Unmasking Android Malware: A Deep Dive into a New Rootnik Variant, Part III
Credit to Author: Kai Lu | Date: Sun, 09 Jul 2017 14:00:00 +0000
In this final post in the Rootnik series we finish our analysis of this new variant. Read Part 2 here.
Let’s start by looking into the shell script rsh.
Analysis of the shell script
Our investigation shows how the shell script works:
- First, it writes the content of the file .ir into /system/etc/install-recovery.sh. The file install-recovery.sh is a startup script, so it can be executed each time the Android device boots.
The following is the content of the file .ir.
- Next, it writes some files into the folder files/.snow/, and into the system folders /system/bin/ and /system/xbin/.
- It then installs six system apps in the folder /system/priv-app/.
- It then writes busybox into the folder /system/bin/, .rainin into the folder /system/xbin/, and the library libsoon.so into the folder /system/lib/.
- It then replaces the Android system’s executable file debuggerd.
The following is the content of the file .dg.
- Next, it executes some executable files in the folders /system/bin/ and /system/xbin/, and then generates a new device policy file.
The following is the content of the file a.xml.
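The persistence artifacts listed above are easy to check for on a suspect device. The following triage function is an added example, not code from the original post or from the malware; the files/.snow/ location under /data/data/*/ and the priv-app directory layout are assumptions, and the install-recovery.sh check only flags the script when it references the dropped files (an assumption about the .ir payload).

```shell
#!/bin/sh
# Added example, not code from the original post or from the malware: a triage
# check for the files the rsh script drops. ROOT is a mounted system image or a
# tree pulled with `adb pull`; it defaults to / so the function also works in an
# adb root shell. Prints one "artifact:" line per hit; returns 0 when clean.
rootnik_fs_check() {
    root="${1%/}"              # strip trailing slash; empty string means "/"
    found=0
    # Binaries and the library the script writes outside the app sandbox
    for p in system/xbin/.rainin system/bin/.author system/lib/libsoon.so \
             system/bin/busybox; do
        if [ -e "$root/$p" ]; then
            echo "artifact: /$p"
            found=$((found + 1))
        fi
    done
    # files/.snow/ staging folder; assumed to sit under the app's data directory
    for d in "$root"/data/data/*/files/.snow; do
        if [ -d "$d" ]; then
            echo "artifact: ${d#"$root"}"
            found=$((found + 1))
        fi
    done
    # The privileged app that solib_entry checks for (priv-app layout assumed)
    for d in "$root"/system/priv-app/*com.fly.me.ssp.be*; do
        if [ -e "$d" ]; then
            echo "artifact: ${d#"$root"}"
            found=$((found + 1))
        fi
    done
    # install-recovery.sh exists on stock images too, so only flag it when it
    # references the dropped files (assumption about the .ir payload); otherwise
    # report it for manual comparison against the stock script.
    ir="$root/system/etc/install-recovery.sh"
    if [ -s "$ir" ]; then
        if grep -Eq '\.rainin|\.author|\.snow|libsoon' "$ir"; then
            echo "artifact: /system/etc/install-recovery.sh references dropped files"
            found=$((found + 1))
        else
            echo "review: /system/etc/install-recovery.sh present, diff against stock"
        fi
    fi
    echo "total: $found"
    [ "$found" -eq 0 ]
}

# Run directly: sh rootnik_fs_check.sh /mnt/system_image
if [ $# -gt 0 ]; then rootnik_fs_check "$1"; fi
```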
I next analyzed the ELF file .rainin in the folder /system/xbin/. It is used to inject the library libsoon.so into the processes vold, netd and zygote.
Figure 1. The function injecting libsoon.so in process
The following is the key code snippet in the function sub_94C8(int a1, const char *a2, char *a3, char *a4).
Figure 2. The key code snippet in the function sub_94C8
The following is the log file after executing the ELF file /system/xbin/.rainin
Figure 3. The log file after executing /system/xbin/.rainin
When the .so injection is successful, it can invoke the function solib_entry in libsoon.so.
Figure 4. The function solib_entry in libsoon.so
The definition of the function checkInstallRecoveryEtc() is shown below.
Figure 5. The function checkInstallRecoveryEtc()
It checks the file mode of some binaries as well as some installed apps. It then restores the install-recovery script and checks whether the su daemon is running. Finally, it checks whether the app “com.fly.me.ssp.be” has been installed. If not, it could run this app.
The ELF file /system/bin/.author is a su binary. Its usage is shown below:
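Because .rainin injects libsoon.so into long-lived system daemons, a library mapped into vold, netd or zygote is a direct indicator of a compromised device. The following check is an added example, not code from the original post or from the malware; it reads /proc/<pid>/maps and /proc/<pid>/comm, and accepts a directory of saved copies so the same logic runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from the malware: look for
# libsoon.so mapped into the processes that .rainin targets (vold, netd and
# zygote) by reading /proc/<pid>/maps. PROC defaults to /proc so the function
# runs in an adb root shell; a directory of saved maps/comm files can be passed
# for offline review. Prints one "injected:" line per hit; returns 0 when clean.
rootnik_maps_check() {
    proc="${1:-/proc}"
    hits=0
    for d in "$proc"/[0-9]*; do
        [ -r "$d/maps" ] || continue
        # comm holds the short process name; zygote may also appear as zygote64
        name=$(cat "$d/comm" 2>/dev/null)
        case "$name" in
            vold|netd|zygote*) ;;
            *) continue ;;
        esac
        # No legitimate daemon maps the dropped library, so report the first
        # mapping of libsoon.so together with its address range.
        range=$(grep 'libsoon\.so' "$d/maps" 2>/dev/null | head -n 1)
        if [ -n "$range" ]; then
            echo "injected: $name pid=${d##*/} map=${range%% *}"
            hits=$((hits + 1))
        fi
    done
    echo "total: $hits"
    [ "$hits" -eq 0 ]
}

# Run directly in an adb root shell: sh rootnik_maps_check.sh /proc
if [ $# -gt 0 ]; then rootnik_maps_check "$1"; fi
```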
Figure 6. The usage of /system/bin/.author
Looking into the installed apps
As shown in Tables 1 and 2 in Part II of this blog series, the malware app is able to launch some activities in the installed apps. Combining them with the apps installed by the shell script rsh, we list these installed apps as follows:
Table 1. The list of installed apps
From the column labeled “Detection” you can see that Fortinet’s AV engine detects and identifies them as malware.
You can also see that most of them were installed in the system app folder /system/priv-app/. The other two apps were installed in the folder /data/app/ through the command “pm install”.
The APK files listed in Table 1 are obtained in two ways: via HTTP request, or from data hard-coded in the app. In both cases the data obtained is encrypted and has to be decrypted first. The two decryption algorithms used are shown in the Appendix at the end of this blog.
We also found that more apps (including, but not limited to, the following) had been installed in the folder /system/priv-app/.
Figure 7. Apps installed in folder /system/priv-app/ by the malware
We also found that a large number of apps (including, but not limited to, the following) had been installed in the folder /data/app/.
Figure 8. Apps installed in folder /data/app/ by the malware
Malicious Behaviors Observed
The Rootnik malware performed a number of malicious behaviors. These include, but are not limited to, the following:
- App and ad promotion
In addition to gaining root privileges on the device, the Rootnik malware promotes apps and ads to generate revenue for its creator. Its app and ad promotion is especially aggressive and annoying to the user. The following are some screenshots of its app promotion:
Figure 9. The screenshots of app promotion
- Normal and silent app installation
The following are screenshots of a normal app installation and a silent app installation.
Figure 10. The screenshots of normal and silent app installations
- Push notifications
The malware pushes a notification and induces the user to click it.
Figure 11. Push notification
- Sends SMS messages
The malware can send SMS messages to a specific subscription number and then delete them from the SMS inbox. It can also send an SMS message through an adb command.
- Downloads files
We found that many files and folders were also downloaded into the folder /sdcard/. They include APK files, pictures, log files, etc. These files are generated by the installed apps, and some of them perform malicious behaviors.
Figure 12. Files and folders dropped into folder /sdcard/
Workflow of Rootnik
Finally, I drew the following workflow diagram showing how the new Android Rootnik variant works.
Figure 13. An overview of the Android Rootnik malware’s workflow
Solution
The malware sample is detected by Fortinet Antivirus signature Android/Rootnik.AE!tr.
The traffic communicating with the remote C2 server can be detected by Fortinet IPS signature Android.Rootnik.Malware.C2.
Summary
From the analysis, we can see that this new Rootnik variant is able to disguise itself as a legitimate app. The developer of the malware was able to repackage a legitimate app from Google Play and insert malicious code into it. This disguise can trick even careful users.
Additionally, this new variant is rather powerful and uses advanced anti-debugging techniques to hinder reverse engineering, as well as different types of encryption for files and strings. The malware also uses some open-source Android root exploit tools and the MTK root scheme from the dashi root tool to gain root access on the Android device. The root exploits can be downloaded from a remote HTTP server, so it is easy for the developer to update the root scheme of this malware and extend its functionality. Finally, after successfully gaining root privileges on the device, the Rootnik malware can perform a variety of malicious operations, including app and ad promotion, silent app installation, push notifications and sending SMS messages.
Appendix
Rootnik Malware Sample
Package Name: net.gotsun.android.wifi_configuration
SHA256: 42e2e975edc9972c37bfc13742cd83e43eca3d708e5ea087a0a1fcaf63cbae09
Additional APK files dropped into system partition by Rootnik malware
C2 Servers
The decryption program for the hard-coded method
The decryption program for the HTTP request method