Usr6

Trojan Hides in ROM of Chinese Android Devices


In China, some mobile phone enthusiasts like to flash their Android devices with ROM images downloaded from the Internet. For some mobile phone dealers this is good business: they earn extra money by reflashing phone ROMs for users who want to get rid of the many useless applications bundled in the original ROMs.

However, building an Android ROM image is not very difficult, which makes reflashing Android devices dangerous. Once malware has been added to an image, it is hard to get rid of it.

Last week, McAfee Labs acquired a sample found in some Android images from China. Among other interesting behavior, it downloads JavaScript code from a control server, and runs the code within WebView. McAfee Labs detects this threat as Android/Huigezi.A.

Android/Huigezi.A runs at boot, when an SMS message arrives and when an outgoing call is placed. It runs as a background service and poses as a system service. Once started, it sets up a timer to restart itself every 30 minutes.

[Image: service-168x300.png]

The malware sends sensitive information (IMEI, IMSI and OS version) to a remote server and gets a response string in JSON format. The string contains nonstandard Base64-encoded JavaScript code. The malware injects the code into a piece of HTML and writes it to a file under “/data/data/com.android.systemservice/cache/webviewCache/” on the device. The filename is the integer value of the current time.
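The artifacts described above (a package named after a system service, a webviewCache directory, timestamp-named files carrying an inline encoded script) are concrete enough to triage for on an extracted /data/data tree. The following script is an added example written for this page, not McAfee's code or part of the sample; the regular expressions, the 64-character blob threshold and the fixture directory it builds are assumptions of the example, and the timestamp filenames in the fixture are constructed values.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up: the package name the sample poses under,
# and the WebView cache directory it writes its HTML into.
SUSPECT_PACKAGE = "com.android.systemservice"
CACHE_SUBDIR = Path("cache") / "webviewCache"

# Assumed heuristics (not from the write-up): an inline <script> whose body
# contains a long run of Base64-like characters. The sample's alphabet is
# nonstandard, so we match a loose character class rather than decoding.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
BLOB_RE = re.compile(r"[A-Za-z0-9+/=_\-]{64,}")


def scan_data_dir(data_root):
    """Walk an extracted /data/data tree and return a list of findings.

    Each finding is a dict with keys 'kind', 'path' and 'detail'.
    """
    findings = []
    root = Path(data_root)
    for pkg_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        if pkg_dir.name == SUSPECT_PACKAGE:
            findings.append({"kind": "package", "path": str(pkg_dir),
                             "detail": "package name matches the Android/Huigezi.A sample"})
        cache_dir = pkg_dir / CACHE_SUBDIR
        if not cache_dir.is_dir():
            continue
        for f in sorted(cache_dir.iterdir()):
            # The sample names each cached HTML file by an integer timestamp.
            if not (f.is_file() and f.name.isdigit()):
                continue
            text = f.read_text(errors="replace")
            for m in SCRIPT_RE.finditer(text):
                if BLOB_RE.search(m.group(1)):
                    findings.append({"kind": "cached_html", "path": str(f),
                                     "detail": "timestamp-named cache file with inline encoded script"})
                    break
    return findings


def build_fixture():
    """Create a constructed /data/data tree: one benign app and one suspect app."""
    base = Path(tempfile.mkdtemp(prefix="huigezi_demo_"))
    benign = base / "com.example.notes" / CACHE_SUBDIR
    benign.mkdir(parents=True)
    (benign / "index.html").write_text("<html><body>hello</body></html>")

    bad = base / SUSPECT_PACKAGE / CACHE_SUBDIR
    bad.mkdir(parents=True)
    blob = "QUJD" * 30  # constructed 120-character stand-in for the encoded payload
    (bad / "1364285712").write_text(
        f"<html><script>eval(decode('{blob}'))</script></html>")
    (bad / "1364285713").write_text("<html><body>no script here</body></html>")
    return base


def demo():
    """Build the fixture, scan it and return the findings."""
    return scan_data_dir(build_fixture())


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['kind']:12} {finding['path']}  ({finding['detail']})")
```

On a real image the same function is pointed at the mounted or extracted data partition; the package-name check is the cheap first pass, and the cache-file check catches the dropped HTML even if the package is renamed in a later build.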

[Image: acess1-1024x313.png]

The following image shows one of the HTML files with the malicious encoded JavaScript injected into it.

[Image: javascript-1024x114.png]

The decoded JavaScript:

[Image: decoded-1024x144.png]

Android/Huigezi.A binds its Java classes to the HTML through a JavaScript interface and then loads the HTML in a WebView client, so the JavaScript in the HTML can call the functions in the dex file directly.

[Image: addjavascriptinterface-1024x311.png]

The payloads of this malware depend on the JavaScript downloaded from the control server. According to its code, the malware can take the following actions:

  • Send SMS messages
  • Post sensitive information (IMEI, IMSI, device model name, phone number, carrier name) to a remote server
  • Download some install packages and install them silently
  • Retrieve SMS messages and store them to a hash map
  • Set up SMS messages to be blocked
  • Download a dex file, and load the class in it
  • Create a shell for the remote server

[Image: shell.png]

Android/Huigezi.A is very different from other mobile Trojans. It gives attackers more flexibility in launching attacks and makes it harder for victims to notice its presence. Most important: it can hide in an Android ROM image. Users would probably need to reflash their ROM, or obtain root privileges and uninstall the malware with command-line tools, which is not an easy task for most people.

Source: http://blogs.mcafee.com/mcafee-labs/trojan-hides-rom-android-device
