Tuesday, March 31, 2015

Trojan using Baidu Cloud Push service found on Google Play Store



It looks like the Remote Administration Trojan (RAT) named Cajino, which uses Baidu Cloud Push as a new way to communicate with its server, wasn't only on alternative Android markets. The Trojan was also found on the official Google Play Store, where it had more than 50,000 downloads and was available for more than a month.


Cajino available on Google Play Store


"Some samples, under a certain developer, were signed during November 2014, and were available in Google Play since December. The apps were available in the main market until late January, when Google removed them. It seems that some others were available from September until late January."  - Eleven Paths



How does it look today?


A few days after I published the post on my blog, the detection rate for this RAT was not what one would expect; only 4 antivirus vendors detected it.



These days detection of this threat is getting better.

Cajino is still available for download from alternative Android markets.

The application is also still available for download from the attacker's web page hxxp://guangzhouhan1.dothome.co.kr/music.apk.

Credit for discovering the Cajino Trojan on Google Play Store belongs to the security researchers at Eleven Paths.


NEW MD5:

14885b84914651da4990586b36022900
eedc44e72023e75c024ff22e6423a4d6
5ba62baeda7264c83fe57e1b2b1f2533
3853b2b74c0f68bfb4ca5b080df9addd


Tuesday, March 17, 2015

Remote administration trojan using Baidu Cloud Push service



I recently discovered a remote administration trojan (RAT). There is nothing interesting about it, except that it is the first one I have seen that communicates with its server through Baidu Cloud Push notifications.
The Baidu Cloud Push service is similar to Google Cloud Messaging (GCM): it allows a server to send data to users' Android-powered devices and to receive messages from those devices over the same connection. This trojan appears to be the first one discovered using this technique; GCM, by contrast, was first used in malicious applications in 2013, as detected by Kaspersky Lab.

It can take complete control of your device. The Trojan is capable of recording audio from the microphone, sending SMS, making phone calls, deleting files, downloading files, obtaining the location, etc. It can collect all your personal information, including SMS, contacts and camera pictures, and upload it to Baidu Cloud Storage (BCS).

I found and analyzed more variants; most of them pose as legitimate software, and some of them were Trojanized versions of applications. Based on the strings found inside and the legitimate apps repackaged with this Trojan, this malware is aimed mainly at Chinese- and Korean-speaking countries.

The detection rate for this application isn't very high. The first time it was uploaded to VirusTotal, it wasn't detected by any anti-malware vendor (FUD).


Fully undetectable (FUD)



To this day the detection rate for this sample hasn't improved. The malware is detected as the Android/Cajino.A trojan.


Detection after 5 months



Another interesting fact is that this Trojan is still available for download from a lot of third-party Android application markets.
The first upload was on 18. 09. 2014, to a lot of third-party markets by the same developer. All of the apps he uploaded to these markets are infected with this backdoor. This developer has a developer account on Google Play, so he probably tried to upload it to Google Play too.


Infected apps by Android/Cajino on third-party stores


On two third-party markets it has nearly 2400 downloads, based on the markets' download counters.

Most of the applications uploaded to those markets are fake apps; a few of them are infected with this Trojan.




Code analysis



After launching, the malware looks like a regular application which, right after start, asks you to update to a new version.





But it doesn't matter whether you choose yes or no, because no update will be downloaded. No functionality is defined behind those buttons.


Update function not defined


In other cases an app-name-related URL may be loaded in a WebView.
But that's all you can expect to see as a user; the more suspicious behavior is behind the curtain.

After start, the push registration service is bound in the onCreate method of MainActivity, and a receiver is registered to handle the push messages.


Receiver for processing the push messages


The PushMessageReceiver class handles messages received from the server, but it first checks whether the received message contains the string "all" or the device's unique identifier (IMEI). Based on that, the received commands are executed on all bots or just on the one specified by IMEI.


First check




The Trojan can respond to 11 commands received from the server:
  • photo - uploads photos from your gallery
  • contact - uploads phone contacts
  • call_log - uploads call history
  • upload_message - uploads text messages
  • location - uploads the location of the user's device
  • send_message - sends a text message
  • phone - uploads phone info, including the phone number
  • list_file - uploads the paths of files on external storage
  • upload_file - uploads a file from the device by path
  • delete_file - deletes a file by path
  • download - downloads a file
  • call_number - makes a phone call
  • record - records the microphone for a designated period of time and uploads the recording
  • combine - combination of four commands (phone, contact, call_log, upload_message)

All of the requested information is first stored in a file (/mnt/sdcard/DCIM/Camera/%file_name%), then uploaded to Baidu Cloud Storage (BCS) and removed from the device.
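Two small triage helpers built from the behaviour described above (an added example, not code from the original post or from the sample): one grades a string dump of a decoded APK against the command vocabulary, staging path and push receiver, the other replays a captured push against an analysis device's IMEI to see which commands the receiver would act on. The Baidu SDK class path and the whitespace-separated payload layout are assumptions.

```python
"""Triage helpers for Cajino-style Baidu push RATs (added example, not code
from the original post). score_apk_strings() grades strings pulled from a
decoded APK against the command vocabulary, staging path and push receiver
class described above; dispatch_plan() replays a captured push against the
analysis device's IMEI and lists the commands the receiver would act on."""
import re

# Command tokens the post lists for the PushMessageReceiver dispatch.
COMMANDS = {
    "photo", "contact", "call_log", "upload_message", "location",
    "send_message", "phone", "list_file", "upload_file", "delete_file",
    "download", "call_number", "record", "combine",
}
COMBINE = ["phone", "contact", "call_log", "upload_message"]  # 'combine' expands to these
PUSH_RECEIVER = "com.baidu.android.pushservice.PushMessageReceiver"  # assumed SDK class path
STAGING_DIR = "/mnt/sdcard/DCIM/Camera/"  # staging path named in the post
TOKEN_RE = re.compile(r"[A-Za-z0-9_./:-]+")  # assumed: payload is a token list

def score_apk_strings(strings, threshold=8):
    """Return (score, verdict): each command token found scores 1, the push
    receiver class 3 and the staging directory 2."""
    score = len(set(strings) & COMMANDS)
    if any(PUSH_RECEIVER in s for s in strings):
        score += 3
    if any(s.startswith(STAGING_DIR) for s in strings):
        score += 2
    return score, "suspicious" if score >= threshold else "clean"

def dispatch_plan(payload, device_imei):
    """Mirror the receiver's first check (payload names 'all' or this IMEI),
    then return the command tokens it carries in order, expanding 'combine'."""
    tokens = TOKEN_RE.findall(payload)
    if "all" not in tokens and device_imei not in tokens:
        return []  # addressed to another bot: the receiver ignores it
    plan = []
    for tok in tokens:
        if tok == "combine":
            plan.extend(COMBINE)
        elif tok in COMMANDS:
            plan.append(tok)
    return plan

# Constructed sample input, shaped like a `strings` dump of a decoded APK.
SAMPLE_STRINGS = [
    "com.baidu.android.pushservice.PushMessageReceiver", "onMessage",
    "photo", "contact", "call_log", "upload_message", "record", "combine",
    "/mnt/sdcard/DCIM/Camera/", "music.apk",
]
```

The score threshold is a tuning knob; the receiver class and staging path weigh more than single command words because words like "phone" or "download" occur in benign apps too.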

I contacted the third-party markets that still have this application available for download. I hope they will soon pull it off the market.



Sample info 

 

MD5:
39581735EE24D54F93C8C51D8C39B506
9342B4ECBB7EB045EDCDB6E0E339E415
5F385407A0E547F809AC4BE8B1119B04
B3814CA9E42681B32DAFE4A52E5BDA7A


Tuesday, March 10, 2015

Russian ransomware pretends to be from the Ministry of Internal Affairs of Russia



The ransomware locks your phone, accusing you of viewing scenes of pedophilia and other perversions. To unlock the phone it demands a payment (500 rubles, ~7.6 Euro) within 36 hours.

The malware comes with a simple icon and the name "DDDDDDDDD".


App icon


Overview

After launching, you will be prompted to grant device admin access to the application.


Request device admin access


The window requesting device administrator rights is pushed to the foreground every second, so it's practically impossible to cancel it. The user is forced to grant administrator access to the application.
After activating, your phone will be locked, and if you want it unlocked again you have to pay the ransom (500 rubles, ~7.6 Euro). To look less suspicious, the malware accuses you of viewing pornography and scenes of rape, bestiality, pedophilia and other perversions. If you do not pay within 36 hours, it threatens to send an SMS to all your contacts saying that your phone has been locked for viewing scenes of pedophilia, after which all data will be deleted and the phone will be locked forever! Pretty drastic, right? Who wants to have his phone locked forever :)


Locked screen requesting ransom


The malware will not encrypt your data and will not send an SMS to all your contacts.

Cleaning

If you got infected, there is a way to get rid of it, but first you need to have the Android Debug Bridge (ADB) on your computer. ADB is a command-line tool that lets you communicate with an emulator or a connected Android device.

First you have to stop the running process by executing the command: adb shell am force-stop commer.version.mantle

When the process is stopped, you have to revoke the device administrator access granted to this application from Settings -> Security -> Device administrators and deactivate it. When you try to disable it, you will get the made-up message "Internal application error".


Internal application error


After that, the ransom window starts again. You have to stop the running process again, and the malicious application is then removed from the list of device administrator applications. Now you have to uninstall the application and never run it again.

What is interesting about this malware is that only a few strings are encrypted, not all of them.

The detection rate for this sample isn't very high; when the malware was uploaded to VirusTotal, only four vendors detected it.


VirusTotal detection rate



Sample info

MD5: 5F7FE140E6447076567A5B0A80ADB723
Package name: commer.version.mantle



Monday, March 9, 2015

Banker backdoor makes your device his b*tch




This Russian backdoor turns your phone into a bot that receives commands from a command & control (C&C) server or through Google Cloud Messaging (GCM) push notifications. The malware attempts to obtain your credit card information while posing as the Play Market.



Overview

By installing the application you get a "romantic" icon in your launcher with the fishy name "System".


Backdoor icon


In cases like this, when an application icon is so tempting to launch and has such a credible name, you should by all means resist the temptation to launch it and immediately remove it.

When you can't resist, just like I couldn't, you will receive an unexpectedly high phone bill :).

After tapping on the "hungry lady", you will be prompted to grant device admin access to the app.


Request device admin access


The explanation given for the device admin request is the "Terms of Use Google Play", needed to get free content.

Of course I was excited, so I tapped on ACTIVATE to get rid of that annoying window, so I could see the rest of the pretty lady.

The application doesn't show any other window, but starts to push notifications and hides its launcher icon. That's when it starts to run in the background. The notification doesn't look like it has anything in common with the previously started application; it poses as a Play Market request.


Pushed notification




Opening the notification, you are asked to enter your credit card information because of a supposed authorization error in Google Play.


Billing information window

 

The credit card information is then sent to a remote server.



Background service

The backdoor starts an "update" service that first registers the device on the C&C server by sending your device's unique information (IMEI, phone number, country, operator name) and receives a bot identification number (bot_id) and password (bot_pwd) that it uses to identify itself when communicating with the server.

The bot contacts the server at intervals of at most 5 seconds, requesting commands.
There are four different commands:
 - set_intercept - intercept received SMSs; can intercept all received messages or just those filtered by the sender's number
 - set_interval - the server communication interval; the server contact interval can be at most 5 seconds
 - send_sms - send an SMS
 - set_server - change the C&C server

It also has a spy activity defined in the manifest, where a broadcast receiver for incoming SMS is set. All of your received messages are sent to the remote server, and some or all of them, depending on the received command, aren't even shown to you.

Communication through Google Cloud Messaging push notifications is also implemented. A push message can trigger the notification requesting credit card information (mentioned earlier) or the sending of an SMS.
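The polling loop described above (commands fetched at most every 5 seconds) is a beacon a network defender can look for. This added example, not code from the original post, flags clients that hit the same URL at short, regular intervals in proxy logs; the log layout (timestamp, client, method, URL) and the sample lines are constructed, with the controller URL taken from the sample info below.

```python
"""Beacon detection for the banker's polling loop (added example, not from
the original post). The bot asks its C&C for commands at intervals of at most
5 seconds, so this scans proxy log lines for clients hitting the same URL at
short, regular intervals. The log layout (timestamp client method url) and
the sample lines are constructed for the example."""
from collections import defaultdict
from datetime import datetime
from statistics import median

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"
MAX_POLL_INTERVAL = 5.0  # seconds, the set_interval ceiling described above
MIN_REQUESTS = 6         # ignore one-off requests and short bursts

# Constructed sample: 10.0.0.7 polls controller.php every 4 s like the bot;
# 10.0.0.9 is a normal device browsing at irregular intervals.
SAMPLE_LOG = """\
2015-03-09T10:00:00 10.0.0.7 POST http://play-googlecom.com/controller.php
2015-03-09T10:00:04 10.0.0.7 POST http://play-googlecom.com/controller.php
2015-03-09T10:00:08 10.0.0.7 POST http://play-googlecom.com/controller.php
2015-03-09T10:00:12 10.0.0.7 POST http://play-googlecom.com/controller.php
2015-03-09T10:00:16 10.0.0.7 POST http://play-googlecom.com/controller.php
2015-03-09T10:00:20 10.0.0.7 POST http://play-googlecom.com/controller.php
2015-03-09T10:00:24 10.0.0.7 POST http://play-googlecom.com/controller.php
2015-03-09T10:00:01 10.0.0.9 GET http://example.com/
2015-03-09T10:00:30 10.0.0.9 GET http://example.com/news
2015-03-09T10:02:10 10.0.0.9 GET http://example.com/
"""

def parse_log(text):
    """Yield (timestamp, client, url) from the assumed log layout."""
    for line in text.splitlines():
        ts, client, _method, url = line.split()
        yield datetime.strptime(ts, LOG_FORMAT), client, url

def find_beacons(text, max_interval=MAX_POLL_INTERVAL, min_requests=MIN_REQUESTS):
    """Group requests per (client, url) and flag groups whose median gap
    between consecutive requests is <= max_interval.
    Returns {(client, url): median_gap_seconds}."""
    series = defaultdict(list)
    for ts, client, url in parse_log(text):
        series[(client, url)].append(ts)
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= max_interval:
            beacons[key] = med
    return beacons
```

The median is used rather than the mean so that a single long gap (device asleep, no coverage) does not hide an otherwise steady poll.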



Sample info 

MD5: c6d18185d52200ed73187d355facb2fa
Package name: "com.android.services"
Server: http://play-googlecom.com/controller.php