I recently discovered a remote administration trojan (RAT); there is nothing interesting about it except that it is the first one I have seen that communicates with its server through Baidu Cloud Push notifications.
The Baidu Cloud Push service is similar to Google Cloud Messaging (GCM): it allows you to send data from your server to your users' Android-powered devices, and also to receive messages from devices on the same connection. This trojan appears to be the first one discovered using this technique, unlike GCM, which was first used in malicious applications in 2013, as detected by Kaspersky Lab.
It can take complete control over your device. The trojan is capable of recording audio from the microphone, sending SMS, making phone calls, deleting files, downloading files, obtaining the device location, etc. It can collect all your personal information, including SMS, contacts and camera pictures, and upload it to Baidu Cloud Storage (BCS).
I found and analyzed more variants; most of them act as legitimate software, and some of them were trojanized versions of applications. Based on the strings found inside and the legitimate apps repacked with this trojan, this malware is aimed mainly at Chinese- and Korean-speaking countries.
The detection rate for this application isn't very high. The first time it was uploaded to VirusTotal it wasn't detected by any anti-malware company (FUD).
|Fully undetectable (FUD)|
To this day the detection rate for this sample hasn't improved. The malware is detected as Android/Cajino.A trojan.
|Detection after 5 months|
Another interesting fact is that this trojan is still available for download from a lot of third-party Android application markets.
The first upload was on 18. 09. 2014 to a lot of third-party markets by the same developer. All of the apps he uploaded to all these markets are infected with this backdoor. This developer has a developer account on Google Play, so he probably tried to upload it to Google Play too.
On two third-party markets it has nearly 2400 downloads, based on the markets' download counters.
Most of the applications uploaded on those markets are fake apps; a few of them are infected with this trojan.
After launching, the malware looks like a regular application which, right after start, asks you to update to a new version.
It doesn't matter whether you choose yes or no, because no update will be downloaded: there is no functionality defined behind those buttons.
|Update function not defined|
In other cases an app-name-related URL is loaded in a WebView.
That's all you can expect to see as a user; the more suspicious behavior is behind the curtain.
After start, the push registration service is bound through the onCreate method in MainActivity, and a receiver is registered to handle the push messages.
|Receiver for processing the push messages|
The class PushMessageReceiver takes care of messages received from the server, but first it checks whether the received message contains the string "all" or the unique identifier (IMEI) of the device. Based on that, received commands are executed on all bots or on just the one specified by IMEI.
The trojan can respond to 11 commands received from the server.
- photo - uploads photos from your gallery
- contact - uploads phone contacts
- call_log - uploads call history
- upload_message - uploads text messages
- location - uploads the location of the user's device
- send_message - sends a text message
- phone - uploads phone info including the phone number
- list_file - uploads the paths of files on external storage
- upload_file - uploads a file from the device by path
- delete_file - deletes a file by path
- download - downloads a file
- call_number - makes a phone call
- record - records the microphone for a designated period of time and uploads the recording
- combine - combination of four commands (phone, contact, call_log, upload_message)
All of the requested information is first stored in a file (/mnt/sdcard/DCIM/Camera/%file_name%), then uploaded to Baidu Cloud Storage (BCS) and removed from the device.
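To make the indicators above usable on the analyst's side, here is an added example (my own code, not taken from the sample or the original post) that does two things: it scores strings extracted from an APK against the command vocabulary, the PushMessageReceiver class name and the staging path quoted in this post, and it classifies a captured push payload as a broadcast ("all") or as addressed to one IMEI. The payload layout `<target>|<command>[|<argument>]`, the package path and the IMEI used in the sample data are assumptions constructed for the example; the post only states that the message contains "all" or the device IMEI.

```python
"""Triage helpers for the Cajino-style RAT described in the post.

Added example, not code from the original post.  Two defender-side checks:
  1. score_strings(): given strings pulled out of an APK (output of a
     decompiler or `strings`), report how much of the Cajino command
     vocabulary, the staging path and the receiver class name is present.
  2. classify_push(): given a captured push payload, report whether it is a
     broadcast ("all") or addressed to one device by IMEI, and which
     command it carries.
The payload layout "<target>|<command>[|<argument>]" is an ASSUMPTION made
for this example; the post only says the message contains "all" or the
device IMEI and a command name.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Command vocabulary listed in the post.
CAJINO_COMMANDS = frozenset({
    "photo", "contact", "call_log", "upload_message", "location",
    "send_message", "phone", "list_file", "upload_file", "delete_file",
    "download", "call_number", "record", "combine",
})
STAGING_DIR = "/mnt/sdcard/DCIM/Camera/"   # staging path quoted in the post
RECEIVER_CLASS = "PushMessageReceiver"     # receiver class named in the post


@dataclass
class Triage:
    commands_found: frozenset
    has_staging_path: bool
    has_receiver: bool

    @property
    def suspicious(self) -> bool:
        # Single hits are common in benign apps (every gallery app has "photo");
        # flag only the combination of vocabulary, staging path and receiver.
        return (len(self.commands_found) >= 6
                and self.has_staging_path
                and self.has_receiver)


def score_strings(strings: Iterable[str]) -> Triage:
    """Match extracted APK strings against the indicators from the post."""
    s = set(strings)
    return Triage(
        commands_found=CAJINO_COMMANDS & s,
        has_staging_path=any(STAGING_DIR in x for x in s),
        has_receiver=any(RECEIVER_CLASS in x for x in s),
    )


# Hypothetical payload shape (assumption): "<target>|<command>[|<argument>]"
# where <target> is the literal "all" or a 15-digit IMEI.
_PAYLOAD = re.compile(r"^(?P<target>all|\d{15})\|(?P<cmd>[a-z_]+)(?:\|(?P<arg>.*))?$")


def classify_push(payload: str, my_imei: str) -> dict:
    """Describe a captured push message: scope, addressing and command."""
    m = _PAYLOAD.match(payload)
    if not m:
        return {"known": False}
    target, cmd = m.group("target"), m.group("cmd")
    return {
        "known": cmd in CAJINO_COMMANDS,
        "scope": "broadcast" if target == "all" else "targeted",
        "addressed_to_me": target in ("all", my_imei),
        "command": cmd,
        "argument": m.group("arg"),   # None when the command carries no argument
    }


# Constructed sample data so the script runs offline; the package path and
# the IMEI are made up and not taken from the real sample.
SAMPLE_STRINGS = [
    "Lcom/example/sample/PushMessageReceiver;",
    "onMessage", "photo", "contact", "call_log", "upload_message",
    "location", "record", "combine", "all",
    "/mnt/sdcard/DCIM/Camera/", "New version available",
]
BENIGN_STRINGS = ["MainActivity", "photo", "location", "Settings"]
SAMPLE_IMEI = "123456789012345"
SAMPLE_PAYLOADS = ["all|combine", "123456789012345|record|30",
                   "999999999999999|photo", "hello"]

if __name__ == "__main__":
    for name, strs in (("sample", SAMPLE_STRINGS), ("benign", BENIGN_STRINGS)):
        t = score_strings(strs)
        print(f"{name}: suspicious={t.suspicious} commands={sorted(t.commands_found)}")
    for p in SAMPLE_PAYLOADS:
        print(p, "->", classify_push(p, SAMPLE_IMEI))
```

The threshold of six command names plus the staging path plus the receiver class is deliberately conservative: words like "photo", "location" or "download" appear in countless benign apps, so a single match says nothing, and it is the co-occurrence of the vocabulary with the DCIM staging path and the push receiver that is characteristic of this family. Feed `score_strings` the string table of any APK you are triaging and adjust the threshold to your false-positive tolerance.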
I contacted the third-party markets that still have this application available for download. I hope they will soon pull it off the market.