- Feb 4, 2016
Android malware is not unusual; we’ve even seen it pop up in Google’s own app marketplace on several occasions. Increasing in both sophistication and stealthiness, Android malware has mostly been a nuisance on third-party marketplaces, such as those in China, where it continues to thrive.
Android Matrix Trojan – Old Threat, New Tricks.
This type of malware has been reported for a while now, but recently it has been surfacing bundled with some new apps and featuring some new behavioral tricks.
Disguised as an app called VideoCharm, it lures users by saying that it enables them to view porn-related videos. However, it also repeatedly prompts the user to install other apps – sometimes even different versions of the same app – that are malicious. If you hit “Cancel,” the popup will disappear for a while, but it will show up again prompting the installation of other apps.
When the user launches the application, the dropper (MD5: 27ad60e62ff86534c0a9331e9451833d) decrypts the “s_p_tqvrzgtnzk” file from the application’s “assets” folder with the key “1452760219951”, producing a malicious APK file (e.g. MD5: 78fbac978d9138651678eb63e7dfd998). This appears to be an extra layer of protection to avoid detection by security scanners.
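One way to triage a dropper of this kind, added here as an example that is not part of the original write-up: a Python script that walks the assets/ folder of an APK and flags high-entropy files that carry no recognisable container header, which is what an encrypted embedded payload looks like before decryption, while also spotting assets that are already plain nested APKs. The asset name s_p_tqvrzgtnzk is the one reported above; the sample APK is constructed in memory, its asset contents are pseudo-random bytes standing in for the encrypted payload, and the 7.5 bits/byte threshold is an assumption to tune per corpus.

```python
import io
import math
import random
import zipfile
from collections import Counter

ZIP_MAGIC = b"PK\x03\x04"   # local file header that opens every non-empty zip/APK


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: ~8.0 for encrypted or compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_asset(name: str, data: bytes, threshold: float = 7.5) -> dict:
    """Describe one asset: entropy, whether it is itself an APK, and whether it looks
    like an encrypted blob (high entropy, no container header)."""
    ent = shannon_entropy(data)
    is_zip = data.startswith(ZIP_MAGIC)
    nested_apk = False
    if is_zip:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                nested_apk = "AndroidManifest.xml" in inner.namelist()
        except zipfile.BadZipFile:
            pass
    return {
        "name": name,
        "size": len(data),
        "entropy": round(ent, 2),
        "plain_apk": nested_apk,
        "suspect_encrypted": ent >= threshold and not is_zip,
    }


def triage_assets(apk_bytes: bytes, threshold: float = 7.5) -> list:
    """Classify every file under assets/ in an APK (an APK is an ordinary zip archive)."""
    results = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            results.append(classify_asset(info.filename, apk.read(info), threshold))
    return results


def build_sample_apk() -> bytes:
    """Constructed input, not the real sample: a text asset, a pseudo-random blob under
    the asset name reported for this dropper, and a nested zip shaped like an APK."""
    rng = random.Random(2016)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))

    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("classes.dex", "dex\n035")

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("assets/videos.txt", "video list placeholder\n" * 50)
        z.writestr("assets/s_p_tqvrzgtnzk", blob)
        z.writestr("assets/inner.apk", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for entry in triage_assets(build_sample_apk()):
        flag = "ENCRYPTED?" if entry["suspect_encrypted"] else ("APK" if entry["plain_apk"] else "")
        print(f"{entry['name']:<28} {entry['size']:>6} B  H={entry['entropy']:.2f}  {flag}")
```

Against a real dropper, replace build_sample_apk() with the bytes of the APK under analysis; the entropy check only says which asset deserves a closer look, the actual decryption routine still has to be located in the app's code.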
Fig. 2 – Encrypted file and the decryption key.
The app displays a list of porn videos from an attacker-controlled server, and downloads four zip files on the SD card, in the “sdcard\ijimu\push\.res” location.
What’s even more interesting is that the four zip files are used for rooting the host device (DevRoot2.zip, base_ge4.3.zip, base_lt4.3.zip, winkle.zip) so that it can manipulate system files and update its own app without asking for permission.
Fig. 3 – URLs pointing to zip files containing exploits.
These four files contain system exploits for various Android versions. If, for instance, it detects Android API level 18 or lower, it uses the dev_root, dev_root2, loss_4.3 or symlink-adbd packages. It also checks whether the device is running Android API 18 or 19, in which case it can use CVE-2015-3636, CVE-2015-1805 or larger4.3. Three further exploits are also present: winkle, DevRoot2 and Huawei-Hisilicon. It is therefore safe to assume that the attackers are targeting the popular Android releases Lollipop, Jelly Bean and KitKat, hoping to infect and root as many devices as possible.
Fig. 4 – List of exploits for rooting the device.
Interestingly, when using the CVE-2015-3636 exploit it performs some additional validation of the device. It checks whether it is running in a virtual machine, whether the processor is 32- or 64-bit, and whether the device is a Lenovo Android device. If so, it then deletes three “bin” files (“nac_server”, “nac_ue” and “nds”).
While some of the installed apps are usually porn related, there’s the occasional exception where it downloads apps with cat images (see image below). However, most involve some sort of nudity and explicit content.
Fig. 5 – App that displays cat images.
The JSON pulled from the attacker-controlled server contains, for each package to be downloaded, its name, the URL to fetch it from and a unique ID. It is noteworthy that, at the time of this analysis, not all security vendors detected some of these malicious packages; in particular, the v9_2016032401.apk package was not detected by any security vendor.
Fig. 6 – JSON example with information on fetched packages.
The malware also records its every activity in a log file (“root_trace”) that keeps a detailed record of which exploits were used in the rooting process and which one succeeded.
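The dropped archives and the root_trace log give a responder concrete things to look for on a device. Added here as an example that is not part of the original write-up, this Python script checks a file listing (as obtained with `adb shell find /sdcard` or from a forensic image) against the drop directory and archive names reported above, and summarises which exploits a root_trace log records as attempted, failed or successful. The listing and the log lines are constructed; the package name com.placeholder.videocharm and the bracketed status tokens in the log lines are assumptions, since the write-up does not document the log's format.

```python
import re

# Indicators reported in the write-up
DROP_DIR = "ijimu/push/.res"                      # created under the SD card root
ROOT_ARCHIVES = {"DevRoot2.zip", "base_ge4.3.zip", "base_lt4.3.zip", "winkle.zip"}
TRACE_LOG = "root_trace"
EXPLOITS = {"dev_root", "dev_root2", "loss_4.3", "symlink-adbd", "larger4.3",
            "winkle", "DevRoot2", "Huawei-Hisilicon", "CVE-2015-3636", "CVE-2015-1805"}


def scan_listing(paths):
    """Return (kind, path) for every path matching a dropped-file indicator.
    Backslashes are normalised so listings copied from Windows tools still match."""
    hits = []
    for p in paths:
        norm = p.replace("\\", "/")
        base = norm.rsplit("/", 1)[-1]
        if DROP_DIR in norm:
            kind = "rootkit_archive" if base in ROOT_ARCHIVES else "drop_dir_file"
            hits.append((kind, p))
        elif base == TRACE_LOG:
            hits.append(("root_trace_log", p))
    return hits


# Assumed log line shape: "[status] exploit-name optional details" (format not documented)
_TRACE_LINE = re.compile(r"^\[(\w+)\]\s+(\S+)")
_STATUS = {"try": "attempted", "fail": "failed", "ok": "success"}


def summarize_trace(lines):
    """Map each exploit named in root_trace to the last status recorded for it.
    Names outside EXPLOITS are kept too, since an unknown name may be a new exploit."""
    outcome = {}
    for line in lines:
        m = _TRACE_LINE.match(line.strip())
        if m and m.group(1).lower() in _STATUS:
            outcome[m.group(2)] = _STATUS[m.group(1).lower()]
    return outcome


# Constructed sample data, not captured from a real device
SAMPLE_LISTING = [
    "/sdcard/DCIM/Camera/IMG_0001.jpg",
    "/sdcard/ijimu/push/.res/DevRoot2.zip",
    "/sdcard/ijimu/push/.res/base_lt4.3.zip",
    "/sdcard/ijimu/push/.res/winkle.zip",
    "/sdcard/ijimu/push/.res/extra.bin",
    "/sdcard/Download/notes.txt",
    "/data/data/com.placeholder.videocharm/files/root_trace",
]
SAMPLE_TRACE = [
    "[try] dev_root api=17",
    "[fail] dev_root",
    "[try] CVE-2015-3636 api=19 vm=false arch=32",
    "[ok] CVE-2015-3636",
]

if __name__ == "__main__":
    for kind, path in scan_listing(SAMPLE_LISTING):
        print(f"{kind:<16} {path}")
    for name, status in summarize_trace(SAMPLE_TRACE).items():
        known = "known" if name in EXPLOITS else "UNKNOWN"
        print(f"{name:<16} {status:<10} ({known} exploit name)")
```

A successful entry in the trace summary means the device should be treated as rooted by the malware, so wiping the app alone is not enough; the system partition needs to be checked for modified files.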
Takeaway
We all know that malware is constantly evolving – be it for Android or PC – and this latest variation of the Android Matrix Trojan proves just that. It’s highly recommended that everyone download and install a mobile security solution that is able to identify such threats, and make sure that all apps are downloaded from trusted sources (e.g. Google Play). Sideloading apps from third-party marketplaces brings security risks that could compromise your personal and private data.