By Trustlook Research Team
You thought you installed an acceleration tool, when in fact a backdoor sneaked into your mobile phone.
Leidian OS was recently promoted by the Qihoo 360 security tool. It claimed that if you flash Leidian OS into your mobile phone, the phone will run 30% faster and will save more battery life.
We analyzed Leidian OS and its installation process, and found that Leidian OS actually contains a backdoor function which flashes a customized recovery image into the mobile phone using the fastboot tool. It also uninstalls vendor system-update and security apps (most of which are pre-installed by mobile phone vendors) according to a predefined blacklist and whitelist. The uninstallation of these apps exposes the mobile phone to security vulnerabilities.
Leidian OS also installs the Leidian App market, Leidian browser, Leidian assistance, Leidian acceleration and the 360 security tool without the user’s consent. Moreover, it modifies the system’s certificate so that it can install apps in the /system directory and obtain the SYSTEM privilege. As a consequence, it can execute critical operations and hook important functions to monitor system activities. It also leverages Qihoo360’s root tool to get root access. Last but not least, the Qihoo360 security tool does not give a clear notification to users when Leidian OS is being flashed. Instead, it just invites the user to “experience a much faster mobile phone” with a single click, as shown in Fig. 1, and does not describe the risk the user is exposed to afterwards. All these actions leave the user in a less secure environment.
After our analysis, we found that Leidian OS is developed by two companies called “KuRuiMeng” and “CHIMA”, which are subsidiaries of Qihoo360. Leidian OS has embedded several modules of the Qihoo360 mobile security tool as well.
Below is the detailed analysis, along with the steps to install the Leidian OS.
As shown in Fig. 1 and Fig. 2, after installing the latest Windows version of the Qihoo360 security tool and clicking “more” in the lower right corner to get more tools, you will find “Leidian OS”, which opens the installation window.
Fig. 1 – The entrance to Leidian OS in the Qihoo360 security tool – Step 1.
Fig. 2 – The entrance to Leidian OS in the Qihoo360 security tool – Step 2.
Fig. 3 – The installation window of Leidian OS in the Qihoo360 security tool.
When the green “experience instantly” button in Fig. 3 above is clicked, the Qihoo360 security tool begins to download the related files and applications, which are saved in
C:\Documents and Settings\Administrator\Application Data\CleanAndroid.
Fig. 4 – Beginning the installation of Leidian OS onto the mobile phone.
By monitoring the download process, we found that these files were downloaded by the 360CleanHelper.exe process.
We also found the related JSON file containing the download information, as shown in Fig. 5; its contents are reproduced in Table 1.
Fig. 5 – 360CleanHelper.exe drops the Leidian OS installation files.
Table 1 – The JSON file containing the download information.
Fig. 6 – Download information of the flash tool.
Fig. 7 – The flash tool package.
Fig. 8 – The flash tool package in the Cleandroid directory.
Fig. 9 – Files in the “tools” directory of the “Cleandroid” directory.
From the tools package info we see that Leidian OS is installed by flashing recovery.img into the phone with the fastboot tool. It then uses the “adb” tool to install APKs into the phone. According to the JSON file in Table 1, the download address is dl.so.keniub.com. By monitoring the IP (22.214.171.124) and querying its DNS info, we find that the download server is hosted by Qihoo360. From the Leidian OS customer service webpage (http://leidianos.com/privacy.html) we find that the company’s address is the same as that of Qihoo360, which further reveals the development and operational relationship between Leidian OS and Qihoo360.
Fig. 10 – The download address of Leidian OS.
Fig. 11 – The DNS query info of the download address.
As shown in Fig. 9, the files in the CleanAndroid directory are as follows:
- ChiMaster.zip contains an APK file, which is used for auto-starting after the boot process and for starting some important services.
- com.chima.customizationassist contains a file called Hurricane.apk.
  - It is used for uninstalling or disabling some apps according to a blacklist and a whitelist.
- com.leidianos.osspecial.zip contains an app which implements a custom app loader.
  - It uses this tool to automatically grab WeChat red-envelope bonuses in WeChat chat groups.
  - This feature is popular and is used to attract more users to install Leidian OS.
  - But it makes the WeChat app insecure, and may result in the disclosure of the WeChat username and password.
- leidianLauncher.zip displays the UI of Leidian OS and starts some apps.
- leidianProvider.zip uninstalls some system apps according to a blacklist and a whitelist.
- donghua.zip displays an animation after the mobile phone is booted.
- netd.zip is for network management and the firewall function.
- update.zip contains a dexdump tool to parse the dex files.
- UpdateCentre.zip is for rooting the mobile phone and hooking some important functions.
Here we examine the certificates of the bundled files.
The certificate of the leidianLauncher.apk file is shown in Fig. 12:
Fig. 12 – Certificate of the leidianLauncher.apk file.
The certificate of the chima.apk file is shown in Fig. 13:
Fig. 13 – Certificate of the chima.apk file.
As shown in Fig. 12 and Fig. 13, they are developed by KuRuiMeng and CHIMA, which are subsidiaries of Qihoo360.
Below is the analysis of three important apps (ChiMa.apk, updateCentre.apk, Hurricane.apk).
ChiMa.apk: the package name is com.chima.vulcan. It is installed in the /system directory of the user’s phone and has the same certificate as the OS, so it obtains the SYSTEM privilege, as shown in Fig. 14. Consequently it starts automatically after the mobile phone boots. It collects the user’s information, including IMEI, serial number, operator, gender, location, CPU info, running process list, etc.
Fig. 14 – The SYSTEM uid owned by Chima.apk.
This app drops a file called libchimahelper.so from its assets directory, and it hooks three important functions in the Dalvik layer: bindService, startService and getContentProvider (as shown in Fig. 15). This allows it to monitor and control communications between components in the system.
Fig. 15 – The hooking of the bindService function in chima.apk.
The app also implements many sensitive remote execution commands, such as installing apps remotely, disabling components remotely, etc. The command list is shown in Fig. 16.
Fig. 16 – Some remote execution commands in Chima.apk.
As shown in Fig. 17, we found that multiple function calls in this app are implemented by reflection. This method is often used by malware to evade anti-virus detection.
Fig. 17 – Reflection calls to some functions used in Chima.apk.
updateCentre.apk is for rooting and hooking the system (as shown in Fig. 18). It allows full control of the mobile phone.
Fig. 18 – The hooking of many functions in the updateCentre.apk file.
The app also hooks native functions, as shown in Fig. 19.
Fig. 19 – The hooking of native functions.
The root module RootMan is located in the com.qihoo.permmgr.RootMan package. After verification, we found that this module is the same as the one in Qihoo360’s root tool (under the name “360 Root By One Click”).
By concatenating strings for different mobile phone models and related info and sending them to Qihoo360’s server, as shown in Fig. 20, we received different root exploits to execute, as shown in Fig. 21.
Fig. 20 – Concatenation of a special URL for downloading the respective root exploit for a specific phone model.
Fig. 21 – Execution of the root exploit in updateCentre.
Hurricane.apk is for uninstalling apps on the user’s mobile phone according to a list, which includes most of the mobile phone vendors’ update and security applications. After this uninstallation process, the user’s mobile phone is less secure. The uninstallation app list is as follows:
- com.policydm
- com.lenovo.safecenter.plugin
- com.wssyncmldm
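To help triage a phone that may have been flashed, the following Python script (an added example, not Trustlook’s or Leidian’s code) checks the output of stock adb commands for the indicators described on this page: the Leidian/Chima packages, the vendor security packages on Hurricane’s removal list, and any non-AOSP package under /system running as the SYSTEM uid (1000). The adb output is constructed inline so the script runs offline; on a real device, replace it with the output of `adb shell pm list packages -f` and `adb shell dumpsys package <pkg>`.

```python
"""Added example: triage an Android device for the Leidian OS components
described in the Trustlook analysis, using only output of stock adb commands.
Sample outputs below are constructed, not captured from a real device."""
import re
from dataclasses import dataclass

# Package names named in the analysis.
LEIDIAN_PACKAGES = {
    "com.chima.vulcan",               # ChiMa.apk
    "com.chima.customizationassist",  # Hurricane.apk
    "com.leidianos.osspecial",        # custom app loader
}
# Vendor update/security packages on Hurricane's uninstall list.
VENDOR_SECURITY_PACKAGES = {
    "com.policydm", "com.lenovo.safecenter.plugin", "com.wssyncmldm",
}
SYSTEM_UID = 1000  # android.uid.system; packages with this uid have SYSTEM privilege

# Constructed sample of `adb shell pm list packages -f` (format: package:<path>=<name>).
SAMPLE_PM_LIST = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/ChiMa/ChiMa.apk=com.chima.vulcan
package:/system/app/Hurricane/Hurricane.apk=com.chima.customizationassist
package:/data/app/com.tencent.mm-1/base.apk=com.tencent.mm
"""

# Constructed excerpt of `adb shell dumpsys package com.chima.vulcan`.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.chima.vulcan] (3f2a1b):
    userId=1000
    codePath=/system/app/ChiMa
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
"""


def parse_pm_list(text: str) -> dict:
    """Map package name -> APK path from `pm list packages -f` output."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"package:(.+)=([\w.]+)$", line.strip())
        if m:
            pkgs[m.group(2)] = m.group(1)
    return pkgs


def parse_dumpsys_uids(text: str) -> dict:
    """Map package name -> uid from `dumpsys package` output."""
    uids, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*userId=(\d+)", line)
        if m and current:
            uids[current] = int(m.group(1))
    return uids


@dataclass
class Findings:
    leidian_present: list         # Leidian/Chima packages installed
    vendor_security_missing: list  # vendor packages from the uninstall list not found
    system_uid_non_aosp: list      # /system packages with uid 1000 outside android.*/com.android.*


def triage(pm_list_text: str, dumpsys_text: str) -> Findings:
    pkgs = parse_pm_list(pm_list_text)
    uids = parse_dumpsys_uids(dumpsys_text)
    present = sorted(p for p in pkgs if p in LEIDIAN_PACKAGES)
    missing = sorted(p for p in VENDOR_SECURITY_PACKAGES if p not in pkgs)
    suspicious = sorted(
        p for p, uid in uids.items()
        if uid == SYSTEM_UID
        and pkgs.get(p, "").startswith("/system/")
        and not p.startswith(("android", "com.android."))
    )
    return Findings(present, missing, suspicious)


if __name__ == "__main__":
    f = triage(SAMPLE_PM_LIST, SAMPLE_DUMPSYS)
    print("Leidian/Chima packages present:", f.leidian_present)
    print("Vendor security packages missing:", f.vendor_security_missing)
    print("Non-AOSP /system packages with SYSTEM uid:", f.system_uid_non_aosp)
```

The "missing vendor package" check is only meaningful on a device that originally shipped those packages; on other models the list will appear missing regardless. The SYSTEM-uid check is the more general signal: a package outside the android.* namespace that lives in /system and runs as uid 1000 was signed with the platform key, which is exactly the privilege Chima.apk acquires in Fig. 14.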
Suggestions: Go to your mobile phone vendor’s official website to find the correct recovery image file and reflash your mobile phone if Leidian OS has been installed.
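When reflashing, the recovery image should be checked against the checksum published by the vendor before it is written, so that a tampered download is not flashed in place of the one it replaces. The following Python helper (an added example, not part of the original post) computes the SHA-256 of an image file, compares it with the expected value, and only then builds the `fastboot flash recovery` command. The image bytes and checksum used in the demonstration are constructed placeholders; the real checksum comes from the vendor’s download page.

```python
"""Added example: verify a vendor recovery image before reflashing it with
fastboot. The expected SHA-256 must come from the vendor's official site;
the value used in demo_with_constructed_image() is derived from placeholder
bytes and is not a real image checksum."""
import hashlib
import subprocess
import tempfile
from pathlib import Path

# Constructed placeholder standing in for a vendor recovery image.
CONSTRUCTED_IMAGE = b"constructed recovery image placeholder, not a real image"
CONSTRUCTED_EXPECTED_SHA256 = hashlib.sha256(CONSTRUCTED_IMAGE).hexdigest()


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_matches(path: Path, expected_sha256: str) -> bool:
    """True only if the on-disk image hashes to the vendor-published value."""
    return sha256_of(path) == expected_sha256.strip().lower()


def reflash_recovery(path: Path, expected_sha256: str, dry_run: bool = True):
    """Return the fastboot argv that flashes the image, or None if the hash
    does not match. With dry_run=False the command is actually executed
    (the device must be in fastboot mode and fastboot must be on PATH)."""
    if not image_matches(path, expected_sha256):
        return None
    argv = ["fastboot", "flash", "recovery", str(path)]
    if not dry_run:
        subprocess.run(argv, check=True)
    return argv


def demo_with_constructed_image() -> dict:
    """Write the placeholder image to a temp file and exercise both outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        img = Path(tmp) / "recovery.img"
        img.write_bytes(CONSTRUCTED_IMAGE)
        wrong = "0" * 64  # deliberately mismatching checksum
        return {
            "good_match": image_matches(img, CONSTRUCTED_EXPECTED_SHA256),
            "bad_match": image_matches(img, wrong),
            "good_argv": reflash_recovery(img, CONSTRUCTED_EXPECTED_SHA256),
            "bad_argv": reflash_recovery(img, wrong),
        }


if __name__ == "__main__":
    print(demo_with_constructed_image())
```

Keep `dry_run=True` until the printed argv is what you intend to run; the only change for a real reflash is passing `dry_run=False` with the vendor image path and the checksum copied from the vendor’s page.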