The Lie of "thunderous" speed – an Analysis of the Leidian OS and its Apps

– By Trustlook Research Team

You thought you had installed an acceleration tool, when in fact a backdoor had sneaked into your mobile phone.

Leidian OS was recently promoted by the Qihoo 360 security tool. It claimed that if you flash Leidian OS onto your mobile phone, the phone will run 30% faster and will have longer battery life.

We analyzed Leidian OS and its installation process, and found that Leidian OS actually contains a backdoor function which flashes a customized recovery image onto the mobile phone using the fastboot tool. It also uninstalls other vendors' system update and security apps (most of which are pre-installed by the mobile phone vendor) according to a predefined blacklist and whitelist. Uninstalling these apps exposes the mobile phone to security vulnerabilities.

Leidian OS also installs the Leidian App market, Leidian browser, Leidian assistance, Leidian acceleration and the 360 security tool without the user’s consent. Moreover, it modifies the system’s certificate so that it can install apps in the /system directory and obtain the SYSTEM privilege. As a consequence, it can execute critical operations and hook important functions to monitor system activities. It also leverages Qihoo360’s root tool to get root access. Last but not least, the Qihoo360 security tool does not give a clear notification to users when Leidian OS is being flashed. Instead, it just tells the user to “experience a much faster mobile phone” with a single click (Fig. 1). It does not describe the risk to the user after the process. All these actions leave the user more exposed to an insecure environment.

Our analysis found that Leidian OS is developed by two companies called “KuRuiMeng” and “CHIMA”, which are subsidiaries of Qihoo360. Leidian OS also embeds several modules of the Qihoo360 mobile security tool.

Below is the detailed analysis, along with the steps to install the Leidian OS.

As shown in Fig. 1 and 2, install the latest Windows version of the Qihoo360 security tool and click “more” in the lower right corner to see more tools; there you will find “Leidian OS”, which opens the installation window.

Fig.1 – The entrance to the Leidian OS in Qihoo360 security tool – Step 1. 

Fig.2 – The entrance to the Leidian OS in Qihoo360 security tool – Step 2. 

Fig.3 – The installation window of the Leidian OS in Qihoo360 security tool

When clicking the green “experience instantly” button in Fig. 3 above, the Qihoo360 security tool begins to download the related files and applications, which are saved in C:\Documents and Settings\Administrator\Application Data\CleanAndroid.

Fig.4 – Begin to install the Leidian OS to the mobile phone

By monitoring the download process, we found that these files were downloaded by the 360CleanHelper.exe process.

We also found the related JSON file containing the download information, as shown in Fig. 5; its contents are shown in Table 1.

Fig.5 –  360CleanHelper.exe drops the Leidian OS installation files

Table.1 – The JSON file (dl_info_json) containing the download information.

Fig.6 – Downloading information of the Flash tool

Fig.7 – The flash tool package

Fig.8 – The flash tool package in the Cleandroid directory

Fig.9 – Files in “tools” directory of the “Cleandroid” directory

From the tools package info we see that Leidian OS is installed by flashing recovery.img onto the phone with the fastboot tool. It then uses the “adb” tool to install APKs onto the phone. According to the JSON file in Table 1, the download address is dl.so.keniub.com. By monitoring the IP address (101.199.109.90) and querying its DNS info, we find that the download server is hosted by Qihoo360. From the Leidian OS customer service webpage (http://leidianos.com/privacy.html) we find that the company’s address is the same as that of Qihoo360, which further reveals the development and operational relationship between Leidian OS and Qihoo360.

Fig.10 – The download address of the Leidian OS

Fig.11 – The DNS query info of the download address

As shown in Fig. 9, the details of the files in the CleanAndroid directory are explained as follows:

  • ChiMaster.zip contains an apk file, which auto-starts after the boot process and starts some important services.
  • com.chima.customizationassist contains a file called Hurricane.apk.
    • It is used for uninstalling or disabling some apps according to a blacklist and a whitelist.
  • com.leidianos.osspecial.zip contains an App which implements a custom App loader.
    • It uses this tool to automatically grab WeChat red-envelope bonuses in WeChat chat groups.
    • This feature is popular and is used to attract more users to install Leidian OS.
    • But it makes the WeChat App insecure, possibly resulting in the disclosure of the WeChat username and password.
  • leidianLauncher.zip displays the UI of Leidian OS and starts some apps.
  • leidianProvider.zip uninstalls some system apps according to a blacklist and a whitelist.
  • donghua.zip displays an animation after the mobile phone has booted.
  • netd.zip handles network management and the firewall function.
  • update.zip contains a dexdump tool to parse dex files.
  • UpdateCentre.zip roots the mobile phone and hooks some important functions.

Here we describe the certificates of the attached files:

leidianLauncher.apk file’s certificate is shown in Fig. 12:

Fig.12 – Certificate of the leidianLauncher.apk file

chima.apk file’s certificate is shown in Fig. 13:

Fig.13 – Certificate of the chima.apk file

As shown in Fig. 12 and Fig. 13, they were developed by KuRuiMeng and CHIMA, both subsidiaries of Qihoo360.

Below is the analysis of three important Apps (ChiMa.apk, updateCentre.apk, Hurricane.apk).

1. ChiMa.apk

The package name is com.chima.vulcan. It is installed in the /system directory of the user’s phone and has the same certificate as the OS, so it obtains the system privilege as shown in Fig. 14. It therefore starts whenever the mobile phone starts. It collects the user’s information, including IMEI, serial number, operator, gender, location, CPU info, running process list, etc.

Fig.14 – The SYSTEM uid owned by the Chima.apk

This App drops a file called libchimahelper.so from its assets directory, and it hooks three important functions in the Dalvik layer: bindService, startService and getContentProvider (as shown in Fig. 15). This allows it to monitor and control some of the communication between components in the system.

Fig.15 – The hooking to bindService function in chima.apk

The App also implements many sensitive remote execution commands, such as installing Apps remotely, disabling components remotely, etc. The command list is shown in Fig. 16.

Fig.16 – Some remote execution commands in the Chima.apk

As shown in Fig. 17, we found that multiple function calls in this app are made through reflection. This technique is often used by malware to evade anti-virus detection.
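The three indicators described for ChiMa.apk (a system shared UID backed by the platform signing certificate, auto-start after boot, and framework calls hidden behind reflection alongside a dropped native helper) can be triaged statically from a decoded APK. The script below is an added example written for this article, not Trustlook's tooling; the manifest and smali fragments it analyzes are constructed to resemble what the report describes, and are not taken from the real ChiMa.apk.

```python
"""Static triage of a decoded APK (apktool output) for the indicators above:
system shared UID, BOOT_COMPLETED auto-start, native library loading and
reflective framework calls. Added example; inputs are constructed."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed AndroidManifest.xml resembling what the report describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.chima.vulcan"
          android:sharedUserId="android.uid.system">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed smali fragments: a JNI helper load and a reflective call chain.
SAMPLE_SMALI = """
const-string v0, "chimahelper"
invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
const-string v1, "android.app.ActivityManagerNative"
invoke-static {v1}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
move-result-object v1
invoke-virtual {v1, v2, v3}, Ljava/lang/Class;->getDeclaredMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
move-result-object v4
invoke-virtual {v4, v5, v6}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
"""


def _a(name):
    """Fully qualified attribute name in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, name)


def triage_manifest(manifest_xml):
    """Extract package name, shared UID, boot receiver and permissions."""
    root = ET.fromstring(manifest_xml)
    permissions = sorted(e.get(_a("name")) for e in root.iter("uses-permission"))
    boot_autostart = any(
        a.get(_a("name")) == "android.intent.action.BOOT_COMPLETED"
        for a in root.iter("action")
    )
    return {
        "package": root.get("package"),
        # android.uid.system is only granted if the APK carries the platform signature
        "system_uid": root.get(_a("sharedUserId")) == "android.uid.system",
        "boot_autostart": boot_autostart,
        "permissions": permissions,
    }


REFLECTION_PATTERNS = {
    "class_forname": re.compile(r"Ljava/lang/Class;->forName\("),
    "get_declared_method": re.compile(r"Ljava/lang/Class;->getDeclaredMethod\("),
    "method_invoke": re.compile(r"Ljava/lang/reflect/Method;->invoke\("),
    "load_library": re.compile(r"Ljava/lang/System;->loadLibrary\("),
}


def count_reflection(smali):
    """Count reflection and native-loading call sites in smali text."""
    return {name: len(pat.findall(smali)) for name, pat in REFLECTION_PATTERNS.items()}


def reflected_class_names(smali):
    """Class names passed to Class.forName via a preceding const-string."""
    return re.findall(
        r'const-string v\d+, "([\w.]+)"\s+invoke-static \{v\d+\}, Ljava/lang/Class;->forName',
        smali,
    )


def summarize(manifest_xml, smali):
    """Turn the raw indicators into a short list of findings for the analyst."""
    m, r = triage_manifest(manifest_xml), count_reflection(smali)
    findings = []
    if m["system_uid"]:
        findings.append("requests android.uid.system (requires the platform signing key)")
    if m["boot_autostart"]:
        findings.append("auto-starts on BOOT_COMPLETED")
    if r["load_library"]:
        findings.append("loads a native library (possible hooking helper)")
    if r["method_invoke"]:
        findings.append("reflective call(s) into: " + ", ".join(reflected_class_names(smali)))
    return findings


if __name__ == "__main__":
    for f in summarize(SAMPLE_MANIFEST, SAMPLE_SMALI):
        print("-", f)
```

On a real sample, point `triage_manifest` at the decoded `AndroidManifest.xml` and `count_reflection` at the concatenated `smali/**/*.smali` files; a system shared UID combined with a boot receiver and reflective calls into hidden framework classes is the pattern worth escalating.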

Fig. 17 – Reflection calling to some functions used in Chima.apk

2. updateCentre.apk

This app roots the phone and hooks the system (as shown in Fig. 18), giving full control of the mobile phone.

Fig. 18 – The hooking of many functions in the updateCentre.apk file

The app also hooks the native functions, as shown in Fig. 19.

Fig.19 – The hooking to the native functions

The root module RootMan is located in the com.qihoo.permmgr.RootMan package. After verification we found that this module is the same as the one in Qihoo360’s root tool (named “360 Root By One Click”). By concatenating strings for different mobile phone models and related info and sending them to Qihoo360’s server as shown in Fig. 20, we obtained different root exploits to execute, as shown in Fig. 21.

Fig.20 – Concatenation of a special URL for downloading respective root exploits using specific phone models

Fig.21 – Execution of the root exploit in updateCentre

3. Hurricane.apk 

This app uninstalls apps on the user’s mobile phone according to a list that includes most mobile phone vendors’ update and security applications. After this uninstallation process, the user’s mobile phone is less secure. The list of uninstalled apps is as follows:

com.aliyun.fota
com.tencent.nanji.updater
com.yulong.android.ota.client
com.facebook.katana
com.bbk.updater
com.android.guanli
com.lenovo.safecenter
com.dxkj.xsb
com.smartisanos.updater
com.android.ota
com.nokia.update
com.adups.fota
gn.com.android.update
com.lge.update
cn.nubia.systemupdate
com.android.update
com.android.GioneeSysUpdate
com.lenovo.safecenterpad
com.huawei.systemmanager
com.htc.UpgradeSetup
com.lenovo.ota
com.meizu.flyme.update
com.yulong.android.seccenter
com.icoolme.android.upgrade
com.zte.zdm
com.zxly.assist
com.mediatek.GoogleOta
com.tianqi2345
com.oppo.trafficmonitor
com.huawei.android.hwouc
com.android.jrdfota
com.yunos.securityagent
com.htc.updater
com.aurora.netmanage
com.hmct.updater
com.qualcomm.update
com.browser2345
com.android.activate
com.mgyun.shua.su
com.android.provision.system
com.newbee.datausage
com.oppo.safe
com.oppo.virusdetect
com.iqoo.secure
com.sec.android.fwupgrade
com.romjd.android
com.hisense.updater
com.oppo.ota
com.yulong.android.ota
com.wsdm
com.ahong.update
com.sec.android.fotaclient
com.policydm
com.lenovo.safecenter.plugin
Com.wssyncmldm
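A phone that has been through the Leidian OS installation shows two after-effects that can be checked without the installer: Leidian components sitting under /system, and vendor update or security packages from the list above no longer present. The script below is an added example, not Trustlook's or Leidian's code. It parses the text output of `adb shell pm list packages -f` captured from the suspect phone and from a known-clean phone of the same model; both captures here are constructed rather than taken from real devices, only a subset of the uninstall list is embedded, and of the indicator package names only com.chima.vulcan is stated in the report (the other two are assumed from the archive names listed earlier).

```python
"""Post-install check for the effects described above: Leidian components
under /system and removed vendor update/security packages. Added example;
the pm captures and the indicator list are constructed/assumed as noted."""
import re

# Excerpt of the uninstall list in the report (the full list is above).
PROTECTED_PACKAGES = {
    "com.huawei.systemmanager", "com.huawei.android.hwouc", "com.android.ota",
    "com.meizu.flyme.update", "com.oppo.safe", "com.oppo.virusdetect",
    "com.iqoo.secure", "com.lenovo.safecenter", "com.sec.android.fotaclient",
    "com.zte.zdm", "com.bbk.updater", "com.smartisanos.updater",
}

# com.chima.vulcan is the package name stated in the report; the other two
# are assumptions derived from the archive names (not confirmed on the page).
LEIDIAN_INDICATORS = {
    "com.chima.vulcan",
    "com.leidianos.osspecial",
    "com.chima.customizationassist",
}

# Constructed capture from a clean phone of the same model.
CLEAN_CAPTURE = """package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/HwSystemManager/HwSystemManager.apk=com.huawei.systemmanager
package:/system/app/HwOUC/HwOUC.apk=com.huawei.android.hwouc
package:/data/app/com.tencent.mm-1/base.apk=com.tencent.mm
"""

# Constructed capture from the suspect phone after the Leidian OS flash.
SUSPECT_CAPTURE = """package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/ChiMa/ChiMa.apk=com.chima.vulcan
package:/system/app/osspecial.apk=com.leidianos.osspecial
package:/data/app/com.tencent.mm-1/base.apk=com.tencent.mm
"""

# `pm list packages -f` prints one "package:<apk path>=<package name>" per line.
LINE_RE = re.compile(r"^package:(?P<path>.+)=(?P<pkg>[\w.]+)$")


def parse_pm_list(text):
    """Map package name -> APK path from `pm list packages -f` output."""
    packages = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packages[m.group("pkg")] = m.group("path")
    return packages


def leidian_system_components(packages):
    """Indicator packages that were installed under /system, as the report describes."""
    return sorted(
        pkg for pkg, path in packages.items()
        if pkg in LEIDIAN_INDICATORS and path.startswith("/system/")
    )


def removed_protected_packages(clean, suspect):
    """Protected packages present on the clean phone but missing from the suspect one.

    Comparing against a same-model baseline avoids false alarms: a Huawei phone
    legitimately lacks the Oppo or Samsung entries in the list."""
    return sorted((set(clean) - set(suspect)) & PROTECTED_PACKAGES)


def report(clean_text, suspect_text):
    """Combine both checks into one result for the analyst."""
    clean, suspect = parse_pm_list(clean_text), parse_pm_list(suspect_text)
    return {
        "leidian_components": leidian_system_components(suspect),
        "removed_protected": removed_protected_packages(clean, suspect),
    }


if __name__ == "__main__":
    for key, value in report(CLEAN_CAPTURE, SUSPECT_CAPTURE).items():
        print(key, value)
```

Capture the two inputs with `adb shell pm list packages -f > clean.txt` on an untouched phone of the same model and the same command on the suspect phone, then feed the file contents to `report`. Either a non-empty `leidian_components` list or a non-empty `removed_protected` list matches the behaviour described for Hurricane.apk and ChiMa.apk and is a reason to reflash from the vendor's image, as the suggestion below advises.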

Suggestions: If Leidian OS has been installed, go to your mobile phone vendor’s official website to obtain the correct recovery image file and reflash your mobile phone.
