– Trustlook Research Team
Trustlook Research Team recently analyzed a complex Android malware sample that uses a third-party root SDK to carry out its malicious behavior.
Package name: fbkgofn.jpcebbe.mcdfpda.decjehi.kmnkgeg.kdgkohl
- The sample uses a popular root SDK (Root Genius, com.shuame.rootgenius.sdk) to root the user's phone and obtain root privileges. It first checks whether the phone is already rooted. If not, it collects device information (Android version, SDK version, product ID and so on) and uploads it to the server so that a matching root exploit can be selected. It then downloads the root exploit to the phone, uncompresses it, and decrypts it before using it to root the device.
Fig.2. Collect the phone’s info for downloading the suitable root exploit from the server
- The sample uses the "com.android.essdk.eyou.b.b" SDK to charge the user's phone bill by sending SMS messages to premium-rate numbers. It also monitors the user's SMS inbox and intercepts the reply SMS from those premium-rate numbers that notify the user that the phone has just ordered a service. The filter keywords used for interception are: 10086 / 成功订购 / 和视频 / 和视界 / 1065 / 1066 (some premium-rate numbers start with these digits).
- The sample uses several tricks to evade static detection, such as assembling a string by joining individual characters at runtime. The malware builds the strings "SMS_RECEIVED" and "WAP_PUSH_RECEIVED" this way so that anti-virus signatures looking for those literals do not match.
Fig.5. Assembling the sensitive strings by joining characters dynamically
- The sample uses a filter to suppress any SMS containing certain keywords. These keywords are stored in a local database at /data/data/fbkgofn.jpcebbe.mcdfpda.decjehi.kmnkgeg.kdgkohl/databases/zhifu; the database is named zhifu and the table is named block.
Fig.6. The database storing the SMS filter keywords and the AD display setting
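As an added illustration (not code from the original post or from the malware), the following Python reconstructs the interception filter described above from a stand-in for the zhifu database, so an analyst can replay a victim's SMS backup and list the carrier notices that were hidden from them. The single-column layout of the block table, its column name keyword, and matching a keyword against both sender and body are assumptions; the inbox entries are constructed.

```python
import sqlite3
from typing import Iterable, List, Tuple

# Keywords the post lists for the interceptor (constructed seed data).
SEED_KEYWORDS = ["10086", "成功订购", "和视频", "和视界", "1065", "1066"]


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for /data/data/<pkg>/databases/zhifu.
    The real table layout is not on the page; a single TEXT column named
    'keyword' is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE block (keyword TEXT NOT NULL)")
    conn.executemany("INSERT INTO block VALUES (?)",
                     [(k,) for k in SEED_KEYWORDS])
    conn.commit()
    return conn


def load_keywords(conn: sqlite3.Connection) -> List[str]:
    """Read the filter keywords back out of the block table."""
    return [row[0] for row in conn.execute("SELECT keyword FROM block")]


def would_be_intercepted(sender: str, body: str,
                         keywords: Iterable[str]) -> bool:
    """True if the filter matches this message. The post lists both number
    prefixes (10086, 1065, 1066) and reply text as keywords, so matching the
    sender as well as the body is assumed here."""
    return any(k in sender or k in body for k in keywords)


def hidden_messages(conn: sqlite3.Connection,
                    inbox: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Replay an SMS backup, given as (sender, body) pairs, against the
    keyword list and return the messages the victim never saw."""
    keywords = load_keywords(conn)
    return [(s, b) for s, b in inbox if would_be_intercepted(s, b, keywords)]


# Constructed sample inbox, not real carrier traffic.
SAMPLE_INBOX = [
    ("10086", "您已成功订购和视频包月业务"),     # carrier billing notice
    ("10657001234", "订购确认"),                 # premium number prefix 1065
    ("13800000000", "晚上一起吃饭吗"),           # ordinary personal SMS
]

if __name__ == "__main__":
    for sender, body in hidden_messages(build_sample_db(), SAMPLE_INBOX):
        print(f"hidden from user: {sender}: {body}")
```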
The database’s structure is as follows: