Organized Crime using Rootkit – The analysis of the Triada malware

– Trustlook Research Team

Trustlook Research Team recently analyzed a sophisticated piece of malware that uses a Rootkit SDK to facilitate its malicious behavior.

MD5: 3B71DEBDE5F6A3E4D2E9321266DA76F7

Package name: fbkgofn.jpcebbe.mcdfpda.decjehi.kmnkgeg.kdgkohl

  1. The sample uses a popular root SDK (Root Genius, com.shuame.rootgenius.sdk) to root the user’s phone and gain root privilege. It first checks whether the phone is already rooted. If not, it collects the phone’s device info (such as the Android version, SDK version and product ID) and uploads that information to the server to find a matching root exploit. It then downloads the root exploit to the phone, uncompresses it, and decrypts it for rooting.

    Fig.1. Check if the phone has been rooted

    Fig.2. Collect the phone’s info for downloading the suitable root exploit from the server

  2. The sample uses the “com.android.essdk.eyou.b.b” SDK to deduct a fee from the user’s phone bill by sending SMS to premium-rate numbers. It also monitors the user’s SMS inbox and intercepts the reply SMS from the premium numbers that notify the user that the phone has just ordered a service. The filter keywords for interception are: 10086, 成功订购 (“successfully subscribed”), 和视频, 和视界, 1065, 1066 (some premium numbers start with these digits).

Fig.3. Intercept the confirmation SMS sent from the premium numbers

Fig.4. Intercept the confirmation SMS containing certain keywords

  1. The sample uses several tricks to evade static detection, such as assembling a string by joining individual characters at run time. The malware assembles the strings “SMS_RECEIVED” and “WAP_PUSH_RECEIVED” this way to evade anti-virus vendors’ static detection.

    Fig.5. Assembling the sensitive strings by joining their parts dynamically

  2. The sample uses a filter to drop SMS that contain certain keywords. These keywords are stored in a local database at /data/data/fbkgofn.jpcebbe.mcdfpda.decjehi.kmnkgeg.kdgkohl/databases/zhifu; the database is named zhifu and the table is named block.

    Fig.6. The database that stores the SMS filter keywords and the AD display setting
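The string-joining trick in item 1 above is aimed at signature scanners that look for a complete literal in the DEX constant pool. During static review it can be undone by folding the pieces back together before searching. The following is an added example written for this write-up, not code from the Trustlook post or from the Triada sample: it folds three Java idioms a decompiler commonly renders (`"a" + "b"` runs, `StringBuilder` append chains, `new String(new char[]{...})`) and then reports which lines build the indicators the post names. The idioms handled and the sample source are assumptions, since the post shows the sample’s construction only as a screenshot (Fig.5).

```python
import re

# Indicators the write-up names as being assembled piecewise at run time.
SENSITIVE = {"SMS_RECEIVED", "WAP_PUSH_RECEIVED"}

# Java string and char literals as a decompiler typically renders them.
STR_LIT = r'"((?:[^"\\]|\\.)*)"'
CHR_LIT = r"'((?:[^'\\]|\\.))'"
LIT = rf"(?:{STR_LIT}|{CHR_LIT})"


def _unescape(s: str) -> str:
    """Undo the escapes commonly seen in decompiler output."""
    return (s.replace(r"\\", "\\").replace(r"\"", '"').replace(r"\'", "'")
             .replace(r"\n", "\n").replace(r"\t", "\t"))


def _quote(s: str) -> str:
    """Re-emit a folded value as a single Java string literal."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _join_literals(text: str) -> str:
    # findall returns (string_group, char_group) pairs; at most one is populated.
    return _quote("".join(_unescape(s or c) for s, c in re.findall(LIT, text)))


def fold_plus_concat(line: str) -> str:
    """Fold runs like "SMS" + "_" + 'R' + "ECEIVED" into one literal."""
    run = re.compile(rf"{LIT}(?:\s*\+\s*{LIT})+")
    return run.sub(lambda m: _join_literals(m.group(0)), line)


def fold_builder_chain(line: str) -> str:
    """Fold new StringBuilder("a").append("b")...toString() into one literal."""
    chain = re.compile(
        rf"new\s+StringBuilder\s*\(\s*(?:{LIT})?\s*\)"   # optional seed literal
        rf"(?:\s*\.append\s*\(\s*{LIT}\s*\))+"          # one or more literal appends
        rf"\s*\.toString\s*\(\s*\)"
    )
    return chain.sub(lambda m: _join_literals(m.group(0)), line)


def fold_char_array(line: str) -> str:
    """Fold new String(new char[]{'S','M','S'}) into "SMS"."""
    arr = re.compile(
        r"new\s+String\s*\(\s*new\s+char\s*\[\s*\]\s*\{\s*"
        r"((?:" + CHR_LIT + r"\s*,?\s*)+)\}\s*\)"
    )
    return arr.sub(lambda m: _join_literals(m.group(1)), line)


def deobfuscate(line: str) -> str:
    """Apply the folds until the line stops changing (one fold can enable another)."""
    prev = None
    while prev != line:
        prev = line
        line = fold_plus_concat(fold_builder_chain(fold_char_array(line)))
    return line


def find_sensitive(source: str) -> dict:
    """Map each sensitive indicator to the (1-based) source lines that build it."""
    hits: dict = {}
    for n, raw in enumerate(source.splitlines(), 1):
        for s in re.findall(STR_LIT, deobfuscate(raw)):
            for ind in SENSITIVE:
                if ind in _unescape(s) and n not in hits.get(ind, []):
                    hits.setdefault(ind, []).append(n)
    return hits


# Constructed stand-in for decompiler output; not taken from the real sample.
SAMPLE_SOURCE = """\
String action = "android.provider.Telephony." + "SMS" + "_" + "RECE" + "IVED";
String wap = new StringBuilder("WAP").append('_').append("PUSH_").append("RECEIVED").toString();
String other = new String(new char[]{'S', 'M', 'S', '_', 'R', 'E', 'C', 'E', 'I', 'V', 'E', 'D'});
filter.addAction("android.intent.action.BOOT_COMPLETED");
"""

if __name__ == "__main__":
    for line in SAMPLE_SOURCE.splitlines():
        print(deobfuscate(line))
    print(find_sensitive(SAMPLE_SOURCE))  # {'SMS_RECEIVED': [1, 3], 'WAP_PUSH_RECEIVED': [2]}
```

Running the folds to a fixed point matters because the idioms nest: a char array may be one operand of a `+` chain, and folding it first lets the outer run collapse on the next pass. The output is plain source with the reconstructed literals, so existing keyword rules can be applied to it unchanged.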

The database’s structure is as follows:

Fig.7. The table information of the SMS filter

Fig.8. All the keys of the SMS filter table
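When the zhifu database described above is pulled from an infected device, the analyst wants the filter terms out of it without trusting any particular schema, because the layout is only known from screenshots. The following is an added example for this write-up, not code from Trustlook or from the sample: it builds a constructed stand-in for the database (the `block` table name is from the post, its columns are assumed), enumerates every table through `sqlite_master` and `PRAGMA table_info`, pulls out text cells that look like SMS filter rules, and finally models the filter the post describes so that carrier confirmations the victim never saw can be identified. The regex heuristics and the sample messages are constructed for the example.

```python
import re
import sqlite3

# Keywords the write-up lists as the sample's SMS interception filter.
KNOWN_FILTER_TERMS = ["10086", "成功订购", "和视频", "和视界", "1065", "1066"]

# Heuristics for cells that look like filter rules: short numeric sender codes
# (the carrier service number and premium-service prefixes) or CJK phrases.
NUMERIC_SENDER = re.compile(r"^1(?:00\d{2}|06\d{1,8})$")
CJK_PHRASE = re.compile(r"^[\u4e00-\u9fff]{2,8}$")


def build_constructed_zhifu_db() -> sqlite3.Connection:
    """Constructed stand-in for the recovered zhifu database; the schema is assumed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE block (_id INTEGER PRIMARY KEY, keyword TEXT, enabled INTEGER)"
    )
    conn.executemany(
        "INSERT INTO block (keyword, enabled) VALUES (?, 1)",
        [(k,) for k in KNOWN_FILTER_TERMS],
    )
    # Fig.6 says the same database also holds the ad-display setting.
    conn.execute("CREATE TABLE ad_setting (name TEXT, value TEXT)")
    conn.execute("INSERT INTO ad_setting VALUES ('show_ad', '1')")
    conn.commit()
    return conn


def dump_tables(conn: sqlite3.Connection) -> dict:
    """Return {table: (columns, rows)} for every user table without assuming a schema."""
    out = {}
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
    )]
    for name in names:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{name}")')]
        rows = conn.execute(f'SELECT * FROM "{name}"').fetchall()
        out[name] = (cols, rows)
    return out


def extract_filter_terms(conn: sqlite3.Connection) -> list:
    """Collect (table, column, value) for text cells that look like SMS filter rules."""
    terms = []
    for table, (cols, rows) in dump_tables(conn).items():
        for row in rows:
            for col, val in zip(cols, row):
                if isinstance(val, str) and (NUMERIC_SENDER.match(val) or CJK_PHRASE.match(val)):
                    terms.append((table, col, val))
    return terms


def message_would_be_intercepted(sender: str, body: str, terms: list) -> bool:
    """Model of the filter the write-up describes: any keyword found in sender or body."""
    return any(k in sender or k in body for _, _, k in terms)


if __name__ == "__main__":
    db = build_constructed_zhifu_db()
    found = extract_filter_terms(db)
    for table, col, val in found:
        print(f"{table}.{col}: {val}")
    # A carrier confirmation the victim would never have seen (constructed message).
    print(message_would_be_intercepted("10086", "您已成功订购和视频业务", found))  # True
```

For a real recovery, replace the constructed connection with `sqlite3.connect(path_to_pulled_zhifu)`; the rest of the code needs no change because it never names a column. Replaying the victim's actual inbox through `message_would_be_intercepted` shows which billing confirmations were suppressed, which is the evidence needed to reconcile the premium-service charges with the carrier.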
