2015-09-11 16:01
Affected devices: Alps 2206, Alps 709, Alps 809T, Alps A24, Alps GQ2002, Alps H9001, Alps N3, Alps N9389, Alps PrimuxZeta, Alps ZP100, Andorid P8, ConCorde SmartPhone6500, DJC touchtalk, Huawei G510, Icefox Razor, iTouch, Lenovo S860, NoName S806i, SESONN N9500, SESONN P8, Star N8000, Star N9500, Xiaomi MI3, Xido X1111
The bundled malware is capable of:
Accessing the internet
Acquiring and sending SMS content
Installing apps
Accessing, storing, and modifying call data and data about the smartphone
Accessing the list of contacts
Obtaining GPS location data, and other functions
By allowing the behaviour listed above, a remote attacker could use the modified app to do any of the following:
Obtain location information
Record phone calls
Make app store purchases
Initiate wire fraud
Send premium SMS messages, and a lot more
So far, two threat families are involved in the G Data research:
Android.Trojan.Uupay
Android.Trojan.Andup
These malware families include fake versions of Facebook, Twitter, the Google Play Store, and other apps.
Grey industry
This begs the question: how does the malware get onto the mobile device? The answer may surprise you: "middlemen". G Data suggests that the logical explanation for how the malware gets installed is the use of middlemen who write apps into the firmware, or device ROM.
In China, some low-end mobile devices are sold at a very low price. The device manufacturer makes money not only from the consumer but also from developers, who pay the manufacturer to install their apps. This practice illustrates a "grey industry" in China.
A customized ROM (firmware) is not difficult to obtain. To profit from distributing malware through this grey industry, some companies dump the ROM from an official device, add or modify the apps it contains, then flash the new ROM onto the device. The ROM may also be distributed on forums, which can be enticing to a consumer who searches the internet for the newest "features" and "updates" for their device.
Analysis
We took a look at a sample of the Andup malware to learn more about its behaviour. The sample we analyzed was a modified version of the social app Facebook. It included features not found in the official version, for example recording which applications are currently installed on the device. The trojan also contains a function to download and install third-party apps under command-and-control (C&C) direction.
One major hint that the app was not legitimate was the developer's certificate: it was not issued to Facebook but to a company called "易連彙通", or Elinktek. This company is known to produce low-end Android tablets based on MTK (1280 x 800 resolution).
The following is an example of the permissions requested by Uupay:
android.permission.GET_TASKS
android.permission.GET_PACKAGE_SIZE
android.permission.INSTALL_PACKAGES
android.permission.DELETE_PACKAGES
android.permission.RESTART_PACKAGES
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.INTERNET
android.permission.READ_PHONE_STATE
android.permission.ACCESS_NETWORK_STATE
android.permission.ACCESS_WIFI_STATE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.WRITE_SMS
android.permission.READ_SMS
android.permission.SEND_SMS
The Uupay trojan supports the following actions:
Connect to the remote servers s.fsptogo.com and s.kavgo.com
Silently download and install apps
Collect device ID information
Collect browser history
Collect logcat output and upload it to a remote website
C&C support
Identification
There are symptoms that help identify the various spyware and malware:
In almost every variant that the G Data security experts have analyzed, the app has been poorly programmed and harbours an enormous security risk. Sensitive data are largely sent unencrypted or with a hardcoded key that can easily be decrypted. Thus, even other attackers can steal data or take control of the malware. In addition, none of the examined samples checks in advance whether it is exchanging data with the correct server, so man-in-the-middle attacks could easily be carried out against them.
Mobile device owners might check their application manager occasionally to help identify whether new applications were installed without consent.
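One way to automate the check just described, as an added example that is not from the original post or from G Data: a Python triage of package inventories captured with adb (`pm list packages -f` and `dumpsys package`), which flags ROM-resident apps requesting the permissions listed above and diffs the inventory against an earlier snapshot. The sample inventory is constructed; the com.example.uupay package, paths and hashes are assumptions, not values from a real device.

```python
import re

# Permissions from the write-up that matter most in a ROM-resident app
# (silent install/removal, SMS handling, auto-start at boot).
WATCHLIST = {"android.permission." + p for p in ("INSTALL_PACKAGES",
    "DELETE_PACKAGES", "SEND_SMS", "WRITE_SMS", "READ_SMS", "RECEIVE_BOOT_COMPLETED")}

def parse_pm_list(text):  # `pm list packages -f` output -> {package: apk path}
    return {m[2]: m[1] for m in re.finditer(r"^package:(.+)=([\w.]+)$", text, re.M)}

def parse_requested_permissions(text):  # `dumpsys package` -> {package: perms}
    perms, pkg, in_block = {}, None, False
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:
            pkg, in_block = m[1], False
            perms[pkg] = set()
        elif pkg and line == "requested permissions:":
            in_block = True
        elif in_block and line and ":" not in line:  # bare permission names
            perms[pkg].add(line)
        else:
            in_block = False  # e.g. "install permissions:" ends the block
    return perms

def triage(pm_text, dumpsys_text, baseline):
    """Flag ROM apps requesting watchlist permissions, plus packages missing
    from an earlier inventory snapshot (installed without consent?)."""
    perms, findings = parse_requested_permissions(dumpsys_text), {}
    for pkg, path in parse_pm_list(pm_text).items():
        notes = [] if pkg in baseline else ["not in baseline snapshot"]
        hits = sorted(p.rsplit(".", 1)[1] for p in perms.get(pkg, set()) & WATCHLIST)
        if path.startswith("/system/") and hits:
            notes.append("ROM app requests " + ", ".join(hits))
        if notes:
            findings[pkg] = notes
    return findings

# Constructed sample output, not captured from a real device.
PM_LIST = """package:/system/app/Facebook/Facebook.apk=com.facebook.katana
package:/system/priv-app/UUPay/UUPay.apk=com.example.uupay
package:/data/app/com.twitter.android-1/base.apk=com.twitter.android"""
DUMPSYS = """  Package [com.facebook.katana] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.uupay] (4d5e6f):
    requested permissions:
      android.permission.SEND_SMS
      android.permission.RECEIVE_BOOT_COMPLETED"""
BASELINE = {"com.facebook.katana", "com.example.uupay"}  # earlier snapshot
```

A Facebook build that ships in /system and requests INSTALL_PACKAGES is exactly the kind of finding that warrants comparing the APK's signing certificate with the official one.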
Mitigation
We echo G Data's recommendation that consumers research mobile devices before purchasing and install mobile security software. Some questions to consider before purchasing:
Does the seller of the mobile device offer support?
Have there been reports of unexpected behaviour with the device?
If you determine that your mobile device has been compromised, there are mainly two choices: contact the manufacturer for assistance in replacing the device ROM (firmware), or stop using the compromised device.
We also give special thanks to G Data for their helpful contributions.
Reference:
http://blog.0xid.com/2015/09/mobile-devices-bundled-with-malware/
Credit:
0xID Labs, and Min (Spark) Zheng & Xun Di of the Alibaba Mobile Security team
This article comes from our partner "阿裡聚安全".