Mobile devices bundled with malware?

When your purchase a mobile device, you expect the device to be free of digital threats, clear of virues, and otherwise safe to use. According to aG Data Mobile Malware Report for Q2 of 2015, more than 20 smartphone models were identified to contain modified or manipulated versions of common apps such as Facebook:

Alps 2206
Alps 709
Alps 809T
Alps A24
Alps GQ2002
Alps H9001
Alps N3
Alps N9389
Alps PrimuxZeta
Alps ZP100
Andorid P8
ConCorde SmartPhone6500
DJC touchtalk
Huawei G510
IceFox Razor
ITOUCH
Lenovo S860
NoName S806i
SESONN N9500
SESONN P8
Star N8000
Star N9500
Xiaomi MI3
Xido X1111

What are we dealing with here?

The modified apps contained additional functions, making them potentially harmful or malicious. Examples of added behavior included:

• Accessing the Internet
• Acquire and send SMS content
• Install apps
• Access, store, and modify call data and data about the smartphone
• Access the list of contacts
• Obtain GPS location data, and other functions

By allowing the above listed behavior, a remote attacker could use the modified app to do any of the following:

• Help obtain location information
• Record phone calls
• Make app store purchases
• Initiate wire fraud
• Send premium SMS messages, and a lot more

So far, there are two threat families involved with the G Data research:

• Android.Trojan.Uupay
• Android.Trojan.Andup

Grey Industry

This begs the question – how is malware installed on the mobile device? The answer may surprise you – “middle-men”. G Data offers that the logical explanation to getting malware installed is the use of middle men that write apps to the firmware, or device ROM.

In China, some low-end mobile devices are sold at a low cost. The device manufacture makes money not only from the consumer, but also from developers – the developers pay manufacturers to install their apps. This practice illustrates a “grey industry” in China.

Customized ROM (firmware) is not difficult to acquire. Also, in order to take advantage of the financial gains involved in distributing malware via the grey industry, some companies dump the ROM from an official device, add or modify the apps in the ROM,  then burn a new ROM to the device. The ROM can be distributed on forums as well. This could prove enticing to a consumer that searches the Internet for the newest “features” and “updates” for their device.

Analysis

We took a look at a sample of the malware Andup to learn more about its behavior. The sample we analyzed was a modified version of the social app Facebook. It included other features not found in the official version, for example, to take a record of which applications are currently installed on the device. The trojan contains another function to download and install 3rd party apps via a command & control mode.

One major hint that the app wasn’t legit was the developer’s certificate indicated it is not from Facebook, but from a company called “易连汇通”, or ElinkTek. This company is known to produce low-end Android tablets based on MTK resolution (1280 x 800).

android.permission.GET_TASKS
android.permission.GET_PACKAGE_SIZE
android.permission.ISNTALL_PACKAGES
android.permission.DELETE_PACKAGES
android.permission.RESTART_PACKAGES
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.INTERNET
android.permission.READ_PHONE_STATE
android.permission.ACCESS_NETWORK_STATE
android.permission.ACCESS_WIFI_STATE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.WRITE_SMS
android.permission.READ_SMS
android.permission.SEND_SMS

The UUPay Trojan supports the following actions:

• Connect to remote servers s.fsptogo.com and s.kavgo.com
• Silently download and install apps
• Get Device ID info
• Get browser history
• Get logcat info and upload to a remote website
• Support C&C

Identification

There were symptoms to help identify the various spyware and malware:

In almost every variant that the G DATA security experts have analyzed, the app has been poorly programmed and harbours an enormous security risk. Sensitive data are largely sent unencrypted or with a hardcoded key that can be easily decrypted. Thus, even other attackers can steal data or take control of the malware. In addition, none of the examined samples checks in advance whether it exchanges data with the correct server. In this case Man-in-the-middle-attacks could be easily implemented.

Mobile device owners might check their application manager occasionally to help identify if new applications were installed without consent.

Mitigation

We echo G Data’s recommendation that consumers research mobile devices prior to purchasing, and to install mobile security software. Some questions to consider prior to purchasing:

• Does the seller of the mobile device offer support?
• Have there been reports of unexpected behavior with the device?

With regard to the second question, examples of unexpected behavior can include extremely poor performance, a slow user interface, numerous advertisements, or the automatic installation of other apps. A quick Internet search returned results on removing the Trojans manually, which is not recommended for the non-techie.

If you determine that your mobile device has been compromised, there are mainly two choices; contact the manufacturer for assistance on replacing the device ROM (firmware), or abandon using the compromised device.

We also give special thanks to G Data for their helpful contributions.

Reference: 

http://blog.0xid.com/2015/09/mobile-devices-bundled-with-malware/

Credit：

0xID Labs, and Min (Spark) Zheng & Xun Di of Alibaba Mobile Security Team

本文来自合作伙伴“阿里聚安全”.