by Kai Lu  |  Jul 09, 2017  |  Filed in: Security Research

In this final blog in the Rootnik series we will finish our analysis of this new variant. Read Part 2 here

Let’s start by looking into the script shell rsh.

Analysis of the script shell

Through our investigation we are able to see how the script shell works:

  1. First, it writes the content of the file .ir into /system/etc/install-recovery.sh. The file install-recovery.sh is a startup script. When the Android device is booted, the script can be executed.

The following is the content of the file .ir.

  2. Next, it writes some files into the folder files/.snow/, and into the system folders /system/bin/ and /system/xbin/.

  3. It then installs six system apps in the folder /system/priv-app/.

  4. It then generates busybox into the folder /system/bin/, .rainin into the folder /system/xbin/, and the library libsoon.so into the folder /system/lib/.

  5. It then replaces the Android system’s executable file debuggerd.

The following is the content of the file .dg.

  6. Next, it executes some executable files in the folders /system/bin/ and /system/xbin/ and then generates a new device policy file.

The following is the content of the file a.xml.
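A defender-side check for the /system changes listed in the steps above, as an added example that is not part of the original analysis: it diffs a device's /system manifest against a stock-firmware baseline and tags the findings that match the article. The manifest format (`sha256sum` output), the digests, the baseline and the name `sample.apk` are constructed assumptions.

```python
# Added example. Manifests use `sha256sum` output format: "<digest>  <path>".
# Digests and the stock baseline below are constructed, shortened sample values.
# Paths the article says the rsh script creates or overwrites.
ARTICLE_PATHS = {
    "/system/etc/install-recovery.sh", "/system/bin/debuggerd",
    "/system/bin/busybox", "/system/xbin/.rainin", "/system/lib/libsoon.so",
}

def parse_manifest(text):
    """Return {path: digest} from sha256sum-style lines."""
    entries = {}
    for line in text.strip().splitlines():
        digest, path = line.split(None, 1)
        entries[path.strip()] = digest.lower()
    return entries

def diff_system(baseline_text, device_text):
    """List (kind, path, reasons) for files added to or changed in /system."""
    base, dev = parse_manifest(baseline_text), parse_manifest(device_text)
    findings = []
    for path, digest in sorted(dev.items()):
        if base.get(path) == digest:
            continue                      # unchanged from the stock image
        kind = "modified" if path in base else "added"
        directory, _, name = path.rpartition("/")
        reasons = []
        if path in ARTICLE_PATHS:
            reasons.append("named in article")
        if directory.startswith("/system/priv-app"):
            reasons.append("privileged app")
        if directory in ("/system/bin", "/system/xbin") and name.startswith("."):
            reasons.append("hidden executable")
        findings.append((kind, path, reasons))
    return findings

BASELINE = "a1a1  /system/bin/debuggerd\nd4d4  /system/lib/libc.so\n"
DEVICE = """\
ffff  /system/bin/debuggerd
7777  /system/bin/.author
eeee  /system/etc/install-recovery.sh
d4d4  /system/lib/libc.so
9999  /system/lib/libsoon.so
6666  /system/priv-app/sample.apk
8888  /system/xbin/.rainin
"""

if __name__ == "__main__":
    for kind, path, reasons in diff_system(BASELINE, DEVICE):
        print(f"{kind:8} {path}  [{', '.join(reasons) or 'unexpected change'}]")
```

On an unmodified device /system matches the factory image, so any entry this reports is worth explaining, whether or not it carries one of the article's tags.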

I next analyzed the ELF file .rainin in the folder /system/xbin/. It’s used to inject the library libsoon.so into the processes vold, netd, as well as zygote.

Figure 1. The function injecting libsoon.so in process

The following is the key code snippet in the function sub_94C8(int a1, const char *a2, char *a3, char *a4).

Figure 2. The key code snippet in the function sub_94C8

The following is the log file after executing the ELF file /system/xbin/.rainin

Figure 3. The log file after executing /system/xbin/.rainin
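The injection described above leaves libsoon.so visible in the memory map of each target process. The following added example (not code from the original post) scans `/proc/<pid>/maps` dumps of vold, netd and zygote for that library or for any executable mapping missing from the stock image. The maps text and the known-good set are constructed, and collecting the dumps is assumed to be done with root access on the device under examination.

```python
import os

# Added example. Process names and library come from the article; the maps
# text and the known-good set are constructed sample data.
TARGETS = ("vold", "netd", "zygote")
INJECTED = "libsoon.so"

def executable_mappings(maps_text):
    """Return file paths that a /proc/<pid>/maps dump shows mapped executable."""
    paths = set()
    for line in maps_text.strip().splitlines():
        fields = line.split(None, 5)      # range perms offset dev inode [path]
        if len(fields) == 6 and "x" in fields[1] and fields[5].startswith("/"):
            paths.add(fields[5].strip())
    return paths

def find_injection(snapshots, known_good):
    """snapshots maps process name -> maps text. Returns {name: [paths]} for
    executable mappings that are libsoon.so or absent from the stock image."""
    report = {}
    for name in TARGETS:
        mapped = executable_mappings(snapshots.get(name, ""))
        hits = sorted(p for p in mapped
                      if os.path.basename(p) == INJECTED or p not in known_good)
        if hits:
            report[name] = hits
    return report

KNOWN_GOOD = {"/system/lib/libc.so", "/system/bin/app_process", "/system/bin/netd"}
ZYGOTE_MAPS = """\
b6e00000-b6e5a000 r-xp 00000000 b3:05 1201 /system/lib/libc.so
b6e5a000-b6e5d000 rw-p 0005a000 b3:05 1201 /system/lib/libc.so
b6f00000-b6f0c000 r-xp 00000000 b3:05 1733 /system/lib/libsoon.so
b6f80000-b6f82000 r-xp 00000000 b3:05 310 /system/bin/app_process
bee00000-bee21000 rw-p 00000000 00:00 0 [stack]
"""
NETD_MAPS = """\
b6e00000-b6e5a000 r-xp 00000000 b3:05 1201 /system/lib/libc.so
b6f80000-b6f9a000 r-xp 00000000 b3:05 402 /system/bin/netd
b6fa0000-b6fa1000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    print(find_injection({"zygote": ZYGOTE_MAPS, "netd": NETD_MAPS}, KNOWN_GOOD))
```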

When the .so injection is successful, it can invoke the function solib_entry in libsoon.so.

Figure 4. The function solib_entry in libsoon.so

The definition of the function checkInstallRecoveryEtc() is shown below.

Figure 5. The function checkInstallRecoveryEtc()

It checks the mode of some binary files as well as some installed apps. It then restores the InstallRecovery script, and checks to see if the SU daemon is running. Finally, it checks to see if the app “com.fly.me.ssp.be” has been installed. If not, it could run this app.

The ELF file /system/bin/.author is a su binary. The following is its usage:

Figure 6. The usage of /system/bin/.author

Looking into the installed apps

As shown in Tables 1 and 2 in Part II of this blog series, the malware app is able to launch some activities in the installed app. Combining them with the installed apps in script shell rsh, we have listed these installed apps as follows:

Table 1. The list of installed apps

From the column labeled “Detection” you can see that Fortinet’s AV engine has detected and identified them as malware.

You can also see that most of them were installed in the system app folder /system/priv-app/. The other two apps were installed in the folder /data/app/ through the command “pm install”.

The APK files listed in Table 1 can be generated by two methods: via http request and by being hard-coded. Regardless of whether the hard-coded or http request method is used, the data generated is decrypted. The two decryption algorithms used are shown in the Appendix at the end of this blog.

Additionally, we also found that more apps (including, but not limited to the following) had been installed in the folder /system/priv-app/.

Figure 7. Apps installed in folder /system/priv-app/ by the malware

We also found that a large number of apps (including, but not limited to the following) had been installed in the folder /data/app/.

Figure 8. Apps installed in folder /data/app/ by the malware

Malicious Behaviors Observed

The Rootnik malware performed a number of malicious behaviors. These include, but are not limited to the following:

  1. App and ad promotion

In addition to gaining root privileges on the device, the Rootnik malware promotes apps and ads to generate revenue for its creator. Its app and ad promotion is especially aggressive and annoying to the user. The following are some screenshots of its app promotion:

Figure 9. The screenshots of app promotion

  2. Normal and silent app installation

The following is the screenshot of normal app installation and silent app installation.

Figure 10. The screenshots of normal and silent app installations

  3. Push notifications

The malware pushes a notification and induces the user to click it.

Figure 11. Push notification

  4. Sends SMS messages

The malware can send SMS messages to a specific subscription number and then delete them from the SMS box. It can also send an SMS message through an adb command.

  5. Downloads files

We found that many files and folders were also downloaded into the folder /sdcard/. They include APK files, pictures, log files, etc. These files are generated by the installed apps, and some of them perform malicious behaviors.

Figure 12. Files and folders dropped into folder /sdcard/

Workflow of Rootnik

Finally, I drew the following workflow diagram of how the new Android Rootnik variant works.

Figure 13. An overview of the Android Rootnik malware’s workflow

Solution

The malware sample is detected by Fortinet Antivirus signature Android/Rootnik.AE!tr.

Traffic communicating with the remote C2 server can be detected by Fortinet IPS signature Android.Rootnik.Malware.C2.

Summary

From the analysis, we can see that this new Rootnik variant is able to disguise itself as a legitimate app. The developer of the malware app was able to repackage a legitimate app from Google Play and insert malicious code into it. This disguise can trick even careful users.

Additionally, this new variant is rather powerful and uses advanced anti-debugging techniques to prevent reverse engineering, as well as different types of encryption for files and strings. The malware also uses some open-source Android root exploit tools and the MTK root scheme from the dashi root tool to gain root access on the Android device. The root exploits can be downloaded from a remote HTTP server. It’s also easy for the developer to update the root scheme of this malware and extend its functionality. Finally, after successfully gaining root privileges on the device, the Rootnik malware can perform a variety of malicious operations, including app and ad promotion, silent app installation, pushing notifications, and sending SMS messages.

Appendix

Rootnik Malware Sample

Package Name:  net.gotsun.android.wifi_configuration

SHA256:  42e2e975edc9972c37bfc13742cd83e43eca3d708e5ea087a0a1fcaf63cbae09

Additional APK files dropped into system partition by Rootnik malware


C2 Servers


The decryption program for the hard-coded method

The decryption program for the http request method

 
