Mobile devices bundled with malware?-白红宇

2015年09月11日 16:01 5666

When your purchase a mobile device, you expect the device to be free of digital threats, clear of virues, and otherwise safe to use. According to a, more than 20 smartphone models were identified to contain modified or manipulated versions of common apps such as Facebook:

Alps 2206
Alps 709
Alps 809T
Alps A24
Alps GQ2002
Alps H9001
Alps N3
Alps N9389
Alps PrimuxZeta
Alps ZP100
Andorid P8
ConCorde SmartPhone6500
DJC touchtalk
Huawei G510
IceFox Razor
ITOUCH
Lenovo S860
NoName S806i
SESONN N9500
SESONN P8
Star N8000
Star N9500
Xiaomi MI3
Xido X1111

What are we dealing with here?

The modified apps contained additional functions, making them potentially harmful or malicious. Examples of added behavior included:

Accessing the Internet

Acquire and send SMS content

Install apps

Access, store, and modify call data and data about the smartphone

Access the list of contacts

Obtain GPS location data, and other functions

By allowing the above listed behavior, a remote attacker could use the modified app to do any of the following:

Help obtain location information

Record phone calls

Make app store purchases

Initiate wire fraud

Send premium SMS messages, and a lot more

So far, there are two threat families involved with the G Data research:

Android.Trojan.Uupay

Android.Trojan.Andup

These malware families can include fake versions of Facebook, Twitter, Google Play Store, and other apps.

Grey Industry

This begs the question – how is malware installed on the mobile device? The answer may surprise you – “middle-men”. G Data offers that the logical explanation to getting malware installed is the use of middle men that write apps to the firmware, or device ROM.

In China, some low-end mobile devices are sold at a low cost. The device manufacture makes money not only from the consumer, but also from developers – the developers pay manufacturers to install their apps. This practice illustrates a “grey industry” in China.

Customized ROM (firmware) is not difficult to acquire. Also, in order to take advantage of the financial gains involved in distributing malware via the grey industry, some companies dump the ROM from an official device, add or modify the apps in the ROM, then burn a new ROM to the device. The ROM can be distributed on forums as well. This could prove enticing to a consumer that searches the Internet for the newest “features” and “updates” for their device.

Analysis

We took a look at a sample of the malware Andup to learn more about its behavior. The sample we analyzed was a modified version of the social app Facebook. It included other features not found in the official version, for example, to take a record of which applications are currently installed on the device. The trojan contains another function to download and install 3rd party apps via a command & control mode.

One major hint that the app wasn’t legit was the developer’s certificate indicated it is not from Facebook, but from a company called “易连汇通”, or ElinkTek. This company is known to produce low-end Android tablets based on MTK resolution (1280 x 800).

The following is an example of permissions requested by Uupay:

android.permission.GET_TASKS

android.permission.GET_PACKAGE_SIZE

android.permission.ISNTALL_PACKAGES

android.permission.DELETE_PACKAGES

android.permission.RESTART_PACKAGES

android.permission.RECEIVE_BOOT_COMPLETED

android.permission.INTERNET

android.permission.READ_PHONE_STATE

android.permission.ACCESS_NETWORK_STATE

android.permission.ACCESS_WIFI_STATE

android.permission.WRITE_EXTERNAL_STORAGE

android.permission.WRITE_SMS

android.permission.READ_SMS

android.permission.SEND_SMS

The UUPay Trojan supports the following actions:

Connect to remote servers s.fsptogo.com and s.kavgo.com

Silently download and install apps

Get Device ID info

Get browser history

Get logcat info and upload to a remote website

Support C&C

Identification

There were symptoms to help identify the various spyware and malware:

In almost every variant that the G DATA security experts have analyzed, the app has been poorly programmed and harbours an enormous security risk. Sensitive data are largely sent unencrypted or with a hardcoded key that can be easily decrypted. Thus, even other attackers can steal data or take control of the malware. In addition, none of the examined samples checks in advance whether it exchanges data with the correct server. In this case Man-in-the-middle-attacks could be easily implemented.

Mobile device owners might check their application manager occasionally to help identify if new applications were installed without consent.

Mitigation

We echo G Data’s recommendation that consumers research mobile devices prior to purchasing, and to install mobile security software. Some questions to consider prior to purchasing:

Does the seller of the mobile device offer support?

Have there been reports of unexpected behavior with the device?

With regard to the second question, examples of unexpected behavior can include extremely poor performance, a slow user interface, numerous advertisements, or the automatic installation of other apps. A quick Internet search on removing the Trojans manually, which is not recommended for the non-techie.

If you determine that your mobile device has been compromised, there are mainly two choices; contact the manufacturer for assistance on replacing the device ROM (firmware), or abandon using the compromised device.

We also give special thanks to G Data for their helpful contributions.

Reference:

http://blog.0xid.com/2015/09/mobile-devices-bundled-with-malware/

Credit：

0xID Labs, and Min (Spark) Zheng & Xun Di of Alibaba Mobile Security Team

本文来自合作伙伴“阿里聚安全”.