
Android Malware Toolkit Poses as Porn Apps Targeting Chinese-speaking Users

Symantec has discovered a malicious toolkit disguised as porn apps available on app-centric sites, forums, torrent sites, and popular social networks.

We recently discovered a malicious toolkit (detected as Android.Rootnik.B) embedded in thousands of pornographic apps that primarily target Chinese-speaking users. The toolkit has a broad range of capabilities, including:

  • Rooting Android devices
  • Injecting malicious code into legitimate apps
  • Subscribing to premium services and sending premium messages
  • Silently downloading/installing risky apps

The apps find their way onto devices via app-centric websites, forums, and torrent sites, and they also spread over popular social messaging networks.

Figure 1. Samples of malicious porn app ads found on Chinese websites

Infection vector

This malware hides its primary malicious payload in a fake .tiff image in the application's resources. Once unpacked, the payload downloads further malicious components from a set of helper web servers. The malware then sets the immutable attribute on the files it drops (a technique laid out in a previous blog) so that neither a savvy user nor an antivirus application can delete them until the attribute is cleared.
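The following is an added example, not the malware's or Symantec's code, of the check a responder would run for this anti-removal trick. It reads each file's inode attributes through the Linux FS_IOC_GETFLAGS ioctl and reports the ones carrying the immutable or append-only bit (what `chattr +i` and `chattr +a` set), which block deletion even as root until the bit is cleared. It assumes a Linux host and an ext4-style filesystem that supports the ioctl; run it over a mounted image of the device's system and data partitions, or adapt it for the device itself. The function names are our own.

```python
"""Find files locked with the immutable/append-only inode attribute."""
import fcntl
import os
import struct
import tempfile
from typing import List, Optional

# Bit values from <linux/fs.h>. FS_IOC_GETFLAGS is encoded as _IOR('f', 1, long),
# so the request number depends on whether userland is 32- or 64-bit.
FS_IMMUTABLE_FL = 0x00000010
FS_APPEND_FL = 0x00000020
FS_IOC_GETFLAGS = 0x80086601 if struct.calcsize("l") == 8 else 0x80046601


def inode_flags(path: str) -> Optional[int]:
    """Return the inode attribute bits for path, or None if the file is gone,
    is a symlink, or sits on a filesystem that does not support the ioctl."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK | os.O_NOFOLLOW)
    except OSError:
        return None
    try:
        buf = bytearray(struct.calcsize("l"))       # kernel writes an int into it
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf, True)  # True: mutate buf in place
        return struct.unpack("l", buf)[0]
    except OSError:
        return None
    finally:
        os.close(fd)


def is_locked(path: str) -> Optional[bool]:
    """True when unlink/modify would fail (even for root) until chattr -i/-a."""
    flags = inode_flags(path)
    if flags is None:
        return None
    return bool(flags & (FS_IMMUTABLE_FL | FS_APPEND_FL))


def scan_tree(root: str) -> List[str]:
    """Walk root and return every path that carries a locking attribute."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames + dirnames:
            p = os.path.join(dirpath, name)
            if is_locked(p):
                hits.append(p)
    return hits


def self_check() -> dict:
    """Exercise the helpers on a scratch file (constructed input, no root needed)."""
    workdir = tempfile.mkdtemp()
    probe = os.path.join(workdir, "probe")
    with open(probe, "w") as f:
        f.write("probe")
    try:
        return {
            "probe_locked": is_locked(probe),          # False, or None if unsupported
            "tree_hits": scan_tree(workdir),           # nothing locked in a fresh dir
            "missing": inode_flags(os.path.join(workdir, "missing")),  # None
        }
    finally:
        os.remove(probe)
        os.rmdir(workdir)


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("locked:", hit)
```

A hit under a writable app or system directory that no legitimate package manager or OTA process sets is the artefact to chase; clearing the bit (chattr -i) first is what makes the subsequent delete succeed.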

The threat also attempts to replace debuggerd, a core Android system daemon. Because the daemon's binary lives on the system partition, which a factory reset does not wipe, hijacking it lets the malware survive cleaning attempts by antivirus applications and even more aggressive measures such as a factory reset.

Rooting workflow

The malware decrypts and dynamically loads the hidden payload (detected as Android.Reputation.1). The payload decrypts the following command and control (C&C) URLs and queries them for its rooting configuration:

  • http://gr.[REMOVED].pw:[REMOVED]/kitmain.aspx
  • http://gr.[REMOVED].top:[REMOVED]/kitmain.aspx
  • http://43.[REMOVED].68.193:[REMOVED]/kitmain.aspx
  • http://nr.[REMOVED].com:[REMOVED]/kitmain.aspx
  • http://nr.[REMOVED].com:[REMOVED]/kitmain.aspx

The following is a sample response that tells the malware where to download the rooting exploits from, when to start a root attempt, how many times to retry if the attempt fails, and the metadata for the rootkit itself:

Figure 2. Sample response from C&C servers

Malware injection mechanisms

After gaining root privileges, the malware selects a suitable long-lived target process (such as a system process or an app-store process) into which it can inject malicious code.

The injected code creates a UNIX domain socket, listens on it, and invokes methods in response to the commands it receives. It performs no check on who is connecting, so any malicious client on the device (another app) can instruct the infected process to carry out actions on its behalf with that process's privileges, including sending premium-rate messages.

Other capabilities

The malware also silently downloads and installs a known malicious app named ister59.apk (detected as Android.Reputation.3) from the following URL:

  • http://1jope[REMOVED].com/ister59.apk?attname[REMOVED]1508999147941

It can download and dynamically load other payloads from the following URLs without the user’s consent:

  • http://vpay.[REMOVED].eerichina.com/[REMOVED]/19c32fb8ebc57b6e.jar
  • http://120.[REMOVED].154.102:[REMOVED]/plugin_VA5.1.1.jar

Moreover, it subscribes to premium services and sends premium text messages. It requests ads and pushes other malicious apps.

Affected platform versions

All devices with Android API level 8 (2.2) or greater are affected.

Even on devices running newer platform versions that the malware cannot root, it still sends premium-rate messages: unable to inject code or install additional malware, it falls back to premium-rate scamming.

Furthermore, the malware code is highly modularized, so it can easily be repackaged into other popular apps. In addition, the malware is protected by a private packer, as outlined in a previous post. The malicious code is obfuscated and its key strings are encrypted, which thwarts basic static analysis and signature-based detection.

Mitigation

Symantec recommends mobile users observe the following security best practices:

  • Keep your software up to date.
  • Refrain from downloading apps from unfamiliar sites.
  • Only install apps from trusted sources.
  • Pay close attention to the permissions requested by an app.
  • Install a suitable mobile security app, such as Norton, in order to protect your device and data.
  • Make frequent backups of important data. 

Protection

Symantec and Norton products detect the malware and the related threats discussed in this blog as Android.Rootnik.B, Android.Reputation.1, and Android.Reputation.3.

About the Author

Martin Zhang

Principal Software Engineer

Martin is a member of Symantec’s Security Technology and Response team who are focused on providing round-the-clock protection against current and future cyber threats.

About the Author

Shaun Aimoto

Technical Product Owner

Shaun is a member of Symantec’s Security Technology and Response team where he is focused on security research, and innovation on mobile platforms.
