Android.Rootcager – Kashif Ali

June 11, 2013

Linux Kernel Exploit Ported to Android

Malware authors are notorious for quickly leveraging new exploits in the public domain for nefarious purposes. The recent discovery of a Linux Kernel CVE-2013-2094 Local Privilege Escalation Vulnerability (CVE-2013-2094) in the Performance Counters for Linux (PCL)—currently being exploited on various platforms—has now been modified to work on the Android operating system.

For anyone unfamiliar with the Android operating system, it is based off the open source Linux operating system. This means that many of the discovered Linux kernel based vulnerabilities have the possibility of being exploited in Android devices. However, with different Android devices using different versions of the Linux kernel, only certain devices may be affected by a particular exploit.

Privilege escalation exploits are particularly dangerous as they can allow cybercriminals to gain complete control over the compromised device. The Android operating system normally sandboxes every application so they cannot perform sensitive system operations or interfere with other installed applications. In the past, we have seen malware use privilege escalation exploits to access data from other applications, prevent uninstall, hide themselves, and also bypass the Android permissions model to enable behaviors such as sending premium SMS messages without user authorization.

As we noted in a 2011 blog on Android.Rootcager, privilege escalation exploits are quickly incorporated into malware, so we expect to see Android malware incorporating this new privilege escalation exploit before too long.

Symantec will continue to monitor the threat landscape for the use of any exploits. Until a patch is made available for all Android devices affected by this exploit, and to avoid becoming a victim of malicious applications, we recommend that you only use reputable marketplaces for downloading and installing applications.

If you suspect that your Android device has been compromised in any way, be sure to download the latest update to Norton Mobile Security and perform a full scan.

July 10, 2012

Android Apps Get Hit with the Evil Twin Routine Part 2: Play It Again Spam

If you have not heard of this term yet, I guarantee you will in the months to come. The term is market spam. This is not a new term or an issue that affects one or two app stores; this is a systemic problem that impacts app stores at large, where spammers focus on getting around rules and screening processes of the app stores with the goal of making a quick buck. The goal of most market spam is to get to a mass audience in the shortest time possible and to prolong its presence on a device. Regardless of how it is done, the long term effect is monetary gains for the rogue publisher at some cost to the end user.

To increase the revenue earning potential, the app developer has to maximize the length of time that they have access to a user device. There are several strategies to achieve this, which include:

Keep an app on a device for as long as possible.

Get several apps from the same developer to transit through a device as a result of suggestive download recommendations. Many apps (particularly free ones) often suggest further downloads of other apps from the same developer. Essentially this has the same effect as an extended stay from a single app.

Without strategies to extend the life of the app on the device, the window of opportunity for a market spammer to make serious money is short-lived.

To better understand the effects of these strategies, let’s look at an example of two incidents recently identified. The incidents involved two different apps using two different publisher IDs. Both were published around the same date on Google Play (June 23 or 24). The first app was a traditional smash-and-grab type malware—a Trojan that sends SMS messages to premium rate numbers. We detect it as Android.Dropdialer. The second was a pirated emulator and ROM combination file that was Trojanized using several advertising SDKs, as well as additional functionalities to carry out the strategies mentioned earlier. We detect this second Trojan as Android.Fakeapp.

Coincidentally, both apps use the same theme of a popular game as the bait to lure users into downloading the app. Before being revoked from the app store, both apps achieved substantial download counts— between 50,000 to 100,000. Looking at which app has the potential to earn the most revenue, Android.Dropdialer appears to be an obvious choice but, in this case, the obvious choice is an incorrect one.

This becomes apparent after delving deeper into Android.Fakeapp. After installation, Android.Fakeapp would display a notification to the user to download other apps from the same market spammer. This causes the number of apps on devices using the same underlying revenue generation functionality to grow.

A review of the past activities of the rogue market spammer behind Android.Fakeapp shows that since mid-May this is their fifth attempt to publish the same app using a new publisher ID each time. Despite the fact that the apps were immediately suspended on Google Play, our telemetry data has shown that the constant stream of new downloads resulting from users tapping on the download suggestions in the app, has resulted in a steadily growing user base.

The functionality of Android.Fakeapp is summarized as follows:

70 percent of the app code is devoted to a combination of multiple advertising SDKs which remove or disregard any user consent requirements. There are also additional functionalities to display app suggestions for download and install.
10 percent of the app code is devoted to a notification module.
10 percent of the app code is devoted to a social spamming module.
10 percent of the app code makes up the core (yep, that's all), which is what the user believes was installed.

Symantec has been tracking quite a few of these cases this year. The case involving Android.Fakeapp shows signs of incremental evolution in the attacks resulting from trial-and-error efforts by the publisher who has made attempts to test for weakness in app market screening processes. Apps able to pass app market screenings are released onto the unsuspecting public. The key success factor for market spammers is to translate best practices they have learned into a pseudo framework as quickly as possible.

It should come as no surprise that several high profile threat families discovered last year such as Android.Rootcager or Droid Dreams are text book examples of market spammers at work. Typical practices include not only using multiple apps, but also using multiple publisher IDs to spread the risk. Despite the fact that Android.Lightdd, the follow-up to Android.Rootcager, was also distributed by spammers on Google Play, it did not gain as much traction as its predecessor. In many ways this threat was ahead of its time as it embodies many of the techniques that are in fashion with market spammers, notably the decrease in the use of root exploits.

To be continued in Part 3.

March 9, 2011

Android.Bgserv Found on Fake Google Security Patch

On March 6,2011, Google published the application “Android Market Security Tool”, a tool designed to undo the side effects caused by Android.Rootcager. This application was automatically pushed to devices of users who had downloaded and installed infected applications.

Symantec has identified suspicious code within a repackaged version of the “Android Market Security Tool”. This package was found on an unregulated third-party Chinese marketplace. This threat seems to be able to send SMS messages if instructed by a command-and-control server located at the following address:

hxxp://www.youlubg.com:81/Coop/request3.php

Analysis of the application is still ongoing, however, what is shocking is that the threat’s code seems to be based on a project hosted on Google Code and licensed under the Apache License:

http://code.google.com/p/mmsbg/

Here are a few snippets taken from Google’s hosted project:

We have added detection for the trojanized version of Google’s application as Android.Bgserv.

March 2, 2011

New Android Threat Gives Phone a Root Canal

Malicious authors have taken a variety of popular free apps from the official Android market and bundled them with malware capable of rooting the phone, harvesting data, or opening a backdoor. We have been seeing a lot of this as of late—threats like Android.Geimini and Android.Pjapps—where the authors release them on unofficial Android marketplaces.

Apparently some malicious authors where not satisfied just sticking with this routine. We have become aware of a selection of malicious applications following this trend; however, they are available on the official Android Market. The applications in question are popular free apps, bundled with malware, that have then been republished in the official marketplace under different application and publisher names. According to sources, 50,000 to 200,000 downloads took place within a four-day time frame that the apps were made available. Google has taken action and has removed these apps from the official Android marketplace.

The Android Packages (.apk) include the file "rageagainstthecage", which is a tool commonly used to root the phone. In legitimate circumstances, this file can be used by the owner of the phone to acquire administrative rights on his or her phone. In this case, rooting the phone can allow the malware we call Android.Rootcager to perform more than the usual activities (e.g. taking screenshots) not commonly allowed on Android phones.

Android.Rootcager in particular roots the phone without user consent to perform various activities. DownloadProvidersManager.apk is dropped by the malware to monitor installed applications and download additional packages of code as a background service. The malware also attempts to record IMEI and IMSI numbers, which are used to identify mobile phones, and upload the data to an external website.

The following is a list of potentially affected apps, so users may want to check if these are installed on their Android phone:

Publisher:
kingmall2010
Apps:

掷骰子 Version 2.4.1
多彩绘画 Version 1.2
Advanced App to SD Version 1.0.1
Magic Strobe Light Version 1.0.1
Advanced Compass Leveler Version 1.1.1
Super Stopwatch & Timer Version 4.3
Sexy Legs Version 1.0.01
Sexy Girls: Japanese Version 1.0
Bowling Time Version 1.8
软件强力卸载 Version 4.2
Music Box Version 2.5
Best password safe Version 1.0.5
墨水坦克Panzer Panic Version 1.0.0
裸奔先生Mr. Runner Version 1.0
Hot Sexy Girls Version 1.0
Super sex sound Version 1.3
致命绝色美腿 Version 1.0.01
Super Bluetooth Transfer Version 2.30.1
Advanced File Manager Version 1.1.0
Advanced Barcode Scanner Version 1.0.1
Task Killer Pro Version 1.0.1

Publisher:
myournet
Apps:

Spider Man Version 1.29
蜘蛛侠 Version 1.29
Funny Paint Version 1.2
Dice Roller Version 2.4.1
躲避弹球 Version 2.0.9
Falling Ball Dodge Version 2.0.9
Photo Editor Version 3.1.1
Chess Version 2.6.1
APP Uninstaller Version 1.6.0
几何战机_PewPew Version 1.5.3
下坠滚球_Falldown Version 1.0
Falling Down Version 1.0
Screaming Sexy Japanese Girls Version 1.0
Hot Sexy Videos Version 0.1.10
Super History Eraser Version 1.0.1
Super Ringtone Maker Version 1.0.1
Hilton Sex Sound Version 2.1.1
Scientific Calculator Version 1.4.2
Super Guitar Solo Version 1.0.1
Super Sex Positions Version 1.0
Advanced Currency Converter Version 1.0.1

Publisher:
we20090202
Apps:

Basketball Shot Now Version 1.4.0
Omok - Five in a Row Version 3.1.1
Super Sexy Ringtones Version 3.1.4
手指赛跑 Finger Race Version 1.4.5
Magic Hypnotic Spiral Version 2.0.0
Quick Notes Version 2.1.1
投篮高手 Version 1.4.0
Quick Delete Contacts Version 1.0
Advanced Sound Manager Version 2.0.0
Color Blindness Test Version 2.1.1

If users feel that they may have installed one of these apps, they should also check com.android.providers.downloadsmanager (DownloadManageService) in the “running services“ settings of the phone, as shown in the screenshot below.

Thanks goes out to Justin Case at Android Police and my colleague Irfan Asrar for their assistance.

M	T	W	T	F	S	S
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31