August 25, 2015

Recently, Doctor Web security researchers have detected and examined a new Android Trojan named Android.Backdoor.260.origin. This malicious program is distributed among Chinese users and is intended to spy on its victims. In particular, the Trojan can intercept SMS messages, record phone calls, track GPS coordinates of the infected device, take screenshots, and even collect data entered by the user.

Due to the fact that Android.Backdoor.260.origin is distributed as “AndroidUpdate”, potential victims are very likely to install it on their mobile devices.

Android.Backdoor.260.origin has a rather complicated module architecture—that is, its main malicious features are implemented in special modules incorporated into the malware's software package. When launched for the first time, the Trojan extracts the following additional components:

• super,
• detect,
• liblocSDK4b.so,
• libnativeLoad.so,
• libPowerDetect.cy.so,
• 1.dat,
• libstay2.so,
• libsleep4.so,
• substrate_signed.apk,
• cInstall.

Next, it tries to run the binary cInstall file (detected by Dr.Web as Android.BackDoor.41) with root privileges. If the attempt is successful, this malicious module plants a number of files extracted earlier into system folders and tries to stealthily install a utility called “Substrate”. This tool expands functionality of applications and is used by Android.Backdoor.260.origin to intercept entered data. If the Trojan does not succeed in acquiring root privileges, then, most likely, it will fail to install necessary components. As a result, the malware will not be able to perform the majority of its functions properly.

Once all the modules are installed, Android.Backdoor.260.origin removes its shortcut created earlier and launches the malicious service called PowerDetectService. This service runs the malicious module with the name libnativeLoad.so, which has been added to Dr.Web virus database under the name of Android.BackDoor.42, and Substrate (detected by Dr.Web as Tool.Substrate.1.origin). In fact, this tool is not actually malicious and can be easily downloaded from Google Play. However, cybercriminals have modified the original application and incorporated the new version into Android.Backdoor.260.origin. As a result, the tool became potentially dangerous for mobile devices' users.

The libnativeLoad.so component runs the “detect” file (Android.BackDoor.45) that initiates the work of the binary 1.dat module (Android.BackDoor.44). This module, in turn, activates the libsleep4.so library (Android.BackDoor.46) that constantly takes screenshots and intercepts data entered by the user and the libstay2.so library (Android.BackDoor.43) whose purpose is to steal contact list data and monitor SMS messages and messages exchanged via QQ.

Moreover, the 1.dat component can receive a number of commands from the command and control server—among them are the following ones:

• DOW—download a file form the server
• UPL—upload a file to the server
• PLI, PDL, SDA—update malicious modules and settings
• DIR—get the list of files residing in the specified folder
• DTK—write the contents of the specified folder into a file
• OSC, STK—run a search for the specified file of folder
• OSF—abort the search of the specified file
• DEL—delete the specified file
• SCP—take a screenshot
• BGS—activate the microphone and start recording
• GPRS—start tracking GPS coordinates

It should be noted that while some commands are executed by the 1.dat module on its own, other commands are carried out with the help of other malicious libraries that closely communicate with each other through UNIX sockets using the following double-byte commands:

• 0x2633—start recording using the built-in microphone,
• 0x2634—stop recording,
• 0x2635—update the configuration file to record audio,
• 0x2629—copy the contact list,
• 0x2630—copy the contact list,
• 0x2631—copy SMS messages,
• 0x2632—copy the call log,
• 0x2628—forward information on the device's location to the server,
• 0x2532—forward information on the process name of the currently used application,
• 0x2678—upload the data entered by the user to the server.

Once again Doctor Web security researchers would like to warn users against installing applications downloaded from unreliable sources. Moreover, we would like to remind about the importance of protecting your mobile device with reliable anti-virus software. Signatures of Android.Backdoor.260.origin and its components have been added to Dr.Web virus database. Therefore, these malicious programs pose no threat to users of Dr.Web for Android.