SHA1 hash:
- 1d5cb15e64612fcf35eaf8af5e5a3303a2a3258a (libcore64.jar)
Description
A trojan module that malicious actors embed into Android apps. For example, it was found in the firmware updating system app of the Elari Kidphone 4G smart watch. The module is used to collect and send confidential information to the C&C server and to receive and execute various commands.
Operating routine
The module represents a libcore64.jar file that is encrypted and stored in the application package of the main app. When the device is turned on for the first time, the trojan code (Android.DownLoader.3894) that is embedded into this app decrypts and launches the module. After that, whenever the device is powered on, as well as when the network connectivity is changed, the module is launched automatically.
Upon its launch, Android.DownLoader.812.origin connects to the C&C server at hxxp://mad[.]dwphonetest[.]com:58801/msg/pull with set time intervals. By default, the connection interval is 8 hours but it can be changed with the corresponding server command.
Upon successful connection, the trojan sends a request with the data to the C&C server. The transferred data is encrypted with base64 and can include:
- d0—version—trojan module version
- d1—session—an APP-REQ constant that is replaced by an s20 value
- d2—devid—device unique ID (IMEI for a GSM device or MEID or ESN for a CDMA device)
- d3—utdid—a unique UserTrack Device Identity
- d4—man—device manufacturer
- d5—mod—device model
- d6—osv—an OS version installed on the device
- d8—lang—OS default language
- d9—operator(mcc mnc)—mobile carrier ID (MCC+MNC)
- da—loc—geolocation data
- db—msisdn—mobile phone number
- dc—iccid—SIM ID
- dd—imsi—a unique ID of the mobile operator subscriber
- de—dldir—a default location of the directory to store files downloaded from the Internet (for the internal storage the value is set as data, and for SD card the value is set as sd);
- df—avaisize—free space of the internal storage available
- dg—totalsize—total amount of the internal storage
- c1—appid—an RSOTA_APP_ID value from the app’s metadata
- c2—carrier_pkgname—a package name of the app with embedded trojan
- c3—channel—an RSOTA_CHANNEL_ID value from the app’s metadata
- c4—carrier_version—an coreVersion value
- c5—silent—a parameter indicating if the app with the trojan module is a system app
- c6—capability—an 01|02|03|04|05|08 value;
- c7—stub_version—an agentVersion value.
In response, the trojan can receive the following commands:
- r2—cycle—to change C&C server connection intervals
- a0—applist—to receive parameters for downloading, launching and installing apps:
- a3—pkgname
- a5—appversion
- a20—versionCode
- a4—appname
- a6—brief
- a7—objecturi
- a8—objectsize
- a9—icon
- a10—start
- a11—type
- a12—action
- a13—class
- a14—extra
- a1—correlator
- a2—taskid
- a15—operation—to perform action in accordance with the specified parameter value:
- 1—to download and install an app
- 2—to download, install and run an app
- 3—to run specified app
- l0—link—to open a specified URL
- a21—caplist—to receive parameters for uninstalling apps, and for self-updating:
- a3—pkgname
- a1—correlator
- a2—taskid
- a7—objecturi
- a8—objectsize
- a5—appversion
- a15—operation — to perform an action in accordance with specified parameter value:
- 4—to uninstall specified app
- 8—to update the trojan module
Upon successful or failed task execution, the trojan connects to the C&C server at hxxp://mad[.]dwphonetest[.]com:58802/msg/post and sends a request with the task number and its status.
More details on Android.DownLoader.3894