SHA1: 14215a93ed5d0a86f31aab0b2d7be6db8a45a371
Description
Android.Pandora.2 is a backdoor trojan designed to target Android devices. Its main functionality includes carrying out DDoS attacks and executing remote commands on a victim's device.
Operating routine
The Android.Pandora.2 malicious program was discovered during an investigation into infections of the system partition of an Android TV box model. The infection itself presumably occurred through exploitation of an unpatched Android OS vulnerability.
The backdoor is installed into the system storage area with a number of additional components. During the infection analysis, the following files were identified:
- /system/bin/pandoraspearrk;
- /system/bin/supervisord;
- /system/bin/rootsudaemon.sh (in some cases, the preinstall.sh file can be installed, instead of the rootsudaemon.sh);
- /system/bin/s.conf;
- /system/xbin/busybox;
- /system/bin/curl.
The pandoraspearrk file is the Android.Pandora.2 trojan itself.
The supervisord file is a supervisor tool that monitors the status of a target executable and relaunches it if it terminates. In this case it monitors the backdoor, using the configuration from the s.conf file.
The busybox and curl files represent the non-malicious instruments BusyBox (a set of UNIX tools of various functionality) and curl (a utility for transferring data via different network protocols).
The rootsudaemon.sh and preinstall.sh files are scripts. The former launches supervisord with root privileges and has the structure shown below:
```sh
#!/system/bin/sh
/system/xbin/daemonsu --auto-daemon &
/system/bin/supervisord -c /system/bin/s.conf &
```
The latter creates a number of directories, installs APK packages, and launches supervisord. It has the following structure:
```sh
#!/system/bin/sh
MARK=/sdcard/symbol_thirdpart_apks_installed
PKGS=/system/preinstall/
MARK1=/data/local/symbol_xbmc_file_coped
ANDROID_DIR=/sdcard/Android
DATA_DIR=/sdcard/Android/data
if [ ! -e $MARK ]; then
    echo "booting the first time, so pre-install some APKs."
    busybox find $PKGS -name "*\.apk" -exec sh /system/bin/pm install {} \;
    touch $MARK
    echo "OK, installation complete."
fi
if [ ! -e $MARK1 ]; then
    echo "booting the first time, so pre-install some APKs."
    echo "lml in kodi.sh22!!!"
    if [ ! -e $ANDROID_DIR ];then
        echo "no android dir ,we need make android dir first."
        log -t cw "lml in kodi.sh33!!!"
        busybox mkdir /sdcard/Android
    fi
    log -t cw "lml in kodi.sh44!!!"
    if [ ! -e $DATA_DIR ];then
        echo "no android dir ,we need make data dir first."
        log -t cw "lml in kodi.sh55!!!"
        busybox mkdir /sdcard/Android/data
    fi
    log -t cw "lml in kodi.sh66!!!"
    rm /sdcard/Android/data/org.xbmc.kodi/ -rf
    busybox unzip -o /system/media/org.xbmc.kodi.zip -d /sdcard/Android/data/
    touch $MARK1
    echo "OK, installation complete."
fi
/system/bin/supervisord -c /system/bin/s.conf &
```
In particular, it installs the Kodi® media center app for Android TV (org.xbmc.kodi).
Interaction with the C&C server
To connect to the C&C server, the backdoor reads its address from the command-line parameters or from the /data/.ms file, which has been encrypted with a Blowfish algorithm, or it uses a built-in list:
- ok3[.]mflve[.]com
- pcn[.]panddna[.]com
- apz[.]bsaldo[.]com
- abcr[.]ftsym1[.]com
Next, it verifies whether the /htv and /koocan directories are present. These directories are subsequently used to store a copy of the new version of the backdoor when the self-update command is executed.
The trojan connects to the server on the received address and forms a string with an id, as shown below:
1000@12.00-00.00-10000000@0002@
The numeric fields of this string vary depending on whether the trojan was able to read /dev/block/hide, /dev/block/mtdblock5, or /dev/block/mtdblock4 and obtain the corresponding data from there.
The resulting string is encrypted with the Blowfish algorithm using the key zAw2xidjP3eHQ, encoded with a modified Base64, and sent to the C&C server. In response, Android.Pandora.2 receives a command.
Commands executed
Commands received by the backdoor are sent in the <...>@<a command>@<an argument #1>@<an argument #2>@... format.
Command | Name | Arguments | Description |
---|---|---|---|
11 | addns | tmpdnsip, tmpdns | Add a record to /etc/hosts. |
12 | del_dns | host | Remove a record from /etc/hosts. |
21 | | URL | Perform an auto-update of the trojan. |
31 | syn | host (and optionally a network port) | Execute a DDoS attack on the targeted host through port 80, or through the port given in the command's arguments. |
32 | udp | host | Execute a DDoS attack via the UDP protocol. |
33 | icmp | host | Execute a DDoS attack via the ICMP protocol. |
34 | mix | host | Execute a DDoS attack via ICMP, UDP, and SYN simultaneously. |
35 | smurf | host | Execute a DDoS attack via the ICMP protocol. |
36 | tagr3 | host (an IP address or a host name) | Execute a DDoS attack. |
37 | cc | Unknown | Start a thread to execute the commanded task. |
38 | dnsflood | Unknown | Execute a DNS query flood attack. |
88 | shell | host, port | Open a reverse shell to host:port (or to /system/bin/sh, or to ksh). |
110 | stopall | | Stop all processes performing DDoS attacks (for each DDoS command received, 50 processes are created by default). |
3000 | lbs | Unknown, IP | Write a C&C server address to /data/.ms and connect to that server. |
5000 | | URL | Write a C&C server address to /data/.ms. |
5555 | | Unknown | Update the C&C server address in /data/.ms. |
6269 | | A command | Mount the /system partition read-write, execute the command, write its output to the log, then remount /system read-only. |
Substitution of /etc/hosts
Upon connecting to the C&C server, Android.Pandora.2 receives a link for downloading a hosts file prepared by the attackers. This file is encrypted with the Blowfish algorithm and encoded with a modified Base64.
The backdoor decrypts this hosts file and then uses it to replace the original system file located in /etc/hosts.
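The following triage helper is an added example, not part of this description or of the malware. It checks an offline copy of an Android TV box filesystem for the indicators listed above: the dropped files in /system/bin, the /data/.ms address store, the /htv and /koocan update directories, the supervisord launch line in the two scripts, and the built-in C&C domains inside /etc/hosts. It assumes the device's /system, /data and /etc trees were pulled into a local directory (passed as `$1`, e.g. via `adb pull`); the function name and output format are mine.

```shell
#!/bin/sh
# Added triage helper (not from the Dr.Web entry): scan a pulled copy of a device
# filesystem rooted at $1 for Android.Pandora.2 indicators. Nothing here runs on
# the device itself; it only inspects local files.

pandora_triage() {
    root="$1"
    hits=0

    # Files dropped into the system partition, the Blowfish-encrypted C&C address
    # store (/data/.ms) and the directories used to stage self-updates.
    for f in system/bin/pandoraspearrk system/bin/supervisord system/bin/rootsudaemon.sh \
             system/bin/preinstall.sh system/bin/s.conf data/.ms htv koocan; do
        if [ -e "$root/$f" ]; then
            echo "indicator present: /$f"
            hits=$((hits + 1))
        fi
    done

    # Both launcher scripts end by starting supervisord with the s.conf config.
    for s in system/bin/rootsudaemon.sh system/bin/preinstall.sh; do
        if [ -f "$root/$s" ] && grep -q 'supervisord -c /system/bin/s.conf' "$root/$s"; then
            echo "launcher script starts supervisord: /$s"
            hits=$((hits + 1))
        fi
    done

    # The backdoor edits or replaces /etc/hosts; look for its built-in C&C domains
    # there. The list is kept defanged and the [.] markers are undone for matching.
    if [ -f "$root/etc/hosts" ]; then
        for d in 'ok3[.]mflve[.]com' 'pcn[.]panddna[.]com' 'apz[.]bsaldo[.]com' 'abcr[.]ftsym1[.]com'; do
            dom=$(printf '%s' "$d" | sed 's/\[\.\]/./g')
            if grep -Fq "$dom" "$root/etc/hosts"; then
                echo "C&C domain in /etc/hosts: $d"
                hits=$((hits + 1))
            fi
        done
    fi

    # The last output line is the total indicator count for easy scripting.
    echo "$hits"
}
```

A count of zero means none of the listed indicators were found in the pulled tree; any positive count warrants a closer look at the matched paths.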