This LuckyCat won't bring you any luck (September 14, 2012)

The Dell SonicWALL UTM research team received reports of a new, prevalent Android backdoor Trojan spreading in the wild. When executed, the Trojan reads and writes to the file system, sends device information to a remote server and opens a backdoor. The backdoor gives the attacker remote access to the device while remaining undetected, thus bypassing the security mechanisms of the Android device.

The application requests the following permissions from the user:

  • Read Phone State
  • Access Internet and WiFi State
  • Read owner Data
  • Write to external storage

Upon installation the application appears on the device as testService. When launched, it simply displays the message “Service Start Ok” and appears idle to the user, but it performs its malicious activity in the background.

screenshot

Flow of the application
The flow of the application is shown below:

screenshot

A brief explanation of each of the critical components follows:

  1. Command and Control
    Among the components present in the code, two in particular indicate what the application does.

    screenshot

    CMainControl contains the configuration, logic and rules governing how the application behaves on the victim's device. It supports the following C&C (Command and Control) commands:

    • AR_DIRBROSOW – Browse through the directories of the device
    • AR_FILEDOWNLOAD – Download a file from the device
    • AR_FILEUPLOAD – Upload a file on the device
    • AR_ONLINEREPORT – Send some sort of report to the C&C about the device
    • AR_REMOTESHELL – Spawn a remote shell which C&C can use to interact with the device

    It has the following hardcoded C&C domain and port:

    screenshot

  2. Reporting module
    The function mSendReport uses the IP address and phone number in its reporting feature. It adds the string ejsi2ksz to an array, appends the phone number and IP address to it, and finally appends the number 369 at the end of the string.

    screenshot

  3. SIM state grabbing module
    The application can capture and send SIM-related information; this can be seen in the code below:

    screenshot

    The table below translates the different SIM states that the code identifies.

    screenshot

  4. Encryption mechanism
    The application uses an encryption mechanism to encrypt the communication between itself and the server. It performs an XOR using two specific values, 0x5 and 0x27.

    screenshot

Runtime behavior
When we run the application after installation we simply see a “Service Start Ok” message. In the background, however, the application connects to greenfuns.332.org on port 54321, sends back information about the device and listens for commands issued by the server.
We intercepted the information sent by the application to the server; it is shown below:

screenshot

Consistent with what was found in the code, the application sends the phone number (15555215554) and the IP address (127.0.0.1) of the infected device, with the strings ejsi2ksz and 369 prepended and appended to the information.
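The following Python script is an added example written for this write-up; it is not code from the sample, from SonicWALL or from the intercepted traffic. It pulls together the reporting module (item 2), the XOR mechanism (item 4) and the beacon observed at runtime into a small detector a defender could run over captured flows: it flags traffic to the hardcoded C&C endpoint and tries to decode any payload with the two XOR constants, then parses out the phone number and IP between the ejsi2ksz and 369 markers. The marker strings, XOR constants, hostname and port come from the write-up; the byte layout of the beacon (field order, a non-digit delimiter between fields) and the exact way the two XOR constants are applied are assumptions, and the sample flows are constructed, not captured.

```python
"""Detector for LuckyCat-style beacons in captured traffic.

Added example for this write-up, not code from the sample or from SonicWALL.
The write-up gives the marker strings ("ejsi2ksz" ... "369"), the XOR
constants (0x5, 0x27) and the C&C endpoint; everything else is assumed:
  - field order inside the beacon is phone number, then IP address, with a
    non-digit delimiter between fields (the real layout is not shown);
  - the XOR is applied byte-wise with both constants in sequence
    (equivalent to one XOR with 0x05 ^ 0x27 = 0x22); the decoder also
    tries each constant alone in case only one of them is applied.
"""
import re

C2_HOST = "greenfuns.332.org"   # from the write-up
C2_PORT = 54321                 # from the write-up
MARKER_START = b"ejsi2ksz"
MARKER_END = b"369"
# Candidate single-byte keys: combined key first, then each constant alone.
XOR_KEYS = (0x05 ^ 0x27, 0x05, 0x27)

# Assumed layout: marker, phone, delimiter, dotted-quad IP, marker.
BEACON_RE = re.compile(
    rb"ejsi2ksz\W*(?P<phone>\+?\d{5,15})\W+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\W*369"
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def decode_beacon(payload: bytes):
    """Return (key, plaintext) if the payload decodes to a beacon, else None.

    key is None when the markers are already visible in clear text.
    """
    if MARKER_START in payload and MARKER_END in payload:
        return None, payload
    for key in XOR_KEYS:
        plain = xor_bytes(payload, key)
        if MARKER_START in plain and MARKER_END in plain:
            return key, plain
    return None


def parse_beacon(plain: bytes):
    """Extract the phone number and IP from a decoded beacon, or None."""
    m = BEACON_RE.search(plain)
    if not m:
        return None
    return {"phone": m["phone"].decode(), "ip": m["ip"].decode()}


def inspect_flow(dst_host: str, dst_port: int, payload: bytes) -> dict:
    """Classify one captured flow; returns a verdict dict suitable for alerting."""
    verdict = {"dst": f"{dst_host}:{dst_port}", "c2_endpoint": False,
               "beacon": None, "xor_key": None}
    if dst_host == C2_HOST and dst_port == C2_PORT:
        verdict["c2_endpoint"] = True
    decoded = decode_beacon(payload)
    if decoded:
        key, plain = decoded
        verdict["xor_key"] = key
        verdict["beacon"] = parse_beacon(plain)
    return verdict


# Constructed sample flows (not captured data). The clear-text beacon uses the
# values reported in the write-up; "|" as delimiter is an assumption.
CLEAR_BEACON = b"ejsi2ksz|15555215554|127.0.0.1|369"
SAMPLE_FLOWS = [
    ("example.com", 443, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (C2_HOST, C2_PORT, xor_bytes(CLEAR_BEACON, 0x05 ^ 0x27)),
    ("10.0.0.9", 8080, xor_bytes(CLEAR_BEACON, 0x27)),  # same beacon, new host
]


def scan(flows=SAMPLE_FLOWS):
    """Return only the flows that look like LuckyCat activity."""
    return [v for v in (inspect_flow(*f) for f in flows)
            if v["c2_endpoint"] or v["beacon"]]


if __name__ == "__main__":
    for v in scan():
        print(v)
```

Matching on the beacon markers rather than only on the hostname matters because the third sample flow reaches a host the signature does not know about; the marker check still catches it once the payload is unmasked, and the recovered key is reported so an analyst can see which variant of the XOR was in use.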

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV:Luckycat.A (Trojan)
