Android Windseeker with injection and hooking mechanisms (Oct 3, 2014)
Instant messengers are a commonplace these days and it is quite normal to have an average of at least 3 instant messengers on a smartphone. Tencent has been emerging as a big player in the instant messaging market with QQ and WeChat dominating the Chinese market with staggering number of active users that range in millions. Due to the huge popularity of these messengers we have observed a number of services that claim to “monitor” QQ and WeChat activity of employees, spouse or anyone in general for a certain fee. Dell SonicWALL Threats Research team received reports of an Android Malware that does something similar, it spies the activity of QQ and WeChat messengers on the victims device and sends this information over to a server without the victims knowledge.
All the collected logs are transmitted to tin[removed].com where they can be viewed:
Infection Cycle
The Trojan asks for the following permissions during installation:
- Internet
- Write External Storage
- Get Tasks
- Write Settings
- Receive Boot Complete
- Read Phone State
- Access Network State
The app appears in the app drawer as wind seeker, upon clicking the app requests for root permission on the device. The app disappears from the app drawer a few moments after it is opened but it runs in the background via the service ProcessMonitor.
Owing to root privileges wind seeker is able to drop the following helper files from its assets folder to different folders on the device, these files aid it in monitoring QQ and Wechat messengers:
- competing_su dropped at /system/xbin/
- conn.jar dropped at /data/data/qy/
- libcall.so dropped at /system/lib/
- inject_appso dropped at /system/bin/
The code for competing_su contains a list of Chinese mobile based security apps, there have been instances in the past where Trojans have tried to disable/uninstall security apps present on the device. That did not happen for this case, however these security apps did deem wind seeker as malicious and advised us to remove it:
Ptrace system call can be used by one process to control and manipulate the execution of another process. DexClassLoader can be used by an Android application to dynamically load a jar package. This Trojan uses a combination of these two techniques to first inject libcall.so onto the messengers and then load conn.jar, which it previously dropped at /data/data/qy, through libcall.so .
Conn.jar contains majority of the code for Hooking onto the chat messengers and monitor chat messages in real-time:
During our analysis even though root permissions were given to the app it did not successfully transmit the stolen information, however we observed code to access Contact Information, send Chat History to the remote server, access QQ app database for additional information stored by the app among other things:
Overall this threat is tailored towards monitoring user activity related to QQ and WeChat messengers. Considering the usage of these messengers in general, there is a good probability that a high amount of sensitive/personal information is shared by them. Coupled with the fact that these messengers are installed on millions of devices, this is a very potent threat for the Android ecosystem.
The mechanism used by this threat can be related to a keylogger. The legality of a keylogger is often determined by the way in which it is used. Similarly it can be debated that tools which monitor messenger or other activity on a mobile device fall under the same category. At the end of the day it is the users responsibility to understand what an app will be doing before permissions are granted to it. This post further highlights the dangers of installing apps from non-market sources as well as rooting the mobile device. A rooted device can be tailored to our liking but it also opens the door for such malicious entities and other risks.
Dell SonicWALL Gateway Antivirus provides protection against this threat via the following signature:
- GAV: AndroidOS.Windseeker (Trojan)
- GAV: AndroidOS.Windseeker.Main (Trojan)
- GAV: AndroidOS.Windseeker.Conn (Trojan)
