Android malware hides malicious code in a Library file (April 8, 2015)

Over the last few years there has been a steady rise in unique offensive techniques employed by Android malware to breach and infect a victim’s mobile device. This evolution is reflected on the defensive side as well with malware writers conjuring clever ways to evade anti-virus engines thereby protecting their creations while allowing them to infect and spread. Dell SonicWall Threats Research Team analyzed one such malware that uses a novel defensive mechanism to shield itself from being detected while it infects a victim’s device and amasses sensitive data from it.

To understand the potency of this technique better, let's look at the contents of a generic Android application:

The classes.dex file has been one of the best places to start when analyzing malicious APKs, as it contains the Java classes that typically carry the malicious code. The file is in dex format, but with a decompiler one can recover the class files that may harbor malicious code. Unsurprisingly, many anti-virus engines extract the classes.dex file and perform static analysis on it to judge whether a sample is malicious. Recently, a number of malicious samples started shipping some of their malicious components in library files that form part of the Android APK. These rogue applications use the libraries once the entire application is installed on the device, thereby distributing the malicious code over multiple places.

Raising the bar up a notch, a new Android malware stores all of its malicious content in a native shared library (.so) file placed in the lib folder as libTitaniumCore.so. This .so file is loaded as a native library by the classes in classes.dex. As a result, classes.dex by itself contains no malicious content; it simply refers to content saved elsewhere. The figure below shows malicious code being exported from libTitaniumCore.so and loaded as a library by the classes present in classes.dex:
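For triage, the split described above means classes.dex and the lib folder have to be examined together. The following added example (not code from the SonicWall analysis) inventories the native libraries packaged in an APK and checks whether classes*.dex references each one by its System.loadLibrary name; the APK it inspects is a constructed stand-in built in memory, not the sample discussed here.

```python
import io
import re
import zipfile

# Constructed sample: a minimal APK-like zip mirroring the layout described in the text.
# Neither entry holds real code; the .so files are bare ELF headers and the dex is a stub
# whose string pool mentions "TitaniumCore" and "loadLibrary".
ELF_MAGIC = b"\x7fELF"
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as z:
    z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16 + b"TitaniumCore\x00loadLibrary\x00")
    z.writestr("lib/armeabi/libTitaniumCore.so", ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 64)
    z.writestr("lib/armeabi/libhelper.so", ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 64)
    z.writestr("assets/notalib.so", b"not an elf file")  # outside lib/, not loadable
SAMPLE_APK_BYTES = _buf.getvalue()

# APK native libraries live at lib/<abi>/lib<name>.so; <name> is what loadLibrary takes.
LIB_RE = re.compile(r"^lib/([^/]+)/lib(.+)\.so$")

def native_libs(apk_bytes):
    """Return {loadLibrary name: [abis]} for every genuine ELF under lib/<abi>/."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            m = LIB_RE.match(name)
            if m and z.read(name)[:4] == ELF_MAGIC:
                found.setdefault(m.group(2), []).append(m.group(1))
    return found

def dex_bytes(apk_bytes):
    """Concatenate classes.dex, classes2.dex, ... so string searches cover all of them."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return b"".join(z.read(n) for n in z.namelist() if re.fullmatch(r"classes\d*\.dex", n))

def triage(apk_bytes):
    """For each native library, record its ABIs and whether the dex string pool names it.
    Dex strings are MUTF-8, but plain ASCII library names are searchable byte-for-byte."""
    dex = dex_bytes(apk_bytes)
    report = {lib: {"abis": sorted(abis), "referenced_from_dex": lib.encode() in dex}
              for lib, abis in native_libs(apk_bytes).items()}
    report["_loadLibrary_in_dex"] = b"loadLibrary" in dex
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_APK_BYTES).items():
        print(key, value)
```

A library that is present and referenced from the dex, as libTitaniumCore.so is here, is the one to put through native analysis rather than stopping at the decompiled Java.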

Infection Cycle:

During installation, the Android application package (APK) requests the following permissions:

  • Receive Boot Completed
  • Receive SMS
  • Write SMS
  • Read SMS
  • Send SMS
  • Internet
  • Write External Storage
  • Read Phone State
  • Read Contacts
  • Write Contacts
  • Access Network State
  • Read Call Log
  • Write Call Log
  • Call Phone
  • Process Outgoing Calls
  • Broadcast Sticky
  • Wake Lock
  • Record Audio
  • Modify Audio Settings
  • Write Settings
  • Kill Background Processes
  • Access WiFi State

Once the apk is started on the device, it requests that the user grant it Device Administrator privileges. In doing so, the malware can be more stealthy in completing its operations. Next, it removes its icon from the application drawer but continues to run in the background with services praesunt and adipiscing as shown in the figure below:


Let's look at what the services do:

  • praesunt – Activates the MAINSTART feature along with the second service adipiscing
  • adipiscing – Activates the features MSGUPLOAD, VOCUPLOAD and SCRUPLOAD
  • pipeline – Starts the MAINSTART feature after every reboot, records and stores voice calls which are later sent to the server

The malware has a set of features that perform specific operations as listed below:

  • MAINSTART
    • Checks and starts the praesunt service thereby making sure the malware is active on the device
    • Captures sensitive user information such as Phone number, OS and MAC address

  • MSGUPLOAD
    • Collects SMS related data on the device and sends it to the server
  • VOCUPLOAD
    • Collects call related information on the device and sends it to the server
  • SCRUPLOAD
    • Monitors and sends status of the device screen which can be active (indicating that user is using the phone) or standby (indicating the phone might not be in active use)

The APK tries to set itself as the default SMS application, which enables it to silently access all SMS functionality on the device. The APK also tries to kill processes belonging to com.kakao.talk, a Korean instant messaging application. Statistics indicate that more than 93% of mobile devices in South Korea have Kakao Talk installed, suggesting that this malware may target a specific demography.

Overall this malware comes with a set of features that are aimed towards capturing sensitive user information, specifically with the help of SMS and calls performed from the device. The malware executes these operations in a stealthy way thanks to the device administrator privileges that a less careful user may grant. But the main highlight of this malware is its novel mechanism to hide its malicious functionality in the guise of a library file, which may escape the eyes of anti-virus engines and malware researchers.

This malware adds yet another technique to the ever-expanding list of offensive and defensive capabilities being introduced by malware writers for the Android ecosystem. More such devious mechanisms can be expected in the future.

Dell SonicWALL blocks this threat via the following signature:

  • GAV: AndroidOS.Titanium (Trojan)

APK details:

  • Package Name: com.Titanium.Gloves
  • MD5: 40271c85ade6db263ce496cd51943518
