Android malware with root privileges is making a comeback

On October 28, security researchers at the Lookout Threat Lab discovered a family of Android malware that carries root privileges and can take complete control of infected phones and other mobile devices. https://blog.lookout.com/lookout ... ng-malware-campaign

Android malware with root privileges is making a comeback



Security researchers at the Lookout Threat Lab have identified a new rooting malware distributed on Google Play and prominent third-party stores such as the Amazon Appstore and the Samsung Galaxy Store.
We named the malware “AbstractEmu” after its use of code abstraction and anti-emulation checks to avoid running while under analysis. A total of 19 related applications were uncovered, seven of which contain rooting functionality, including one on Play that had more than 10,000 downloads. To protect Android users, Google promptly removed the app as soon as we notified them of the malware.
This is a significant discovery because widely distributed malware with root capabilities has become rare over the past five years. As the Android ecosystem matures there are fewer exploits that affect a large number of devices, making them less useful for threat actors.
While rare, rooting malware is very dangerous. By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant themselves dangerous permissions or install additional malware — steps that would normally require user interaction. Elevated privileges also give the malware access to other apps’ sensitive data, something not possible under normal circumstances.



[Image: 1_lite_launcher.png]
“Lite Launcher,” an app launcher replacement, is one of the AbstractEmu apps that appeared on Google Play. It had more than 10,000 downloads.



Who is the threat actor and what do they want?
While we don’t know exactly who is behind AbstractEmu, we think the actors are a well-resourced group with financial motivation. Their code-base and evasion techniques — such as the use of burner emails, names, phone numbers and pseudonyms — are quite sophisticated. We also found parallels between the malware and banking trojans, such as the untargeted distribution of their apps and the permissions they seek.



[Image: 2_AbstractEmu_rooter_app_icons.png]
AbstractEmu disguised itself as a number of different apps, including utility apps such as password managers and system tools like app launchers or data savers. From left to right: Anti-ads Browser, Data Saver, Lite Launcher, My Phone, Night Light, All Passwords, Phone Plus.



Indiscriminate targeting
One of the major clues as to the threat actors behind AbstractEmu is based on the widespread, untargeted distribution of the apps. Of the 19 apps we found related to the malware, most of them were disguised as utility apps such as password or money managers, and system tools like file managers and app launchers. All of them appeared to be functional to the users. This includes “Lite Launcher” which had more than 10,000 downloads before it was taken off Play.
The types of vulnerabilities AbstractEmu takes advantage of also point to a goal of targeting as many users as possible, as very contemporary vulnerabilities from 2019 and 2020 are leveraged. One of the exploits used CVE-2020-0041, a vulnerability not previously seen exploited in the wild by Android apps. Another exploit targeted CVE-2020-0069, a vulnerability found in MediaTek chips used by dozens of smartphone manufacturers that have collectively sold millions of devices. As a hint to the threat actor’s technical abilities, they also modified publicly available exploit code for CVE-2019-2215 and CVE-2020-0041 in order to add support for more targets.
The way the AbstractEmu threat actor distributes these apps is also indiscriminate. In addition to Google Play, Amazon Appstore and Samsung Galaxy Store, we found them on Aptoide, APKPure and other lesser known app stores and marketplaces. In terms of promotions, we uncovered advertisements on social media and Android-related forums. While most were written in English, we did find one instance where the malware was promoted in Vietnamese. Though our telemetry showed that people in the United States were the most impacted, people from a total of 17 countries were victimized by AbstractEmu.
Parallels to banking trojans
In addition to the untargeted distribution of the app, the extensive permissions granted through root access align with other financially motivated threats we have observed before. This includes common permissions banking trojans request that provide them the ability to receive any two-factor authentication codes sent via SMS, or run in the background and launch phishing attacks. There are also permissions that allow for remote interactions with the device, such as capturing content on the screen and accessing accessibility services, which enables threat actors to interact with other apps on the device, including finance apps. Both of these are similar to the permissions requested by the Anatsa and Vultur malware families.
Beyond these, Mandrake was another financially motivated threat which had extensive spyware capabilities similar to those seen with AbstractEmu. By having complete insight into the device and its activity, the actors can tailor their attacks to the specific target and increase the likelihood of success.
Multilayer malicious flow
The threat actor behind AbstractEmu goes to great lengths to evade detection, from the initial infection through the third stage of the infection. None of the techniques is unique on its own, but deployed together as part of a campaign they indicate just how well-resourced the threat actor is.
AbstractEmu does not have any sophisticated zero-click remote exploit functionality of the kind used in advanced APT-style threats; it is activated simply by the user opening the app. As the malware is disguised as functional apps, most users will likely interact with them shortly after downloading.
Initial infection: anti-emulation and device inspection
Beyond the legitimate functionality of the trojanized apps lies a series of steps taken to ensure AbstractEmu isn’t detected, which are activated as soon as the user opens the app. The first step is to check whether the infected device is a real device or an emulator. Similar to the checks in the open-source EmulatorDetector library, the malware looks at the device’s system properties, list of installed applications and filesystem.
Once the device passes that initial analysis, the app will begin communicating with its command and control (C2) server via HTTP, expecting to receive a series of JSON commands to execute. Each app contains hard-coded commands that it supports. To decide which command to execute, the app will send a large amount of data to the C2 server, including both the commands it has support for, and device data such as the device’s manufacturer, model, version and serial number, telephone number and IP address.



[Image: 3_AbstractEmu_data_extraction.png]
To decide on what further actions to take, AbstractEmu apps send a large amount of data to the C2 server.



Other information AbstractEmu’s C2 server checks include whether the app has root access, which app was used to install the malicious app and whether the requested permissions and capabilities have been granted.
In total we found four supported commands embedded within these apps, though not all of the apps offer the same capabilities.



[Image: 4_AbstractEmu_C2_commands.png]
We saw a total of four different types of JSON commands sent from AbstractEmu’s C2 server, which are listed above.



The rooting process: the heart of the malicious flow
At the center of AbstractEmu’s infection flow is getting root access to the Android device. By rooting the device, the malware is able to silently modify the device in ways that would otherwise require user interaction and access data of other apps on the device.
To ensure the process goes smoothly, the apps are embedded with hidden, encoded files used during and after the rooting process — including exploit binaries targeting different vulnerabilities. By default, these binaries are executed in a specific order, although the C2 server can change that order based on how the device is configured.



[Image: 5_AbstractEmu_exploit_list.png]
By default, AbstractEmu malware attempts to execute these exploits in the order they are shown in this table. The C2 server can change that order based on the device’s configuration.



In addition to these binaries, the apps also contain three encoded shell scripts and two encoded binaries copied from Magisk that are used during and after the rooting process. Magisk is a tool that allows Android users to acquire root access on their devices.
Two of the shell scripts are used to execute the exploit binary, gain root and then use elevated privileges to install the Magisk components for further root access. The newly installed Magisk components are used to execute the final shell script which first extracts an APK embedded in a binary to the device.
Then the package manager is used to silently install a new app and grant it a number of intrusive permissions, such as access to contacts, call logs, SMS messages, location, camera and microphone. In addition, the app will modify settings to grant itself risky capabilities or reduce the device’s security. With these capabilities the app can be used to conduct phishing attacks and provide the actor with all the information needed for illicit access to user accounts.



[Image: 6_AbstractEmu_settings_permissions_v2.png]
The malware changes the device’s settings and grants itself risky permissions, both of which make the device easier to target.
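As an added illustration (not Lookout's code or tooling), the following Python audits text in the shape of `adb shell dumpsys package` output for the post-rooting footprint described above: a third-party package that was not installed by a known store yet holds the cluster of intrusive runtime permissions (contacts, call log, SMS, location, camera, microphone). The package names and the dump are constructed samples; Google Play's installer id (com.android.vending) is the only store listed, and a real audit would extend that set.

```python
import re

# Runtime permissions the post says the silently installed app grants itself.
INTRUSIVE = {"android.permission." + p for p in (
    "READ_CONTACTS", "READ_CALL_LOG", "READ_SMS",
    "ACCESS_FINE_LOCATION", "CAMERA", "RECORD_AUDIO")}
# Installer ids treated as store installs; a silent `pm install` from a shell
# leaves installerPackageName=null, which is exactly what we want to surface.
KNOWN_STORES = {"com.android.vending"}
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]", re.M)
INSTALLER_RE = re.compile(r"installerPackageName=(\S+)")
PERM_RE = re.compile(r"(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_packages(dump):
    """Map package name -> {installer, granted} from dumpsys-style text."""
    pkgs, heads = {}, list(PKG_RE.finditer(dump))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(dump)
        block = dump[head.end():end]          # this package's section only
        inst = INSTALLER_RE.search(block)
        installer = inst.group(1) if inst and inst.group(1) != "null" else None
        granted = {p for p, g in PERM_RE.findall(block) if g == "true"}
        pkgs[head.group(1)] = {"installer": installer, "granted": granted}
    return pkgs


def suspicious_packages(dump, threshold=4):
    """Sideloaded packages holding at least `threshold` intrusive permissions."""
    hits = []
    for pkg, info in parse_packages(dump).items():
        held = sorted(info["granted"] & INTRUSIVE)
        if info["installer"] not in KNOWN_STORES and len(held) >= threshold:
            hits.append((pkg, info["installer"], held))
    return hits


# Constructed sample in the shape of `dumpsys package` output; the package
# names are made up for illustration and are not real AbstractEmu indicators.
SAMPLE_DUMP = """\
  Package [com.example.launcher] (1a2b3c):
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.CAMERA: granted=true
  Package [com.example.settingsstorage] (4d5e6f):
    installerPackageName=null
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true
      android.permission.READ_CALL_LOG: granted=true
      android.permission.READ_SMS: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=true
      android.permission.CAMERA: granted=true
      android.permission.RECORD_AUDIO: granted=true
"""
```

Feed it the real output of `adb shell dumpsys package` to check a device; the store-installed launcher is ignored while the sideloaded package with six intrusive permissions is reported.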



The “Settings Storage” App
The silently installed app is disguised as “Settings Storage” on the Android device. If the user tries to run the app, it will exit and open the legitimate settings app. The app itself does not contain any malicious functionality, which makes it harder to detect. Instead, it depends entirely on the files that its C2 server provides during execution.
At the time of discovery, the threat actor behind AbstractEmu had already disabled the endpoints necessary to retrieve this additional payload from C2, which has prevented us from learning the ultimate aim of the attackers.
Rare or not, always keep your OS up to date
While we weren’t able to discover the purpose of AbstractEmu, we gained valuable insights into a modern, mass distributed rooting malware campaign, which has become rare as the Android platform matures.
Rooting Android or jailbreaking iOS devices are still the most invasive ways to fully compromise a mobile device. What we need to keep in mind — whether you’re an IT professional or a consumer — is that mobile devices are perfect tools for cyber criminals to exploit, as they have countless functionalities and hold an immense amount of sensitive data.
To ensure you or your organization stay secure, we recommend diligently keeping your operating system up to date. Additionally, we recommend downloading apps from official stores only, as malware taken down from these stores may still be available elsewhere. Regardless of which store you use, always exercise caution when installing unknown apps.
Of course, you should also have dedicated mobile security software to secure against all mobile threats, including phishing, OS and app vulnerabilities, malware and network threats.


Indicators of Compromise
AbstractEmu APKs (CSV available in the original post)
[Image: 7_abstractEmu_APKs.png]
File hashes – Exploit Files (CSV available in the original post)
[Image: 8_AbstractEmu_ExploitFiles.png]
File hashes – Rooting Tools (CSV available in the original post)
[Image: 9_AbstractEmu_RootingTools.png]
Network IOCs (CSV available in the original post)
[Image: 10_AbstractEmu_networkIOCs.png]



The researchers named the malware “AbstractEmu” because it uses code abstraction and anti-emulation checks to avoid running while it is being analyzed. The malware is distributed on Google Play and other third-party stores such as the Amazon Appstore and the Samsung Galaxy Store; so far 19 AbstractEmu-related apps have been found, 7 of which contain rooting functionality, and one of which had more than 10,000 downloads on Google Play.
Behind AbstractEmu is most likely a well-resourced, financially motivated group: their code base and evasion techniques are very sophisticated, and the vulnerabilities they exploit are very recent:
  • CVE-2020-0041: a brand-new vulnerability that had never before been used by malware.
  • CVE-2020-0069: a vulnerability found in MediaTek chips that may affect millions of devices.
Beyond directly exploiting these two vulnerabilities, the attackers also modified the public exploit code for CVE-2019-2215 and CVE-2020-0041 to support more devices, which is enough to show their technical ability.
Shortly after the malware was discovered, the actors behind AbstractEmu had already disabled the communication endpoints between the malware and their malicious server, leaving the software's origin impossible to verify.
In fact, malware with root privileges has become rare over the past five years: as the Android ecosystem matures, there are fewer and fewer vulnerabilities that affect large numbers of devices. But the impact of rooting malware is still alarming, because attackers gain the highest level of control over the device: they can download and install other malware, transfer files, or access other apps' sensitive data, a devastating blow to personal privacy and financial security.
Everyone is advised to update their mobile device's OS to the latest version and, as far as possible, to install apps only from official stores, to avoid being affected by malware.
