Library
My library

+ Add to library

Profile

Android.Triada.231

Added to the Dr.Web virus database: 2017-03-18

Virus description added:

SHA1:

  • 7ed01280dd254b063fecfdbf1da773df7738120a

A Trojan program for Android OS is embedded into the source code of the system library libandroid_runtime.so. In the method println_native of the class android.util.Log (core/jni/android_util_Log.cpp, platform/frameworks/base project), an additional request is added:


/*
 * In class android.util.Log:
 *  public static native int println_native(int buffer, int priority, String tag, String msg)
 */
extern "C" int xlogf_java_tag_is_on(const char *name, int level);
extern "C" int xlogf_java_xtag_is_on(const char *name, int level);
static jint android_util_Log_println_native(JNIEnv* env, jobject clazz,
        jint bufID, jint priority, jstring tagObj, jstring msgObj)
{
    const char* tag = NULL;
    const char* msg = NULL;
    if (msgObj == NULL) {
        jniThrowNullPointerException(env, "println needs a message");
        return -1;
    }
    if (bufID < 0 || bufID >= LOG_ID_MAX) {
        jniThrowNullPointerException(env, "bad bufID");
        return -1;
    }
    if (tagObj != NULL)
        tag = env->GetStringUTFChars(tagObj, NULL);
    msg = env->GetStringUTFChars(msgObj, NULL);
    int res = -1;
    int flag_m = 0;
    int count = 0;
    char new_tag[50];
    if (tag != NULL && (strncmp(tag, "@M_", 3) == 0)) {
        flag_m = 1;
        while(tag[count+3]) {
            new_tag[count] = tag[count+3];
            count++;
        }
        new_tag[count] = 0;
    }
#ifdef HAVE_XLOG_FEATURE
    if (flag_m == 1) {
        if (xlogf_java_xtag_is_on(new_tag, (android_LogPriority)priority)) {
            res = __android_log_buf_write(bufID, (android_LogPriority)priority, new_tag, msg);
        }
    } else if (xlogf_java_tag_is_on(tag, (android_LogPriority)priority)) {
      res = __android_log_buf_write(bufID, (android_LogPriority)priority, tag, msg);
    }
#else
    if (flag_m == 1) {
       res = __android_log_buf_write(bufID, (android_LogPriority)priority, new_tag, msg);
    } else {
       res = __android_log_buf_write(bufID, (android_LogPriority)priority, tag, msg);
    }
#endif
    // droi.zhanglin,20160901. add leagoo custom code
 /* qy start*/
 // TODO:渠道机型号
 __config_log_println(env,priority, tag, msg, "cf89490001");
 /* qy end*/
    if (tag != NULL)
        env->ReleaseStringUTFChars(tagObj, tag);
    env->ReleaseStringUTFChars(msgObj, msg);
    return res;
}

As a result, the specified function is called each time when an application on the infected mobile device makes a record to the system log.

Android.Triada.231 is launched for the first time when the function is called by the Zygote process. The Trojan decrypts data strings that it uses and checks the version of the operating system API and execution environment, in which it is launched. If it is a Dalvik virtual machine, Android.Triada.231 intercepts the method onCreate of the Application class in RAM, by patching the structure jmethodID corresponding to this method. The path is made an a way that it is marked as native. Then, the Trojan calls the class RegisterNatives.

Using the method java.lang.System.setProperty the malicious program changes the following system properties:

  • os.config.ppgl.dir - the name of the Trojan working directory (/data/configppgl for the Dalvik virtual machine and /sdcard/.SDAndroid for the ART virtual machine);
  • os.config.ppgl.version – parameter with value «1.3.3»;
  • os.config.ppgl.status – parameter with value «working»;
  • os.config.ppgl.cd – parameter send to Trojan function (in the described example it has value «M5 Plus Lte»).

Then, Android.Triada.231 creates its working directory.

Since when applications are launched, their processes are separated from the Zygote process, the Trojan code is automatically infiltrated into the processes of applications with the strings decrypted at the first launch of the Trojan and initialized variables.

In case Android.Triada.231 is executes on an ART virtual machine, the Trojan is not activated immediately after applications are launched, it is activated after an application makes a record to the system log. This is performed using the same function which virus writers embedded to the method println_native for initializing the Trojan.

Android.Triada.231 checks if its working directory contains the subdirectory, which name includes the value MD5of the infected process. It it finds this directory, the Trojan seeks files 32.mmd or 64.mmd (for 32-bit and 64-bit operating systems respectively). When it finds the required file, Android.Triada.231 decrypts it and saves as libcnfgp.so, then loads it to RAM using the method java.lang.System.load and deletes the decrypted copy from the device.

If the Trojan does not find the required file, the Trojan seeks the file 36.jmd, which is then decrypted and saved as mms-core.jar, then it is run using the class DexClassLoader and deleted.

As a result, Android.Triada.231 can embed malicious modules to application processes, which can perform various actions, for example, steal confidential information or change information displayed by attacked applications.

The Trojan also can extract the jar module (detected as Android.Triada.194.origin) from the modified library libandroid_runtime.so. Android.Triada.231 loads this module to the process com.android.mms when it calls the method println_native. It is performed if the tag parameter of the method println_native is different from «DownloadManager» and «MmsSystemEventReceiver» and the Trojan function is called in the attacked process at least a third time.

News about the Trojan

Curing recommendations


Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android