Topic: Trojan Hides in ROM of Chinese Android Devices

[Pez]

Trojan Hides in ROM of Chinese Android Devices

In China, some mobile phone geeks like to refresh their Android machines with images from the Internet. For some mobile phone dealers, this makes good business. They can earn extra money from refreshing phone ROMs for those users who want to erase a lot of useless applications in the original ROMs.

However, making an Android ROM image is not very difficult, which makes refreshing Android devices dangerous. Once malware has been added to an image, it is hard to get rid of it.

Last week, McAfee Labs acquired a sample found in some Android images from China. Among other interesting behavior, it downloads JavaScript code from a control server, and runs the code within WebView. McAfee Labs detects this threat as Android/Huigezi.A.

Android/Huigezi.A runs at boot up, and when SMS messages come in and calls go out. It runs as a service in the background, and poses as a system service. Once started, it sets up a timer to restart itself every 30 minutes.



Malware “service” running in the background.

The malware sends sensitive information–IMEI, IMSI and OS version–to a remote server, and get a response string in JSON format. The string contains nonstandard Base64-encoded JavaScript code. The malware injects the code to a piece of HTML, and writes it to a file under “/data/data/com.android.systemservice/cache/webviewCache/” on the device. The filename is the integer value of the current time.



("click the images to make them larger")

Posting sensitive information to the control server.

The following image shows one of the HTML files being injected with the malicious encoded JavaScript.



HTML altered by the encoded JavaScript.

The decoded JavaScript:



Decoded JavaScript.

Android/Huigezi.A sets up the binding of classes with a JavaScript interface for the HTML, and loads the HTML in the WebView client. The functions in the dex file will be executed by the JavaScript in the HTML.



Adding a JavaScript interface.

The payloads of this malware depend on the JavaScript downloaded from the control server. According to its code, the malware can take the following actions:

  • Send SMS messages
  • Post sensitive information–IMEI, IMSI, device model name, phone number, carrier name–to remote server
  • Download some install packages and install them silently
  • Retrieve SMS messages and store them to a hash map
  • Set up SMS messages to be blocked
  • Download a dex file, and load the class in it
  • Create a shell for the remote server



Creating a shell.

Android/Huigezi.A is very different than other mobile Trojans. It is more flexible for hackers to launch attacks and harder for victims to become aware of its presence. Most important: It could hide in an Android image. Users probably need to refresh their ROM images, or get root privileges and uninstall the malware with command tools, not easy task for most people.


Original article: By Michael Zhang on Apr 02, 2014