Android.FakeUpdates.1.origin

Added to the Dr.Web virus database: 2017-06-08

Virus description added:

Android.FakeUpdates.1.origin
  • SHA1: ac633643a7130c5ced5672841dbc91ff92737ae6

Description

Android.FakeUpdates.1.origin is a trojan embedded into the system application responsible for Over-the-Air (OTA) firmware updates in some Android devices. This particular sample is built into the /system/priv-app/ThirdPartyFOTA.apk (com.fota.wirelessupdate) application, while there are also modifications built into other programs.

Android.FakeUpdates.1.origin executes various Lua scripts that it then uses to download and install other software without the user's knowledge.

The trojan is disguised as the com.google.android.gcm library and contains a malicious service named com.google.android.gcm.GCMBaseIntentService. The attackers reused the names of a package and a class from the Google Cloud Messaging SDK platform, which is now obsolete and was replaced by the Firebase Cloud Messaging platform.

Operating routine

Android.FakeUpdates.1.origin has the following broadcast receiver:


  <receiver android:name="com.google.android.gcm.GCMBroadcastReceiver">
      <intent-filter android:priority="1000000">
          <action android:name="android.intent.action.BOOT_COMPLETED"/>
          <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
          <action android:name="android.intent.action.TIMEZONE_CHANGED"/>
          <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
          <action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
          <action android:name="com.google.android.gcm.action"/>
      </intent-filter>
  </receiver>

When any of the system events specified in it occurs, the android.app.AlarmManager class is used to schedule the launch of the com.google.android.gcm.GCMBaseIntentService trojan service once per hour.

When the GCMBaseIntentService service is created, binary Lua files are unpacked from the license_01 or license_03 archives. The archive from which the files are to be extracted is selected according to the infected device’s CPU architecture:

| CPU architecture | The extracted file |
|------------------|--------------------|
| armeabi          | license_01         |
| armeabi-v7a      | license_01         |
| arm64-v8a        | license_03         |
| x86              | license_01         |
| x86_64           | license_03         |

Upon the service’s launch, the BootEntry() function is called from the boot trojan script. The Lua scripts are executed with the luajava tool, which allows them to use Java classes and access the Android API.

A program implemented in the Lua language periodically connects to the following C&C servers:

  • hxxp[:]//statistics[.]flurrydata[.]com
  • hxxp[:]//106[.]184.5.78

Also, there is a third server address, which is generated based on the current date:

  • "http://boot.b" + md5("202207")[1:8] + ".net"

The 202207 parameter in this case is compiled from the current year and month values.

Thus, if access to other servers is lost, Android.FakeUpdates.1.origin will be able to automatically connect to new domain names registered by malicious actors.
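For defenders, the date-based address above can be precomputed and matched against DNS logs. The following is an added example, not code from the trojan or from the original write-up; the log format, function names and sample lines are constructed, and because the [1:8] notation can be read as either a 1-based or a 0-based range, both readings are generated.

```python
import hashlib
from datetime import date


def month_seeds(start, months):
    """Yield 'YYYYMM' seeds for `months` consecutive months beginning at `start`."""
    year, month = start.year, start.month
    for _ in range(months):
        yield f"{year}{month:02d}"
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)


def candidate_domains(seed):
    """Return both plausible hostnames for one seed.

    The write-up gives md5(seed)[1:8]. Read as a 1-based inclusive range
    (Lua string.sub(s, 1, 8)) that is the first 8 hex characters; read as a
    0-based slice it is characters 2..8. Which one the sample uses is an
    assumption, so both are emitted.
    """
    digest = hashlib.md5(seed.encode("ascii")).hexdigest()
    return {f"boot.b{digest[0:8]}.net", f"boot.b{digest[1:8]}.net"}


def build_watchlist(start, months):
    """Map every candidate hostname to the seed that produced it."""
    return {d: s for s in month_seeds(start, months) for d in candidate_domains(s)}


def match_queries(log_lines, watchlist):
    """Return (timestamp, client, qname, seed) for queries that hit the watchlist."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:               # skip malformed lines
            continue
        ts, client, qname = fields
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        if qname in watchlist:
            hits.append((ts, client, qname, watchlist[qname]))
    return hits


if __name__ == "__main__":
    wl = build_watchlist(date(2022, 7, 1), 12)
    # Constructed sample log in the assumed format "<timestamp> <client-ip> <qname>"
    sample = [f"2022-07-03T10:00:00Z 10.0.0.5 {sorted(wl)[0].upper()}.",
              "2022-07-03T10:00:01Z 10.0.0.6 example.org."]
    for hit in match_queries(sample, wl):
        print(hit)
```

The watchlist can be regenerated for any month range and loaded into a resolver blocklist or a log search.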

The first request to the C&C server has an action="check" parameter. In this request, various information is sent, including the unique trojan ID, as well as the values of its environment variables (working directories, the configuration, the versions of the boot and worker scripts, the com.google.android.gcm malicious package version, the Android SDK version, etc.).

In response, Android.FakeUpdates.1.origin receives the following commands:

  • register
  • upgrade
  • info

The “register” command

The trojan receives the user UID and its configuration.

The “upgrade” command

The trojan downloads a ZIP archive containing binary Lua scripts from the C&C server and unpacks it. The main script is typically named worker. Once downloaded successfully, the scripts are called from the boot script: worker.WorkerEntry() is called from the BootEntry() function, and worker.WorkerStart() is called from the BootStart() function. During our analysis, we detected scripts that were installing and uninstalling apps with the help of the pm install -r and pm uninstall commands.

The “info” command

The trojan sends detailed information about the infected device, including the mobile phone number, to the C&C server:

  • PhoneType—the type of mobile phone (GSM, CDMA, SIP or NONE);
  • DeviceID—the device’s IMEI;
  • PhoneNumber—the mobile phone number;
  • NetworkCountry—the country ID;
  • NetworkOperatorName—the name of the service provider;
  • NetworkType—the mobile network type;
  • SimCountry—the country the particular SIM belongs to;
  • SimName—the Service Provider Name (SPN);
  • SimNumber—SIM card serial number, if available.

Also, the fields of the android.os.Build class are sent:

  • MODEL—device model name;
  • DISPLAY—the ID of the operating system build;
  • TIME—the time of the operating system build’s creation;
  • ID—the label or the change list number;
  • BOARD—the device’s motherboard name;
  • BOOTLOADER—the version of the operating system bootloader;
  • BRAND—the device’s brand name;
  • DEVICE—the device’s industrial design name;
  • HARDWARE—the name of the hardware platform;
  • MANUFACTURER—the device’s manufacturer;
  • PRODUCT—the product name;
  • VERSION.RELEASE—the version of the operating system;
  • VERSION.CODENAME—the codename of the operating system;
  • VERSION.SDK_INT—the SDK version of the OS.

How the non-malicious part of the application operates

The program’s non-malicious portion, which is responsible for the firmware update, receives the required URLs from the GCMBaseIntentService.readFotaConfig(this) method. This method calls the BootReadFotaConfig function from the boot trojan script.

The downloaded updates are installed both via the corresponding RecoverySystem.installPackage() method of the Android OS and using the pm install command. The latter can also be used to install and uninstall individual programs.

Because the URLs are retrieved from the trojan component of the application, malware can also be downloaded in addition to firmware updates.

The known addresses to which the application connects in order to receive firmware updates are as follows:

  • hxxp[:]//app[.]fota.digitimetech[.]com
  • hxxp[:]//s1[.]fotaservice[.]com
  • hxxp[:]//112[.]124.58.101

Curing recommendations


Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

© Doctor Web
2003 — 2022