- SHA1: ac633643a7130c5ced5672841dbc91ff92737ae6
Description
Android.FakeUpdates.1.origin is a trojan embedded into the system application responsible for Over-the-Air (OTA) firmware updates in some Android devices. This particular sample is built into the /system/priv-app/ThirdPartyFOTA.apk (com.fota.wirelessupdate) application, while there are also modifications built into other programs.
Android.FakeUpdates.1.origin executes various Lua scripts that it then uses to download and install other software without user notice.
The trojan is disguised as com.google.android.gcm library and has a com.google.android.gcm.GCMBaseIntentService malicious service. In this case, the attackers utilized particular names of the package and a class from the Google Cloud Messaging SDK platform, which is now obsolete and was replaced by the Firebase Cloud Messaging platform.
Operating routine
The Android.FakeUpdates.1.origin has the following broadcast receiver:
<receiver android:name="com.google.android.gcm.GCMBroadcastReceiver">
<intent-filter android:priority="1000000">
<action android:name="android.intent.action.BOOT_COMPLETED"/>
<action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
<action android:name="android.intent.action.TIMEZONE_CHANGED"/>
<action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
<action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
<action android:name="com.google.android.gcm.action"/>
</intent-filter>
</receiver>
When the system events specified in it occur, an android.app.AlarmManager class is used to set a task to launch the com.google.android.gcm.GCMBaseIntentService trojan service once per hour.
When the GCMBaseIntentService service is created, binary Lua files are unpacked from the license_01 or license_03 archives. The archive from which the files are to be extracted is selected according to the infected device’s CPU architecture:
| CPU architecture | The extracted file |
|---|---|
| Armeabi | license_01 |
| armeabi-v7a | license_01 |
| arm64-v8a | license_03 |
| x86 | license_01 |
| x86_64 | license_03 |
Upon the service’s launch, the BootEntry() function is called from the boot trojan script. With that, in order to execute Lua scripts, a luajava instrument is used. It allows them to use Java classes and access the Android API.
A program implemented in Lua language periodically connects to the following C&C servers: :
- hxxp[:]//statistics[.]flurrydata[.]com
- hxxp[:]//106[.]184.5.78
Also, there is a third server address, which is generated based on the current date:
- "http://boot.b" + md5("202207")[1:8] + ".net"
The 202207 parameter in this case is compiled from the current year and month values.
Thus, if access to other servers is lost, Android.FakeUpdates.1.origin will be able to automatically connect to new domain names registered by malicious actors.
The first request to the C&C server has an action="check" parameter. In this request, various information is sent, including the unique trojan ID, as well as the value of its environment variables (working directories, the configuration, the versions of the boot and worker scripts, the com.google.android.gcm malicious package version, the Android SDK version, etc).
In response, Android.FakeUpdates.1.origin receives the following commands:
- register
- upgrade
- info
The “register” command
The trojan receives the user UID and its configuration..
The “upgrade” command
The trojan downloads from the C&C server and then unpacks a ZIP archive containing binary Lua scripts. The main script typically has the name worker. Once downloaded successfully, they are called from the boot script. With that, worker.WorkerEntry() is called from the BootEntry() function, and worker.WorkerStart() is called from the BootStart() function. During our analysis, we detected scripts that were installing and uninstalling apps with the help of the pm install -r and pm uninstall commands.
The “info” command
The trojan sends detailed information about the infected device, including the mobile phone number, to the C&C server:
- PhoneType—the type of mobile phone (GSM, CDMA, SIP или NONE);
- DeviceID—the device’s IMEI;
- PhoneNumber—the mobile phone number;
- NetworkCountry—the country ID;
- NetworkOperatorName—the name of the service provider;
- NetworkType—the mobile network type;
- SimCountry—the country the particular SIM belongs to;
- SimName—Service provider Name, or SPN, and (SPN, Service provider Name);
- SimNumber—SIM card serial number, if available.
Also, the fields of the android.os.Build class are sent:
- MODEL—device model name;
- DISPLAY—the ID of the operating system build;
- TIME—the time of the operating system build’s creation;
- ID—the label or the change list number;
- BOARD—the device’s motherboard name;
- BOOTLOADER—the version of the operating system bootloader;
- BRAND—the device’s brand name;
- DEVICE—the device’s industrial design name;
- HARDWARE—the name of the hardware platform;
- MANUFACTURER—the device’s manufacturer;
- PRODUCT—the product name;
- VERSION.RELEASE—the version of the operating system;
- VERSION.CODENAME—the codename of the operating system, and;
- VERSION.SDK_INT—the SDK version of the OS.
How the non-malicious part of the application operates
The program’s non-malicious portion, which is responsible for the firmware update, receives the required URLs from the GCMBaseIntentService.readFotaConfig(this) method. This method calls the BootReadFotaConfig function from the boot trojan script.
The downloaded updates are installed both via the corresponding RecoverySystem.installPackage() method of the Android OS and using the pm install command. The latter can also be used to install and uninstall individual programs.
Because the URLs are retrieved from the trojan component of the application, malware can also be downloaded in addition to firmware updates.
The known addresses to which the application connects in order to receive firmware updates are as follows:
- hxxp[:]//app[.]fota.digitimetech[.]com
- hxxp[:]//s1[.]fotaservice[.]com
- hxxp[:]//112[.]124.58.101
