- SHA1: c747a3a901f3076c504dc513bfcf64e8d29600ac (PrivteProvide.jar)
Description
Android.Backdoor.854.origin is a trojan application for Android-powered devices. It is a DEX file packaged in a JAR archive (PrivteProvide.jar above). The archive is copied into the targeted apps’ data directories by other trojans, notably Android.BackDoor.3104, and runs inside those apps. Its main function is to download and launch additional malicious modules (plugins) in the context of the targeted programs.
Operating routine
The trojan is started through the com.androidx.v13.PrivteProvide.getInstance(String) entry point. Once launched, it polls at short intervals for an instance of the android.app.Application class and proceeds as soon as it obtains one.
Android.Backdoor.854.origin creates the following subdirectories inside the data directories of the targeted apps:
- .cache/pt: encrypted plugin files are downloaded into this directory;
- .cache/pn: decrypted plugins are saved into this directory;
- .cache/pd: the optimized (odex) versions of the plugins are written here by the runtime when the originals are loaded through DexClassLoader; this corresponds to the optimizedDirectory argument of the DexClassLoader constructor.
The trojan then loads and launches the plugins from the pn directory. The plugins themselves are obtained from one of the C&C servers.
The connection with the C&C server
Android.Backdoor.854.origin contacts the configured C&C servers in list order, starting with the first one. If it cannot establish a connection with the current server within 24 hours, it moves on to the next one. The time of the last successful connection is stored in the successTime variable of the sp_brois_settings configuration file.
The list of C&C server URLs (defanged) is as follows:
- hxxp[:]//api[.]genetence[.]com:8300/pl2
- hxxp[:]//api[.]matriature[.]com:8300/pl2
- hxxp[:]//api[.]miretic[.]com:8300/pl2
- hxxp[:]//api[.]sensfaction[.]com:8300/pl2
- hxxp[:]//45[.]33[.]61[.]62:8300/pl2
The first request is sent 2 minutes after the thread starts; thereafter the request is repeated in an infinite loop with a 60-minute interval. The first URL in the list is tried initially, and the trojan only moves to the next URL after 24 hours without a successful connection.
The following parameters are used in the request:
Request parameter | Description |
---|---|
a_l | Android SDK version |
a_i | android_id—the unique device ID |
a_v | Application version name |
a_c | Application version code |
model | Device model |
brand | Device brand |
ver | The constant string v3 |
pack | Package name |
imsi | IMSI |
imei | IMEI |
res | Screen resolution |
sys | Whether the targeted application is a system app: 1 if yes, 0 if no |
fr | A string sent when the trojan starts |
ctm | Current time |
pft | The time elapsed since the start of the trojan module |
sn | Request signature: the MD5 hash of the concatenation a_l + a_i + a_v + a_c + "oignuowwg" + ctm (the string values of those parameters) |
The data sent to and received from the C&C server is obfuscated with a single-byte XOR. The constant in the code is 0x24D3, but the cast to byte discards all but the low 8 bits, so the effective key is 0xD3:
public static byte[] xor(byte[] data) {
    int i;
    // In-place XOR. The int result of data[i] ^ 0x24D3 is truncated to a byte,
    // which is the same as data[i] ^ 0xD3. XOR is its own inverse, so this one
    // routine both encodes requests and decodes responses.
    for(i = 0; i < data.length; ++i) {
        data[i] = (byte)(data[i] ^ 0x24D3);
    }
    return data;
}
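The following Python is an added example written for this page, not code from the trojan or from the analysis above: it rebuilds the beacon from the parameter table, computes the sn signature, and applies the transport XOR so that a captured request can be decoded or a C&C emulator can validate one. The device values are constructed, and the serialization of the parameters before the XOR (a URL-encoded form body) is an assumption, since the page does not state it.

```python
import hashlib
from urllib.parse import parse_qs, urlencode

SIGN_SALT = "oignuowwg"      # salt from the sn parameter description
TRANSPORT_KEY = 0x24D3       # constant exactly as it appears in the trojan's xor()


def xor_transport(data: bytes, key: int = TRANSPORT_KEY) -> bytes:
    """Replicate (byte)(data[i] ^ 0x24D3).

    The cast to byte keeps only the low 8 bits, so the effective key is
    0x24D3 & 0xFF == 0xD3. XOR is its own inverse: the same call encodes
    a request and decodes a captured response.
    """
    k = key & 0xFF
    return bytes(b ^ k for b in data)


def request_signature(a_l, a_i, a_v, a_c, ctm) -> str:
    """sn = md5(a_l + a_i + a_v + a_c + "oignuowwg" + ctm), hex-encoded,
    computed over the string forms of the values."""
    raw = f"{a_l}{a_i}{a_v}{a_c}{SIGN_SALT}{ctm}"
    return hashlib.md5(raw.encode()).hexdigest()


# Constructed sample device; none of these values come from a real infection.
SAMPLE_DEVICE = {
    "sdk": 28, "android_id": "9774d56d682e549c",
    "version_name": "1.0", "version_code": 1,
    "model": "SM-G950F", "brand": "samsung",
    "package": "com.example.victim", "imsi": "310150123456789",
    "imei": "356938035643809", "resolution": "1080x2220",
    "system_app": False, "fr": "start",
}


def build_beacon(device: dict, ctm: int, pft: int) -> dict:
    """Assemble the parameter set from the table above and sign it."""
    params = {
        "a_l": device["sdk"],
        "a_i": device["android_id"],
        "a_v": device["version_name"],
        "a_c": device["version_code"],
        "model": device["model"],
        "brand": device["brand"],
        "ver": "v3",
        "pack": device["package"],
        "imsi": device["imsi"],
        "imei": device["imei"],
        "res": device["resolution"],
        "sys": 1 if device["system_app"] else 0,
        "fr": device["fr"],
        "ctm": ctm,
        "pft": pft,
    }
    params["sn"] = request_signature(
        params["a_l"], params["a_i"], params["a_v"], params["a_c"], ctm)
    return params


def encode_beacon(params: dict) -> bytes:
    """Serialize and XOR-encode. ASSUMPTION: the page does not say how the
    parameters are serialized before the XOR; a URL-encoded form is assumed."""
    return xor_transport(urlencode(params).encode())


def parse_beacon(blob: bytes) -> dict:
    """Decode a captured request body back into a flat dict of strings."""
    decoded = xor_transport(blob).decode()
    return {k: v[0] for k, v in parse_qs(decoded).items()}


def verify_signature(params: dict) -> bool:
    """Recompute sn the way the server must. Because the salt is hard-coded,
    anyone who has it can forge a valid beacon; this is what a sinkhole or
    C&C emulator would check, and what flags a tampered capture."""
    expected = request_signature(params["a_l"], params["a_i"],
                                 params["a_v"], params["a_c"], params["ctm"])
    return params.get("sn") == expected


if __name__ == "__main__":
    beacon = build_beacon(SAMPLE_DEVICE, ctm=1700000000000, pft=120000)
    wire = encode_beacon(beacon)
    recovered = parse_beacon(wire)
    print(recovered["sn"], verify_signature(recovered))
```

Because sn only covers a_l, a_i, a_v, a_c and ctm, the remaining fields (including imei and imsi) can be altered on the wire without invalidating the signature; an emulator should not treat sn as proof that the whole record is authentic.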
If the server returns status code 200, the response body must be a JSON object, and its s field must equal the MD5 hash of the u field concatenated with the hard-coded string "&zhanghui18888"; only then does the trojan execute the command to download and launch plugins. Note that the hash covers u alone, not the plugin list:
JSONObject json = new JSONObject(response_body);
String s = json.getString("s");
// Accept the command only if s == md5(u + "&zhanghui18888")
if(Hash.md5(json.getString("u") + "&zhanghui18888").equals(s)) {
    .... //do work
}
The JSON returned by the C&C server contains a plugin array; each entry specifies the plugin_file, plugin_url, and plugin_size fields.
After parsing the command, the trojan deletes from the /.cache/pn directory any previously stored plugins that are not listed in the command. Plugins that are listed in the command but not yet present on the device are then downloaded into the /.cache/pt directory. The downloaded files are XOR-encrypted with the single-byte key 0xB9:
private static byte[] xor(byte[] data) {
    byte[] out = new byte[data.length];
    int i;
    // Unlike the transport routine, this one writes to a fresh buffer;
    // the key already fits in a byte, so no truncation is involved.
    for(i = 0; i < data.length; ++i) {
        out[i] = (byte)(data[i] ^ 0xB9);
    }
    return out;
}
The trojan decrypts them and places the results into the /.cache/pn directory.
All plugins present in /.cache/pn are then loaded into memory and launched in the context of the attacked applications. What they do depends on their own functionality; since they execute inside the host app's process, they can perform malicious actions with that app's permissions.
If the C&C server returns status code 206, Android.Backdoor.854.origin writes the variables "successFlag" = 1 and "successTime" = System.currentTimeMillis() to the sp_brois_settings configuration file, recording that the request to the C&C server succeeded. It does the same when it receives code 200. On code 206, however, the trojan does not download any plugins.
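Added example (Python, not the trojan's code or the analysis's own tooling) covering the response side described above: the s/u hash check, the reconciliation of /.cache/pn against the plugin list, the 0xB9 plugin decryption, and the 200/206 status handling. The sample reply and plugin bytes are constructed; the JSON key "plugin" for the array, the content of u, and the DEX/ZIP magic check on decrypted plugins are assumptions, not facts from the analysis.

```python
import hashlib
import json
import time
from typing import Optional

RESPONSE_SECRET = "&zhanghui18888"   # appended to u before hashing, per the check above
PLUGIN_KEY = 0xB9                     # XOR key for files in .cache/pt
TRANSPORT_KEY = 0x24D3 & 0xFF         # effective byte of the 0x24D3 transport key
DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; its own inverse."""
    return bytes(b ^ (key & 0xFF) for b in data)


def authenticate_response(body: bytes) -> Optional[dict]:
    """The trojan's acceptance test for an HTTP 200 body: it must parse as a
    JSON object and s must equal md5(u + "&zhanghui18888"). Returns the parsed
    command or None. The hash binds only u; the plugin list is unsigned."""
    try:
        obj = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(obj, dict) or not isinstance(obj.get("u"), str):
        return None
    expected = hashlib.md5((obj["u"] + RESPONSE_SECRET).encode()).hexdigest()
    return obj if obj.get("s") == expected else None


def plan_plugin_sync(command: dict, installed: set):
    """Reconcile .cache/pn with the command: plugins on disk but absent from
    the command are deleted; plugins in the command but not on disk are
    downloaded. ASSUMPTION: the array lives under the key "plugin"; the page
    names the array but not its key."""
    wanted = {p["plugin_file"]: p for p in command.get("plugin", [])}
    to_delete = sorted(installed - set(wanted))
    to_download = [p for name, p in wanted.items() if name not in installed]
    return to_delete, to_download


def decrypt_plugin(blob: bytes, plugin_size: Optional[int] = None) -> bytes:
    """Undo the 0xB9 XOR on a .cache/pt file. The size and magic checks are
    analyst-side sanity checks, not behaviour the trojan is documented to have."""
    plain = xor_bytes(blob, PLUGIN_KEY)
    if plugin_size is not None and len(plain) != plugin_size:
        raise ValueError("length %d != plugin_size %d" % (len(plain), plugin_size))
    if not (plain.startswith(DEX_MAGIC) or plain.startswith(ZIP_MAGIC)):
        raise ValueError("decrypted payload is neither DEX nor JAR/ZIP")
    return plain


def process_response(status: int, raw_body: bytes, installed: set, settings: dict):
    """Model the status-code logic: 200 and 206 both mark success in
    sp_brois_settings; only 200 is decoded and parsed for plugins."""
    if status in (200, 206):
        settings["successFlag"] = 1
        settings["successTime"] = int(time.time() * 1000)
    if status != 200:
        return [], []
    command = authenticate_response(xor_bytes(raw_body, TRANSPORT_KEY))
    if command is None:
        return [], []
    return plan_plugin_sync(command, installed)


# --- constructed sample data (not captured traffic) -------------------------
SAMPLE_PLAIN_PLUGIN = b"dex\n035\x00" + bytes(24)      # 32-byte fake DEX header
SAMPLE_ENCRYPTED_PLUGIN = xor_bytes(SAMPLE_PLAIN_PLUGIN, PLUGIN_KEY)


def make_sample_response() -> bytes:
    """Build a signed reply as the C&C would send it, then transport-XOR it."""
    body = {
        "u": "20240101",   # opaque; the page does not say what u carries
        "plugin": [
            {"plugin_file": "a.jar", "plugin_url": "http://c2.invalid/a", "plugin_size": 32},
            {"plugin_file": "b.jar", "plugin_url": "http://c2.invalid/b", "plugin_size": 32},
        ],
    }
    body["s"] = hashlib.md5((body["u"] + RESPONSE_SECRET).encode()).hexdigest()
    return xor_bytes(json.dumps(body).encode(), TRANSPORT_KEY)


if __name__ == "__main__":
    settings = {}
    delete, download = process_response(200, make_sample_response(),
                                        {"a.jar", "old.jar"}, settings)
    print(delete, [p["plugin_file"] for p in download], settings)
    print(decrypt_plugin(SAMPLE_ENCRYPTED_PLUGIN, 32)[:8])
```

Because the plugin list is not covered by s, anyone positioned between the device and the C&C who knows the secret string can substitute their own plugin_url entries while keeping a valid s; when emulating the server for analysis, the same property lets you feed the sample any plugin you like.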