Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Android.Pandora.2

Added to the Dr.Web virus database: 2023-03-10

Virus description added:

SHA1: 14215a93ed5d0a86f31aab0b2d7be6db8a45a371

Description

Android.Pandora.2 is a backdoor trojan designed to target Android devices. Its main functionality includes carrying out DDoS attacks and executing remote commands on a victim's device.

Operating routine

The Android.Pandora.2 malicious program was discovered during an investigation into cases of infection occurring in the system partition of an Android TV box model. The infection itself presumably occurred via an unpatched Android OS vulnerability exploitation.

The backdoor is installed into the system storage area with a number of additional components. During the infection analysis, the following files were identified:

  • /system/bin/pandoraspearrk;
  • /system/bin/supervisord;
  • /system/bin/rootsudaemon.sh (in some cases, the preinstall.sh file can be installed, instead of the rootsudaemon.sh);
  • /system/bin/s.conf;
  • /system/xbin/busybox;
  • /system/bin/curl.

The file pandoraspearrk is itself an Android.Pandora.2 trojan.

The file supervisoid is a supervisor tool that monitors the status of the targeted executable and launches it again if its operation was terminated. In this particular case, it monitors the backdoor’s status, and it uses the configuration from the s.conf file.

The busybox and curl files represent the non-malicious instruments BusyBox (a set of UNIX tools of various functionality) and curl (a utility for transferring data via different network protocols).

The rootsudaemon.sh and preinstall.sh files are scripts. The former launches the supervisoid file with root privileges and has the structure shown below:

    
    #!/system/bin/sh
    /system/xbin/daemonsu --auto-daemon &
    /system/bin/supervisord -c /system/bin/s.conf &
    

The latter creates a number of directories, installs APK packets, and launches the supervisoid file. It has the following structure.

  
    
    #!/system/bin/sh
    MARK=/sdcard/symbol_thirdpart_apks_installed
    PKGS=/system/preinstall/
    MARK1=/data/local/symbol_xbmc_file_coped
    ANDROID_DIR=/sdcard/Android
    DATA_DIR=/sdcard/Android/data
    if [ ! -e $MARK ]; then
    echo "booting the first time, so pre-install some APKs."
    busybox find $PKGS -name "*\.apk" -exec sh /system/bin/pm install {} \;
    touch $MARK
    echo "OK, installation complete."
    fi
    if [ ! -e $MARK1 ]; then
    echo "booting the first time, so pre-install some APKs."
    echo "lml in kodi.sh22!!!"
    if [ ! -e $ANDROID_DIR ];then
    echo "no android dir ,we need make android dir first."
    log -t cw "lml in kodi.sh33!!!"
    busybox mkdir /sdcard/Android
    fi
    log -t cw "lml in kodi.sh44!!!"
    if [ ! -e $DATA_DIR ];then
    echo "no android dir ,we need make data dir first."
    log -t cw "lml in kodi.sh55!!!"
    busybox mkdir /sdcard/Android/data
    fi
    log -t cw "lml in kodi.sh66!!!"
    rm /sdcard/Android/data/org.xbmc.kodi/ -rf
    busybox unzip -o /system/media/org.xbmc.kodi.zip -d /sdcard/Android/data/
    touch $MARK1
    echo "OK, installation complete."
    fi
    /system/bin/supervisord -c /system/bin/s.conf &
    

In particular, it installs Kodi® media center (org.xbmc.kodi), a media center app for Android TV.

Interaction with the C&C server

To connect to the C&C server, the backdoor reads its address from the command-line parameters or from the /data/.ms file, which has been encrypted with a Blowfish algorithm, or it uses a built-in list:

  • ok3[.]mflve[.]com
  • pcn[.]panddna[.]com
  • apz[.]bsaldo[.]com
  • abcr[.]ftsym1[.]com

Next, it verifies whether the /htv and /koocan directories are present. These directories are subsequently used to store a copy of the new version of the backdoor when the self-update command is executed.

The trojan connects to the server on the received address and forms a string with an id, as shown below:

1000@12.00-00.00-10000000@0002@

At the same time, the numerical contents of this line may vary, depending on whether the trojan has obtained access to /dev/block/hide, /dev/block/mtdblock5, or /dev/block/mtdblock4, and has gotten the particular data from there.

The resulting string is encoded with a Blowfish algorithm, using a zAw2xidjP3eHQ key; converted into a modified Base64; and transferred to the C&C server. In response, Android.Pandora.2 receives a command.

Commands executed

Commands received by the backdoor are sent in the <...>@<a command>@<an argument #1>@<an argument #2>@... format.

Command Name Aruments Description
11 addns tmpdnsip, tmpdns To add a record into /etc/hosts.
12 del_dns host To remove a record from /etc/hosts.
21 URL To perform an auto update of the trojan app.
31 syn host (and optionally a network port) To execute a DDoS attack on a targeted host through port 80, or through the port listed in the command’s arguments.
32 udp host To execute a DDoS attack via the UDP protocol.
33 icmp host To execute a DDoS attack via the ICMP protocol.
34 mix host To execute a DDoS attack via the ICMP, UDP, and SYN protocols simultaneously.
35 smurf host To execute a DDoS attack via the ICMP protocol.
36 tagr3 host (an IP address or a host name) To execute a DDoS attack.
37 сс Unknown To start a thread to execute a commanded task.
38 dnsflood Unknown To execute a DNS Query Flood-type attack.
88 shell host, port To open a Reverse Shell to host:port (or to /system/bin/sh, or to ksh).
110 stopall To stop all processes performing DDoS attacks (for each DDoS attack command received, 50 processes are created by default).
3000 lbs Unknown, IP To write a C&C server address into /data/.ms and connect to this server.
5000 URL To write a C&C server address into /data/.ms.
5555 Unknown To update a С&C server address in /data/.ms.
6269 A command To mount the /system partition in rw mode, to execute a command, to write the command output into the log, to mount the /system partition in ro mode.

Substitution of the /etc/hosts

Upon connecting to the C&C server, Android.Pandora.2 receives a link for downloading the hosts file the attackers need. This file is encoded with a Blowfish algorithm and encoded with a modified Base64.

The backdoor decrypts this hosts file and then uses it to replace the original system file located in /etc/hosts.

Curing recommendations


Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android