Trojan for Android masked under an update for OpenGL ES

Doctor Web specialists have found in the Google Play catalog a piece of malware that lets attackers remotely control infected Android devices and spy on their users.

The malicious program was given the identifier Android.Backdoor.736.origin and was distributed disguised as an application called OpenGL Plugin, supposedly intended to check the installed version of the OpenGL ES graphics API and download updates for it.

Once launched, the malware requests several important system permissions that let it collect sensitive information and work with the file system. It also tries to obtain the right to display its own windows on top of the interface of other applications:

  1. android.permission.ACCESS_COARSE_LOCATION;
  2. android.permission.READ_CONTACTS;
  3. android.permission.GET_ACCOUNTS;
  4. android.permission.READ_PHONE_STATE;
  5. android.permission.READ_EXTERNAL_STORAGE;
  6. android.permission.WRITE_EXTERNAL_STORAGE.

In the window of the malicious application there is a button to “check” for OpenGL ES updates. After it is clicked, the Trojan simulates a search for new versions of OpenGL ES, but in reality it performs no check at all and only misleads the user.

After the victim closes the application window, the backdoor hides its icon from the home screen and creates a shortcut for launching itself. This makes the malware harder to remove, since deleting the shortcut does not affect the malware itself.

The backdoor is constantly active in the background and can be launched not only via the icon or shortcut, but also automatically at system startup and on command from the attackers via Firebase Cloud Messaging.

The main malicious functionality of the Trojan is hidden in an auxiliary file that is stored encrypted in the program's resources directory. It is decrypted and loaded into memory each time the Trojan starts. The backdoor communicates with several command-and-control servers (http: //wand.gasharo********.com, http: //heal.lanceb********.com), from which it receives commands and to which it sends the collected data.


Malware can perform the following actions:

  1. sending information on contacts from the contact list to the server;
  2. sending information on text messages to the server (the investigated version of the Trojan did not have the permissions for this);
  3. sending the phone call history to the server;
  4. sending the device location to the server;
  5. downloading and launching an APK or a DEX file using the DexClassLoader class;
  6. sending the information on the installed software to the server;
  7. downloading and launching a specified executable file;
  8. downloading a file from the server;
  9. uploading a specified file to the server;
  10. transmitting information on files in the specified directory or a memory card to the server;
  11. executing a shell command;
  12. launching the activity specified in a command;
  13. downloading and installing an Android application;
  14. displaying a notification specified in a command;
  15. requesting permission specified in a command;
  16. sending the list of permissions granted to the Trojan to the server;
  17. not letting the device go into sleep mode for a specified time period.

All data transmitted to the server is encrypted with the AES algorithm. Each request is protected by a unique key that is generated from the current time, and the same key is used to encrypt the server's response.
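A key that depends only on the current time is effectively no secret to an analyst who holds a traffic capture with timestamps. The following Go program is an added illustration, not code from the report or from the malware: it assumes a constructed derivation (SHA-256 of the Unix second, truncated to an AES-128 key) and a constructed AES-CBC framing with a zero IV and PKCS#7 padding, then shows how an incident responder can recover the per-request key from a captured message by trying every second around the capture time and checking for a plaintext prefix the protocol is known to use.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
)

// deriveKey stands in for a key derived only from a Unix timestamp (constructed; the report gives no details).
func deriveKey(ts int64) []byte {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], uint64(ts))
	sum := sha256.Sum256(buf[:])
	return sum[:16] // AES-128 key
}
// encryptCBC models the client side: AES-CBC, PKCS#7 padding, zero IV (constructed scheme).
func encryptCBC(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 16 bytes from deriveKey
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, padded)
	return out
}
// decryptCBC reverses encryptCBC; ok is false on malformed input or padding, which is how most wrong-key guesses fail.
func decryptCBC(key, ct []byte) ([]byte, bool) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, false
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, ct)
	pad := int(out[len(out)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(out[len(out)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, false
	}
	return out[:len(out)-pad], true
}
// recoverTimestamp is the analyst side: given the capture time of a request and a known plaintext prefix,
// try every second within +/-window seconds and keep the first key whose decryption fits.
func recoverTimestamp(ct []byte, seen, window int64, prefix []byte) (int64, []byte, bool) {
	for ts := seen - window; ts <= seen+window; ts++ {
		if pt, ok := decryptCBC(deriveKey(ts), ct); ok && bytes.HasPrefix(pt, prefix) {
			return ts, pt, true
		}
	}
	return 0, nil, false
}
```

The search space is a few hundred candidates at most, which is why a time-derived key gives the attackers no real confidentiality and gives defenders a cheap way to read captured command traffic.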

Researchers write that the Trojan is able to install applications in several ways at once:

  1. automatically, if the system has root access (using shell commands);
  2. using the system package manager (only for system software);
  3. showing the standard system installation dialog, where the user must agree to the installation.

“As you can see, this backdoor is a serious threat. Not only does it act as spyware, but it can also be used for phishing because it can display windows and notifications with any content. It can also download and install any other malicious application, as well as execute arbitrary code. For example, at the command of attackers, Android.Backdoor.736.origin can download and launch an exploit to obtain root privileges. It will then no longer need the user’s permission to install other programs,” Doctor Web specialists report.

Doctor Web notified Google about the threat, and the malicious application has already been removed from Google Play.

About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
