SHA1:
- 7ed01280dd254b063fecfdbf1da773df7738120a
A Trojan program for Android OS is embedded into the source code of the system library libandroid_runtime.so. In the method println_native of the class android.util.Log (core/jni/android_util_Log.cpp, platform/frameworks/base project), an additional request is added:
/*
* In class android.util.Log:
* public static native int println_native(int buffer, int priority, String tag, String msg)
*/
extern "C" int xlogf_java_tag_is_on(const char *name, int level);
extern "C" int xlogf_java_xtag_is_on(const char *name, int level);
static jint android_util_Log_println_native(JNIEnv* env, jobject clazz,
jint bufID, jint priority, jstring tagObj, jstring msgObj)
{
const char* tag = NULL;
const char* msg = NULL;
if (msgObj == NULL) {
jniThrowNullPointerException(env, "println needs a message");
return -1;
}
if (bufID < 0 || bufID >= LOG_ID_MAX) {
jniThrowNullPointerException(env, "bad bufID");
return -1;
}
if (tagObj != NULL)
tag = env->GetStringUTFChars(tagObj, NULL);
msg = env->GetStringUTFChars(msgObj, NULL);
int res = -1;
int flag_m = 0;
int count = 0;
char new_tag[50];
if (tag != NULL && (strncmp(tag, "@M_", 3) == 0)) {
flag_m = 1;
while(tag[count+3]) {
new_tag[count] = tag[count+3];
count++;
}
new_tag[count] = 0;
}
#ifdef HAVE_XLOG_FEATURE
if (flag_m == 1) {
if (xlogf_java_xtag_is_on(new_tag, (android_LogPriority)priority)) {
res = __android_log_buf_write(bufID, (android_LogPriority)priority, new_tag, msg);
}
} else if (xlogf_java_tag_is_on(tag, (android_LogPriority)priority)) {
res = __android_log_buf_write(bufID, (android_LogPriority)priority, tag, msg);
}
#else
if (flag_m == 1) {
res = __android_log_buf_write(bufID, (android_LogPriority)priority, new_tag, msg);
} else {
res = __android_log_buf_write(bufID, (android_LogPriority)priority, tag, msg);
}
#endif
// droi.zhanglin,20160901. add leagoo custom code
/* qy start*/
// TODO:渠道机型号
__config_log_println(env,priority, tag, msg, "cf89490001");
/* qy end*/
if (tag != NULL)
env->ReleaseStringUTFChars(tagObj, tag);
env->ReleaseStringUTFChars(msgObj, msg);
return res;
}
As a result, the specified function is called each time when an application on the infected mobile device makes a record to the system log.
Android.Triada.231 is launched for the first time when the function is called by the Zygote process. The Trojan decrypts data strings that it uses and checks the version of the operating system API and execution environment, in which it is launched. If it is a Dalvik virtual machine, Android.Triada.231 intercepts the method onCreate of the Application class in RAM, by patching the structure jmethodID corresponding to this method. The path is made an a way that it is marked as native. Then, the Trojan calls the class RegisterNatives.
Using the method java.lang.System.setProperty the malicious program changes the following system properties:
- os.config.ppgl.dir - the name of the Trojan working directory (/data/configppgl for the Dalvik virtual machine and /sdcard/.SDAndroid for the ART virtual machine);
- os.config.ppgl.version – parameter with value «1.3.3»;
- os.config.ppgl.status – parameter with value «working»;
- os.config.ppgl.cd – parameter send to Trojan function (in the described example it has value «M5 Plus Lte»).
Then, Android.Triada.231 creates its working directory.
Since when applications are launched, their processes are separated from the Zygote process, the Trojan code is automatically infiltrated into the processes of applications with the strings decrypted at the first launch of the Trojan and initialized variables.
In case Android.Triada.231 is executes on an ART virtual machine, the Trojan is not activated immediately after applications are launched, it is activated after an application makes a record to the system log. This is performed using the same function which virus writers embedded to the method println_native for initializing the Trojan.
Android.Triada.231 checks if its working directory contains the subdirectory, which name includes the value MD5of the infected process. It it finds this directory, the Trojan seeks files 32.mmd or 64.mmd (for 32-bit and 64-bit operating systems respectively). When it finds the required file, Android.Triada.231 decrypts it and saves as libcnfgp.so, then loads it to RAM using the method java.lang.System.load and deletes the decrypted copy from the device.
If the Trojan does not find the required file, the Trojan seeks the file 36.jmd, which is then decrypted and saved as mms-core.jar, then it is run using the class DexClassLoader and deleted.
As a result, Android.Triada.231 can embed malicious modules to application processes, which can perform various actions, for example, steal confidential information or change information displayed by attacked applications.
The Trojan also can extract the jar module (detected as Android.Triada.194.origin) from the modified library libandroid_runtime.so. Android.Triada.231 loads this module to the process com.android.mms when it calls the method println_native. It is performed if the tag parameter of the method println_native is different from «DownloadManager» and «MmsSystemEventReceiver» and the Trojan function is called in the attacked process at least a third time.
