Android/Stiniter.A!tr

Analysis

Android/Stiniter.A!tr is a malware for Android mobile phones. It has been reported in third party markets. It roots the mobile phone and silently installs other malware on it. It communicates with a remote C&C from which it receives commands to download other packages, or send SMS messages.

Technical Details

The malware consists of a malicious service named GameUpdateService. In the Android Manifest:

<service android:name="com.gamebox.service.GameUpdateService" />

As soon as the service is launched, it collects personal information such as phone's IMEI, model, screensize, phone number, number of the SMS center etc, and formats the information in XML as follows:

<?xml version="1.0" encoding="UTF-8"?>
<Request>
	<MobileInfo>
	 <Imei>IMEI</IMEI>
	 <Model>MODEL</Model>
	 <ScreenSize>SCREENSIZE</Screensize>
	 <PlatForm>PLATFORM</PlatForm>
	 <Os>OS</Os>
	 <SmsCenter>SMS CENTER</SmsCenter>
	 <PhoneNumber>NUMBER</PhoneNumber>
        </MobileInfo>

The Model corresponds to Build.MODEL from which spaces are removed. The Screensize corresponds to the width of the screen followed by the height. The separator between width and height is an 'x', i.e 300x600. The Platform corresponds to the version of Android the phone uses, such as 2.2.
The phone number and the SMS center are initialized to the value of the SMSC of a well-known Chinese operator.
Then, the malicious service starts a thread that do the following tasks if /system/bin/keeper does not already exist:

• test if /data/data/android.gdwsklzz.com exists, if not create this directory
• create a new /data/data/android.gdwsklzz.com/sys.info file (delete it and re-create if it already exists)
• dump the XML object into /data/data/android.gdwsklzz.com/sys.info
• copy various raw resource files to /data/data/android.gdwsklzz.com, then make then world read-write-executable (chmod 777)
• start another thread that will execute the raw resource 'start'
• execute the raw resource 'initr'

The following raw resources are packed with the malware:

• android.info
• googlemessage.apk, googleservice.apk, unlock.apk: malicious Android packages, that get silently installed by the malware. We will detail how below.
• initr: this ARM executable contains the so-called exploid exploit which abuses of the lack of authentication of kernel object event messages. The exploit is used to gain local root access on the mobile phone, and subsequently install other malicious packages without having to ask for user's consent.
  Precisely, initr will:
  1. run the exploit to root the phone
  2. copy the other malicious packages (googleservice.apk, unlock.apk, googlemessage.apk) to the system directory (possible because the phone has been rooted)
  3. chmod 0644 the packages
  4. copy android.info to /system/bin/android.info and do chmod 777
  5. copy keeper and ts to /system/bin and do chmod 04711
  6. chmod 04755 on /system/bin/sh
• start: this executable will start /system/bin/keeper
• keeper: this executable is responsible of keeping the phone infected. In particular, it ensures that the ts executable is runnable, and if necessary copies it in the right directory with appropriate rights.
• ts: this is the most complex malicious executable embedded in the malware. It contains an important part of the malicious payload

The malicious executable ts does the following:

• remount the system drive read-write (possible because the phone has been rooted)
• does chmod 777 /system/etc
• installs the 3 embedded malicious APKs and deletes the APK afterwards
• prevents the system to suspend by writing to /sys/power/wake_lock
• starts each embedded malicious APK (am broadcast -a action, where the action is a specific action registered by the APK)

Ts communicates with one C&C among:

http://www.v[CENSORED]e.com/tgloader-android
http://www.v[CENSORED]o.com/tgloader-android
http://www.v[CENSORED]g.com/tgloader-android
http://www.v[CENSORED]n.com/tgloader-android

It reports its activity by posting to:

http://C&C/HeartBeat.do

It gets new packages to download via

http://C&C/GetPackage.do

gets the polling interval time:

http://C&C/GetRequestInterval.do

reports file download or push message status via:

http://C&C/ReportDownStatus.do 
http://C&C/ReportPushMessageStatus.do 

The precise action for each URL hasn't been analyzed, but we know that the malware sends HTTP GET or POST requests to the following requests using the User-Agent Opera/8.0 (Macintosh; PPC Mac OS X; U; en), and that the objects it posts are XML objects that contain various information such as phone's IMEI, malware's version, list of malicious APK installed.
Ts also shows the ability to update the main APK.
Executable ts also shows the ability to emulate random or specific clicks on the touchscreen of the mobile phone. The reason for this isn't clear yet, it could be to make sure the phone does not go in sleep mode.
The embedded malware googlemessage.apk is in charge of sending SMS messages. This APK is quite small. It reads the SMS to send from a file named /dev/fifo1 and populated through communication between ts and the C&C. This file is formatted as follows:

mobile phone number
content

The malware then sends an SMS to the given phone number with the specified content.
The embedded malware googleservice.apk is also quite simple. It consists of a service which is started when the phone boots, and whose beginning is similar to the beginning of the malware: it dumps the XML info object into /data/data/com.google.updateservice/sys.info and starts /system/bin/keeper.
Part of the process of googleservice.apk seems redundant with the initial main malware and we have not found explanations for it, apart making sure the malware is run.

Recommended Action

FortiGate Systems

• Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
  FortiClient Systems
  
• Quarantine/delete files that are detected and replace infected files with clean backup copies.