The Android Trojan preinstalled in Amazon Tablets is in Google Play as well

Friday, November 13, 2015

Researchers from Cheetah Mobile have found Trojans preinstalled in some cheap Amazon tablets that are very hard to remove. But here at ElevenPaths we have found that a version of this Trojan is present right now in Google Play, hidden as an HTML5 games application. The malware has been dubbed "Cloudsota".

The app, still in Google Play, made by the same gang behind "Cloudsota".

The Trojan found by Cheetah Mobile is preinstalled in tablets, restores itself after reboots if deleted, hijacks the browser homepage and downloads apps from some servers to install them silently if the device is rooted (which, in these tablets, is very likely). We found very similar behaviour in a Google Play app: it downloads apps from the same servers and has quite similar code. What we can be sure of is that it is made by the same people behind Cloudsota, although maybe with enough changes to be able to get into the official market.

How it works

Once the apps found by Cheetah were analyzed, thanks to Tacyt we found a strong correlation with just one out of the 4.6 million apps in our database. It has been in Google Play since August 2015. This app, on boot or when the user becomes present (unlocks the screen), calls a method called "b" inside the com.android.ThreeTyCon.c class, which visits the site hxxp://union.dengandroid.com/getconfig and sends some interesting information.
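The pivot just described, starting from the Cheetah Mobile samples and looking across a corpus for apps that share their servers, libraries and code, can be sketched in code. What follows is an added example and not code from the post, ElevenPaths or Tacyt: the record layout, the rarity-weighted scoring and every app record are constructed for illustration (Tacyt's actual data model is not described here), while the indicators union.dengandroid.com, libshellcmd.so and com.android.ThreeTyCon.c are the ones named in the post.

```python
"""Pivot from known-bad samples to lookalikes through shared attributes.

Added example, not code from ElevenPaths or Tacyt: the record layout and the
rarity-weighted scoring are assumptions made for illustration, and every app
record is constructed. Real indicators from the post: the union.dengandroid.com
config server, libshellcmd.so and com.android.ThreeTyCon.c.
"""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AppRecord:
    package: str
    hosts: frozenset        # hostnames found in strings or observed traffic
    native_libs: frozenset  # .so files bundled under lib/
    classes: frozenset      # notable class names from the dex

    def attributes(self):
        """Tag each value by kind so a host and a library with equal text do not merge."""
        return ({f"host:{h}" for h in self.hosts}
                | {f"lib:{l}" for l in self.native_libs}
                | {f"class:{c}" for c in self.classes})


# Two records standing in for the Cheetah Mobile tablet samples (constructed).
KNOWN_BAD = [
    AppRecord("tablet.firmware.sampleA", frozenset({"union.dengandroid.com"}),
              frozenset({"libshellcmd.so"}), frozenset({"com.android.ThreeTyCon.c"})),
    AppRecord("tablet.firmware.sampleB", frozenset({"union.dengandroid.com"}),
              frozenset({"libshellcmd.so", "libutil.so"}), frozenset({"com.android.ThreeTyCon.c"})),
]

# A tiny stand-in for the market corpus (constructed; package names are fictitious).
CORPUS = [
    AppRecord("html5.games.candidate", frozenset({"union.dengandroid.com", "ads.airpush.example"}),
              frozenset({"libshellcmd.so"}), frozenset({"com.android.ThreeTyCon.c", "com.airpush.Ad"})),
    AppRecord("notes.benign", frozenset({"api.notes.example"}),
              frozenset(), frozenset({"com.notes.Main"})),
    AppRecord("puzzle.adfunded", frozenset({"ads.airpush.example"}),
              frozenset({"libgame.so"}), frozenset({"com.puzzle.Main", "com.airpush.Ad"})),
    AppRecord("flashlight.adfunded", frozenset({"ads.airpush.example"}),
              frozenset(), frozenset({"com.airpush.Ad"})),
]


def attribute_rarity(records):
    """log(N / document frequency): an attribute present in every app weighs 0,
    one seen in a handful of apps out of millions weighs a lot."""
    counts = Counter()
    for rec in records:
        counts.update(rec.attributes())
    n = len(records)
    return {attr: math.log(n / c) for attr, c in counts.items()}


def score_candidates(known_bad, corpus):
    """Rank corpus apps by rarity-weighted overlap with the known-bad attribute set.
    Returns (package, score, sorted shared attributes) tuples, highest score first."""
    bad_attrs = set().union(*(rec.attributes() for rec in known_bad))
    rarity = attribute_rarity(list(corpus) + list(known_bad))
    ranked = []
    for rec in corpus:
        shared = rec.attributes() & bad_attrs
        ranked.append((rec.package, sum(rarity[a] for a in shared), sorted(shared)))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for package, score, shared in score_candidates(KNOWN_BAD, CORPUS):
        print(f"{package:24s} {score:5.2f}  {', '.join(shared) or '-'}")
```

Weighting each shared attribute by how rare it is across the whole corpus is what makes one hit out of millions meaningful. In the constructed corpus the Airpush SDK appears in three apps but in none of the known-bad records, so it contributes nothing to the ranking; only the config server, the native library and the loader class, all rare and all shared with the tablet samples, push the HTML5 games candidate to the top.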

JSON sent to the server before being encoded
After sending some encoded personal information (email, MAC address, whether the device is rooted, etc.), it finally downloads (also encoded) a dex file called business.dex. We guess the file may differ depending on the information previously sent.

The code to download and use business.dex
This business.dex is terribly obfuscated and contains most of the malicious code. business.dex is also programmed to download different versions of business_X.dex (the X depends on the configuration of the device), which we suppose makes its behaviour quite unpredictable.

If the busybox utility is found on the device, it tries to load libraries and to install and uninstall apps. This is done just before business.dex is downloaded; we guess this is to uninstall any antivirus the user may have just before downloading the (even more) malicious code, which is more likely to be detected.

Trying to uninstall code

As far as we know, neither the app itself nor business.dex contains code to survive and reinstall itself after a reboot or to hijack the homepage, but it definitely could, as we can see some references in the code.

It may hijack the homepage

Aside from that, it shares with the Cheetah samples the use of a very particular library, libshellcmd.so.

It uses libshellcmd.so, shared with Cloudsota

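Taken together, the boot / user-present trigger, the download of business.dex and business_X.dex, the busybox-driven install and uninstall step and the libshellcmd.so library form a behaviour pattern that can be checked for statically. The following is an added example, not code from the post, ElevenPaths or Tacyt: it scores the string table of a classes.dex against that pattern. The Android intent constants and the DexClassLoader / DexFile.loadDex APIs are real, but the post does not say which loader API the sample uses, so matching them is an assumption; the weights, thresholds and the three sample string tables are constructed, and the Cloudsota artefacts are the ones the post names. The generic-loader sample shows that the check also covers the broader pattern (unlock-triggered dynamic code loading) when no Cloudsota indicator is present.

```python
"""String-table triage for the loader behaviour described in the post.

Added example, not code from the post, ElevenPaths or Tacyt. Input is the
string table of a classes.dex (what a dex parser or `strings` yields). The
Android intent constants and the DexClassLoader / DexFile.loadDex APIs are
real; the post does not say which loader API the sample uses, so matching
them is an assumption. Cloudsota artefacts are the ones the post names.
Weights, the threshold and the three sample string tables are constructed.
"""
import re

# (rule name, pattern, weight); weights are an assumption for this example.
RULES = [
    ("trigger_boot",    re.compile(r"android\.intent\.action\.BOOT_COMPLETED"), 1),
    ("trigger_unlock",  re.compile(r"android\.intent\.action\.USER_PRESENT"), 1),
    ("dynamic_dex",     re.compile(r"dalvik/system/DexClassLoader|\bloadDex\b"), 2),
    ("busybox",         re.compile(r"\bbusybox\b"), 2),
    ("cloudsota_host",  re.compile(r"union\.dengandroid\.com"), 4),
    ("cloudsota_dex",   re.compile(r"\bbusiness(_\w+)?\.dex\b"), 3),
    ("cloudsota_lib",   re.compile(r"libshellcmd\.so"), 3),
    ("cloudsota_class", re.compile(r"com[./]android[./]ThreeTyCon"), 3),
]


def triage(strings, threshold=6):
    """Score one string table. Returns score, per-rule matches and a verdict:
    'cloudsota-like' when loader behaviour or a high score coincides with a
    Cloudsota artefact, 'suspicious' for a boot/unlock-triggered dynamic loader
    or a high score on its own, 'clean' otherwise."""
    hits = {}
    for name, pattern, _ in RULES:
        matched = sorted({s for s in strings if pattern.search(s)})
        if matched:
            hits[name] = matched
    score = sum(weight for name, _, weight in RULES if name in hits)
    triggered_loader = "dynamic_dex" in hits and bool(
        set(hits) & {"trigger_boot", "trigger_unlock"})
    cloudsota = any(name.startswith("cloudsota_") for name in hits)
    if cloudsota and (triggered_loader or score >= threshold):
        verdict = "cloudsota-like"
    elif triggered_loader or score >= threshold:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"score": score, "hits": hits, "verdict": verdict}


# Constructed string tables. The URL is kept defanged (hxxp) as in the post.
SUSPECT_STRINGS = [
    "Lcom/android/ThreeTyCon/c;",
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
    "Ldalvik/system/DexClassLoader;",
    "hxxp://union.dengandroid.com/getconfig",
    "business.dex",
    "files/business_3.dex",
    "busybox",
    "libshellcmd.so",
    "rooted", "mac", "email",
]

# A plugin-style loader with none of the Cloudsota artefacts: still worth a look.
GENERIC_LOADER_STRINGS = [
    "android.intent.action.USER_PRESENT",
    "Ldalvik/system/DexClassLoader;",
    "https://cdn.example.net/plugin.jar",
]

# Listening for boot alone is common in legitimate apps and must not trip the check.
BENIGN_STRINGS = [
    "Lcom/notes/MainActivity;",
    "android.intent.action.BOOT_COMPLETED",
    "https://api.notes.example/sync",
    "notes.db",
]


if __name__ == "__main__":
    for label, table in (("suspect", SUSPECT_STRINGS),
                         ("generic loader", GENERIC_LOADER_STRINGS),
                         ("benign", BENIGN_STRINGS)):
        result = triage(table)
        print(f"{label:15s} score={result['score']:2d} verdict={result['verdict']}"
              f" rules={sorted(result['hits'])}")
```

The verdict deliberately separates the behaviour (a receiver for boot or unlock plus dynamic dex loading) from the Cloudsota-specific artefacts: the former is what the post describes as the dangerous part and will survive a rebuild of the sample, while the host name, file name and library are cheap for the authors to change, which is why they only raise the score rather than decide on their own.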
The app in Google Play is detected by some antiviruses, but most of them flag it not because of this behaviour but because it contains some Airpush SDK code. Airpush was classified as a potentially unwanted adware SDK by antiviruses a long time ago. It is also interesting that the app has been downloaded between 5,000 and 10,000 times, but only 3 votes have been given.

Too many downloads for so few votes...

That makes us think of some kind of artificial boost with fake downloads made by the same developers to improve its search ranking.

Sergio de los Santos
ssantos@11paths.com

Miguel Ángel García 
miguelangel.garcia@11paths.com
