SHA1 hashes:
- f3732871371819532416cf2ec03ea103a3d61802 (/system/xbin/vo1d)
- 675f9a34f6f8dc887e47aa85fffda41c178eb186 (decrypted payload)
Description
This is a component of the malicious backdoor Android.Vo1d, which was detected in the system storage area of a number of Android-based TV box models. Its functionality includes:
- Decrypting the payload;
- Sending a launch report to the C&C server;
- Launching the Android.Vo1d.3 component;
- Downloading and running binary files from target URLs.
Operating routine
Decrypting the payload
Android.Vo1d.1 extracts and decrypts the payload from itself, using the XXTEA algorithm with the key fPNH830ES23QOPIM*&S955(2WR@L*&GF. The resulting object is loaded into the RAM. In fact, this is the main body of Android.Vo1d.1 that performs malicious tasks.
Sending the launch report to the C&C server
Android.Vo1d.1 sends a POST request to hxxp[:]//bitemores[.]com/api/start:
| POST | hxxp[:]//bitemores[.]com/api/start |
|---|---|
| User-Agent | curl/7.64.0 |
| Accept | */* |
| Content-Type | application/json;charset=UTF-8 |
An example of a request:
{
"c": "-1",
"ct": "2024-07-22 19:15:15",
"dt": "0",
"g": "10",
"gt": "0",
"i": "31",
"nn": "/data/local/tmp/vo1d",
"pd": "10993",
"t": "0",
"u": "1",
"ud": "0",
"uid": "",
"v": "10",
"vc": "",
"vt": ""
}
where:
- c — has the value 0 if the component wd is present on the device, or the value -1 if this component cannot be found;
- ct — the current time;
- i — the Android API version;
- u — the location of the component wd;
- nn — the path to the Android.Vo1d.1 executable;
- pd — a pid of the Android.Vo1d.1 process;
- ud — the uid (user id) under which Android.Vo1d.1 is being launched;
- g — a constant;
- v — a constant;
- u — indicates the location of the component wd (Android.Vo1d.3).
Known possible wd binary file locations:
- /data/system/installd
- /system/xbin/wd
- /data/google/rild
Launching the Android.Vo1d.3 component
Android.Vo1d launches /system/xbin/wd (Android.Vo1d.3) and controls its process activity, restarting it if necessary.
Downloading and launching binary files from target URLs
To download executables, Android.Vo1d.1 sends GET requests to the following addresses:
- http[:]//6f33933ce4a5c0e1b32fea736a61351a[.]com/v1.0.0/sv
- http[:]//catmos99[.]com:81/v1.0.0/sv
The format of these requests:
| GET HTTP/1.1 | hxxp[:]//bitemores[.]com/api/start |
|---|---|
| User-Agent | curl/7.64.0 |
| Accept | */* |
From these addresses, the trojan receives URLs from which it downloads and then runs target files.
More details on Android.Vo1d.3
