Android.Triada.231

Added to the Dr.Web virus database: 2017-03-18

Virus description added:

SHA1:

  • 7ed01280dd254b063fecfdbf1da773df7738120a

A Trojan program for Android OS embedded into the source code of the system library libandroid_runtime.so. In the method println_native of the class android.util.Log (core/jni/android_util_Log.cpp, platform/frameworks/base project), an additional call is added:

/*
 * In class android.util.Log:
 *  public static native int println_native(int buffer, int priority, String tag, String msg)
 */
extern "C" int xlogf_java_tag_is_on(const char *name, int level);
extern "C" int xlogf_java_xtag_is_on(const char *name, int level);
static jint android_util_Log_println_native(JNIEnv* env, jobject clazz,
        jint bufID, jint priority, jstring tagObj, jstring msgObj)
{
    const char* tag = NULL;
    const char* msg = NULL;
    if (msgObj == NULL) {
        jniThrowNullPointerException(env, "println needs a message");
        return -1;
    }
    if (bufID < 0 || bufID >= LOG_ID_MAX) {
        jniThrowNullPointerException(env, "bad bufID");
        return -1;
    }
    if (tagObj != NULL)
        tag = env->GetStringUTFChars(tagObj, NULL);
    msg = env->GetStringUTFChars(msgObj, NULL);
    int res = -1;
    int flag_m = 0;
    int count = 0;
    char new_tag[50];
    if (tag != NULL && (strncmp(tag, "@M_", 3) == 0)) {
        flag_m = 1;
        while(tag[count+3]) {
            new_tag[count] = tag[count+3];
            count++;
        }
        new_tag[count] = 0;
    }
#ifdef HAVE_XLOG_FEATURE
    if (flag_m == 1) {
        if (xlogf_java_xtag_is_on(new_tag, (android_LogPriority)priority)) {
            res = __android_log_buf_write(bufID, (android_LogPriority)priority, new_tag, msg);
        }
    } else if (xlogf_java_tag_is_on(tag, (android_LogPriority)priority)) {
      res = __android_log_buf_write(bufID, (android_LogPriority)priority, tag, msg);
    }
#else
    if (flag_m == 1) {
       res = __android_log_buf_write(bufID, (android_LogPriority)priority, new_tag, msg);
    } else {
       res = __android_log_buf_write(bufID, (android_LogPriority)priority, tag, msg);
    }
#endif
    // droi.zhanglin,20160901. add leagoo custom code
    /* qy start */
    // TODO: channel device model number
    __config_log_println(env, priority, tag, msg, "cf89490001");
    /* qy end */
    if (tag != NULL)
        env->ReleaseStringUTFChars(tagObj, tag);
    env->ReleaseStringUTFChars(msgObj, msg);
    return res;
}

As a result, the injected function is called every time an application on the infected mobile device writes a record to the system log.

Android.Triada.231 is launched for the first time when the function is called by the Zygote process. The Trojan decrypts the data strings it uses and checks the version of the operating system API and the execution environment in which it is launched. If it is a Dalvik virtual machine, Android.Triada.231 intercepts the method onCreate of the Application class in RAM by patching the jmethodID structure corresponding to this method. The patch is made in such a way that the method is marked as native. Then the Trojan calls the JNI function RegisterNatives.

Using the method java.lang.System.setProperty, the malicious program sets the following system properties:

  • os.config.ppgl.dir - the name of the Trojan's working directory (/data/configppgl for the Dalvik virtual machine and /sdcard/.SDAndroid for the ART virtual machine);
  • os.config.ppgl.version - parameter with the value «1.3.3»;
  • os.config.ppgl.status - parameter with the value «working»;
  • os.config.ppgl.cd - parameter passed to the Trojan function (in the described example it has the value «M5 Plus Lte»).

Then, Android.Triada.231 creates its working directory.

Since application processes are forked from the Zygote process when applications are launched, the Trojan code, together with the strings decrypted at its first launch and its initialized variables, is automatically carried into the processes of all applications.

If Android.Triada.231 is executed on an ART virtual machine, the Trojan is not activated immediately after an application is launched; it is activated after the application writes a record to the system log. This is done using the same function the virus writers embedded in the method println_native to initialize the Trojan.

Android.Triada.231 checks whether its working directory contains a subdirectory whose name includes the MD5 value of the infected process. If it finds this directory, the Trojan looks for the file 32.mmd or 64.mmd (for 32-bit and 64-bit operating systems respectively). When it finds the required file, Android.Triada.231 decrypts it and saves it as libcnfgp.so, then loads it into RAM using the method java.lang.System.load and deletes the decrypted copy from the device.

If the Trojan does not find the required file, it looks for the file 36.jmd, which is decrypted and saved as mms-core.jar, run using the class DexClassLoader and then deleted.
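The indicators above (the SHA1 of the modified libandroid_runtime.so, the two working directories, the MD5-named per-process subdirectory and the 32.mmd/64.mmd/36.jmd payload files) can be checked offline against an extracted filesystem dump. The following triage script is an added example written for this page; it is not Dr.Web's code. It assumes the library lives at the usual /system/lib/libandroid_runtime.so path and, since the description does not say exactly what is hashed, assumes the subdirectory name embeds the MD5 hex digest of the process (package) name; the demo filesystem it builds is a constructed fixture.

```python
import hashlib
import os
import re
import tempfile

# Indicators quoted from the Dr.Web description of Android.Triada.231.
TRIADA_LIB_SHA1 = "7ed01280dd254b063fecfdbf1da773df7738120a"
WORK_DIRS = ("data/configppgl", "sdcard/.SDAndroid")   # Dalvik / ART working directories
PAYLOAD_NAMES = {"32.mmd", "64.mmd", "36.jmd", "libcnfgp.so", "mms-core.jar"}
MD5_RE = re.compile(r"[0-9a-f]{32}")


def lib_path(root):
    """Assumed location of the runtime library inside an extracted image."""
    return os.path.join(root, "system", "lib", "libandroid_runtime.so")


def sha1_of(path):
    """Stream a file through SHA-1 and return the hex digest."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_image(root, package_names=()):
    """Return (kind, path, note) findings for an Android filesystem rooted at `root`."""
    findings = []
    lib = lib_path(root)
    if os.path.isfile(lib):
        digest = sha1_of(lib)
        if digest == TRIADA_LIB_SHA1:
            findings.append(("known_sample", lib, digest))
    # Assumption: the per-process subdirectory name embeds md5(package name).
    md5_to_pkg = {hashlib.md5(p.encode()).hexdigest(): p for p in package_names}
    for rel in WORK_DIRS:
        wd = os.path.join(root, rel)
        if not os.path.isdir(wd):
            continue
        findings.append(("work_dir", wd, None))
        for dirpath, dirnames, filenames in os.walk(wd):
            for d in dirnames:
                m = MD5_RE.search(d)
                if m:  # map the hash back to a package name when we can
                    findings.append(("process_dir", os.path.join(dirpath, d),
                                     md5_to_pkg.get(m.group(0))))
            for f in filenames:
                if f in PAYLOAD_NAMES:
                    findings.append(("payload", os.path.join(dirpath, f), None))
    return findings


def build_demo_image():
    """Constructed fixture: a tiny fake dump laid out like an ART-infected device."""
    root = tempfile.mkdtemp(prefix="triada_demo_")
    os.makedirs(os.path.join(root, "system", "lib"))
    with open(lib_path(root), "wb") as f:
        f.write(b"\x7fELF placeholder, not the real library")
    sub = os.path.join(root, "sdcard", ".SDAndroid",
                       hashlib.md5(b"com.android.mms").hexdigest())
    os.makedirs(sub)
    for name in ("32.mmd", "36.jmd"):
        with open(os.path.join(sub, name), "wb") as f:
            f.write(b"encrypted payload placeholder")
    return root


if __name__ == "__main__":
    demo = build_demo_image()
    for kind, path, note in scan_image(demo, package_names=["com.android.mms"]):
        print(kind, os.path.relpath(path, demo), note or "")
```

On a real dump, point scan_image at the mount root and pass the list of installed package names (for example from a package list pulled from the device) so that MD5-named subdirectories can be attributed to the process they target; a work_dir or payload finding without a known_sample match still indicates the described dropper layout even if the library itself has been rebuilt.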

As a result, Android.Triada.231 can embed malicious modules into application processes; these modules can perform various actions, for example, steal confidential information or change the information displayed by the attacked applications.

The Trojan can also extract a jar module (detected as Android.Triada.194.origin) from the modified library libandroid_runtime.so. Android.Triada.231 loads this module into the process com.android.mms when that process calls the method println_native. This happens if the tag parameter of println_native differs from «DownloadManager» and «MmsSystemEventReceiver» and the Trojan function is being called in the attacked process for at least the third time.

Treatment recommendations

Android

  1. If your mobile device is working normally, download and install the free antivirus product Dr.Web for Android Light on it. Run a full scan and follow the recommendations for neutralizing the detected threats.
  2. If the mobile device is locked by a Trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is displayed on the device's screen), proceed as follows:
    • start your smartphone or tablet in safe mode (if you do not know how, consult the documentation for the mobile device or contact the manufacturer);
    • then download and install the free antivirus product Dr.Web for Android Light on the infected device, run a full scan and follow the recommendations for neutralizing the detected threats;
    • turn the device off and on again.

Learn more about Dr.Web for Android