
From China with Love: New Android Backdoor Spreading through Hacked Apps

Trojan.Android.FakeAngry.A/B silently installs applications and reports the phone

With the Android OS now holding more than 50% of the mobile device market, malicious attacks have increased considerably. Freshly discovered by Bitdefender, the FakeAngry family of Trojans is just one of the e-threats targeting smartphones running Android, and especially users who rely on third-party Chinese markets to download applications.

The Trojan’s name stems from the fact that these two variants store their settings as ‘i22HK’, while the com.i22.* packages are associated with the popular Angry Birds application.

Until now, we have isolated two variants of the FakeAngry family, both in Java packages mostly targeting Chinese users. In-depth analysis reveals that, once an infected package is run, the Trojanized application deploys a backdoor that connects to a command and control server in China and/or Canada and then waits for instructions from the attacker. Among other abilities, the backdoor can silently install another application, set browser bookmarks or even syphon device logs for monitoring purposes.

Fig. 1: APK download routine

Remote attackers can install new applications by specifying the application’s name and URL, together with a special parameter (‘silentdownload’) that lets the backdoor download and install the application without the user noticing. To install it, the backdoor changes the APK’s permissions via chmod and then calls pm install -r. To avoid heuristic detection, these command strings are obfuscated.
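The chmod-then-pm install -r pair is the concrete observable this section gives. As an added example (not code from the article or from Bitdefender), here is a small Python correlator that runs over constructed shell-execution audit lines and reports the pair only when the same uid first makes an APK executable and then hands that same path to the package manager with the reinstall flag. The audit-line format, the uid values and the file paths are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample of shell-execution audit lines (the format is an assumption for this
# example, not FakeAngry's own output): timestamp, calling uid, executed command line.
SAMPLE_LOG = """\
12:00:01 uid=10042 exec chmod 755 /data/data/com.example.game/files/update.apk
12:00:02 uid=10042 exec pm install -r /data/data/com.example.game/files/update.apk
12:05:10 uid=10055 exec ls /sdcard
12:07:30 uid=10055 exec pm install -r /sdcard/Download/tool.apk
12:09:00 uid=10061 exec chmod 644 /data/data/com.example.notes/files/notes.txt
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) uid=(?P<uid>\d+) exec (?P<cmd>.+)$")


def parse_line(line):
    """Split one audit line into (timestamp, uid, argv); None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m.group("ts"), m.group("uid"), m.group("cmd").split()


def find_silent_installs(log_text):
    """Return [(uid, apk_path, timestamp)] for every 'pm install -r' whose APK the same uid
    chmod'ed earlier in the log. A lone 'pm install' by an unrelated uid is not reported:
    the pairing, not either command by itself, is the behaviour the write-up describes."""
    chmod_paths = defaultdict(set)   # uid -> APK paths that uid made executable
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, uid, argv = parsed
        if not argv:
            continue
        if argv[0] == "chmod" and len(argv) >= 3 and argv[-1].endswith(".apk"):
            chmod_paths[uid].add(argv[-1])
        elif argv[:3] == ["pm", "install", "-r"] and len(argv) >= 4:
            apk = argv[3]
            if apk in chmod_paths[uid]:
                findings.append((uid, apk, ts))
    return findings


if __name__ == "__main__":
    for uid, apk, ts in find_silent_installs(SAMPLE_LOG):
        print(f"{ts} uid {uid}: {apk} was chmod'ed and then reinstalled with 'pm install -r'")
```

Because the article notes that the command strings inside the APK are obfuscated, matching those strings statically is fragile; correlating what actually gets executed at runtime is indifferent to how the strings were hidden in the bytecode.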

Fig. 2: Obfuscated commands allow the malware to avoid heuristic detection

The Trojan can also set browser bookmarks for most of the mobile browsers installed on the device. Before writing the bookmarks, it checks which browsers are present on the system by calling the function below:

Fig. 3: Mobile user-agent check

Most of these browsers are common in China, which indicates that it mostly targets Chinese users. Also, when the Trojan installs APKs in verbose mode, the pop-ups displayed are localized in Chinese.

Fig. 4: XML file with the specifications of the APK to be installed

After identifying the browser, the Trojan uses a list of bookmarks in the form Bookmark Name/Bookmark URL. It adds them to the browser, but it also sets the Visits field of each of these bookmarks to a high value, giving the victim the impression that the bookmark is trusted and has already been visited multiple times.
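An inflated Visits counter leaves an inconsistency that a defender can look for. As an added example, not code from the article, here is a Python check over a copy of the stock Android Browser bookmark table that flags entries whose visit counter does not fit their history. The column names follow android.provider.Browser.BookmarkColumns (url, title, visits, date as last visit, created, bookmark); the table name, the thresholds and the sample rows are constructed for the example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Column names follow android.provider.Browser.BookmarkColumns; the table name,
# the thresholds and the rows inserted below are constructed for this example.


def _ms(dt):
    """Epoch milliseconds, the unit the Browser provider stores its timestamps in."""
    return int(dt.timestamp() * 1000)


def build_sample_db(now):
    """In-memory copy of a bookmark table with two genuine and two injected entries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bookmarks (_id INTEGER PRIMARY KEY, title TEXT, url TEXT, "
        "visits INTEGER, date INTEGER, created INTEGER, bookmark INTEGER)"
    )
    rows = [
        # genuine entries: modest visit counts, a last-visit time, created long ago
        ("News", "https://news.example.org/", 37,
         _ms(now - timedelta(days=1)), _ms(now - timedelta(days=400)), 1),
        ("Mail", "https://mail.example.org/", 5,
         _ms(now - timedelta(days=3)), _ms(now - timedelta(days=30)), 1),
        # injected entries: inflated counter, no last-visit time, written within a second
        ("Shop", "http://shop.example.net/?aff=1", 999,
         0, _ms(now - timedelta(minutes=2)), 1),
        ("Games", "http://games.example.net/", 999,
         0, _ms(now - timedelta(minutes=2)) + 500, 1),
    ]
    conn.executemany(
        "INSERT INTO bookmarks (title, url, visits, date, created, bookmark) "
        "VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def suspicious_bookmarks(conn, now, max_visits_per_day=20, batch_window_ms=60_000):
    """Return {url: [reasons]} for bookmarks whose counters do not fit their history."""
    now_ms = _ms(now)
    rows = conn.execute(
        "SELECT url, visits, date, created FROM bookmarks WHERE bookmark = 1 ORDER BY created"
    ).fetchall()
    reasons = {}

    def flag(url, why):
        reasons.setdefault(url, []).append(why)

    for i, (url, visits, last_visit, created) in enumerate(rows):
        # a counter says "visited" but the provider never recorded a visit time
        if visits > 0 and not last_visit:
            flag(url, "visit counter set but no last-visit timestamp")
        # more visits than the bookmark's age allows (age floored at one day)
        age_days = max((now_ms - created) / 86_400_000, 1.0)
        if visits / age_days > max_visits_per_day:
            flag(url, f"{visits} visits in {age_days:.1f} days")
        # several bookmarks created within one short window point at a scripted write
        for j in (i - 1, i + 1):
            if 0 <= j < len(rows) and abs(rows[j][3] - created) <= batch_window_ms:
                flag(url, f"created within {batch_window_ms // 1000} s of another bookmark")
                break
    return reasons


def analyze_sample():
    """Build the constructed table at a fixed reference time and return the findings."""
    now = datetime(2012, 6, 1, tzinfo=timezone.utc)
    return suspicious_bookmarks(build_sample_db(now), now)


if __name__ == "__main__":
    for url, why in analyze_sample().items():
        print(url, "->", "; ".join(why))
```

Each heuristic on its own produces false positives on a heavily used device; the combination (no last-visit time, an impossible rate, and a batch of entries created seconds apart) is what separates a scripted write from ordinary browsing.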

Another interesting functionality of the Trojan is its ability to syphon parts of the system log, especially the events logged by the Activity Manager. The malware filters the system log for entries that reference the IMEI and timestamps before sending them to the C&C server. These entries are copied to a file called error_stat, which the malware creates and locks so that it is inaccessible. This is possible because the Android operating system allows applications to create files that are available only to their creator and that are automatically deleted when the application is uninstalled.


Fig. 5: The routine for collecting relevant logs

The backdoor is currently used for installing third-party applications without users’ knowledge. These applications can either be malicious (i.e. installing other e-threats on the compromised device) or be commercial affiliate applications that bring the botmaster revenue in pay-per-install schemes. However, as the Trojan is constantly downloading a list of commands, its modus operandi can change from one minute to the next, making its behaviour extremely difficult to predict.

What is certain is that Android malware is getting ever more complex, using obfuscation mechanisms or polymorphism (as the FakeInst family does) to circumvent mobile antivirus protection. Google’s recent introduction of the ’Bouncer’ scanning system may alleviate only some of the malware issues threatening users (it still does not protect against applications that fetch their payload at runtime from remote services), and it does not solve the problem of malware spreading through third-party markets. To be fully protected, we recommend that you do not root your phone and that you install a mobile security suite such as the one we provide for free.

This article is based on technical information provided courtesy of Mihai STOICOI, Bitdefender Virus Researcher.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

2 Comments

  • Dear Mr. Botezatu

    Thank you for your helpful information. My dad’s mobile has got trojan/android.i22hk.e. He told me that his phone was stoned from time to time.
    And it obviously slowed down the phone’s speed.

    My dad’s phone has not been rooted yet and I am downloading the Bitdefender app from Google Play. I wonder if this can help to save his phone. Would you kindly advise me on the solution to remove this annoying virus, please?

    I appreciate if you could be kind enough to share your valuable experience.
    Thank you!

  • Hi Bogdan,

    Although I can’t find any malicious activity using Kaspersky or Avast, I suspect that my Gmail account was compromised as a result.

    I have installed a firewall and only allow https traffic. However I still can’t find what may have caused this… I did a text search for i22hk, but can’t find anything in the OS.