Friday, January 17, 2014

Android Oldboot / Mouabad.s

MD5 (GoogleKernel.apk) = 8e3dcff9ec301d450bbd46e44d5b1091
MD5 (_bootinfo) = 826493bca9ad7d33521001d1a74ce06f
MD5 ( = 2fcaeb78f945bee1512ca65cca2f21b4
MD5 (com.qq.assistant.apk) = e3ed5c6d2cffe6f37b809a1252bd805d
MD5 (imei_chk) = 41d8d39217ca3fe40a4722e544b33024
MD5 ( = a0ec31f670bbdccb22f9a6ec36d5ac77

From Zihang (Claud) Xiao:
“imei_chk” is the main executable file under /sbin;
“_bootinfo” is the /sbin/.bootinfo config file which is needed for imei_chk’s running;
“GoogleKernel.apk” and “” are two files dropped by imei_chk;
“com.qq.assistant.apk” is the first variant, while “” is the second variant.
By manually adding imei_chk and .bootinfo to the /sbin directory in the boot partition and modifying init.rc, an analyst could restore the whole attack.
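Added example (not code from this page, the 360 paper or Lookout): a Python script that checks a dumped boot partition for the artifacts Claud Xiao lists above. It parses the classic AOSP bootimg.h header (magic, kernel and ramdisk sizes, page size), locates the gzip-compressed newc cpio ramdisk, and flags sbin/imei_chk, sbin/.bootinfo and any init.rc line that references imei_chk. The page does not give the exact init.rc change, so the "service imei_chk /sbin/imei_chk" entry in the constructed infected image is an assumption; both boot images and all file contents are constructed placeholders, not the real samples.

```python
import gzip
import struct

BOOT_MAGIC = b"ANDROID!"
# Paths inside the ramdisk cpio are relative, so /sbin/imei_chk is "sbin/imei_chk".
SUSPECT_FILES = {"sbin/imei_chk", "sbin/.bootinfo"}
SUSPECT_INIT_TOKEN = b"imei_chk"


def parse_boot_header(img: bytes) -> dict:
    """Read the classic AOSP bootimg.h header: magic, then 8 little-endian u32s."""
    if img[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    (kernel_size, _kaddr, ramdisk_size, _raddr, _second_size, _saddr,
     _tags_addr, page_size) = struct.unpack_from("<8I", img, 8)
    pages = lambda n: (n + page_size - 1) // page_size
    # Header occupies page 0, kernel starts at page 1, ramdisk follows the kernel pages.
    return {"page_size": page_size, "kernel_size": kernel_size,
            "ramdisk_off": page_size * (1 + pages(kernel_size)),
            "ramdisk_size": ramdisk_size}


def read_cpio_newc(data: bytes) -> dict:
    """Parse an SVR4 'newc' cpio archive (the ramdisk format) into {path: bytes}."""
    entries, off = {}, 0
    while off + 110 <= len(data):
        if data[off:off + 6] != b"070701":
            raise ValueError("bad cpio magic at offset %d" % off)
        # 13 fields of 8 ASCII hex digits; we need filesize (6) and namesize (11).
        fields = [int(data[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = data[off + 110:off + 110 + namesize - 1].decode()
        if name == "TRAILER!!!":
            break
        data_off = (off + 110 + namesize + 3) & ~3      # header+name padded to 4
        entries[name] = data[data_off:data_off + filesize]
        off = (data_off + filesize + 3) & ~3             # file data padded to 4
    return entries


def scan_boot_image(img: bytes) -> dict:
    """Unpack the ramdisk and look for the Oldboot files and an init.rc hook."""
    hdr = parse_boot_header(img)
    rd = img[hdr["ramdisk_off"]:hdr["ramdisk_off"] + hdr["ramdisk_size"]]
    files = read_cpio_newc(gzip.decompress(rd))
    found = sorted(f for f in files if f in SUSPECT_FILES)
    init_hits = [ln.decode(errors="replace").strip()
                 for ln in files.get("init.rc", b"").splitlines()
                 if SUSPECT_INIT_TOKEN in ln]
    return {"suspect_files": found, "init_rc_hits": init_hits,
            "infected": bool(found or init_hits)}


# --- Constructed test images (placeholders, not the real samples) -------------

def build_cpio_newc(files: dict) -> bytes:
    """Write a minimal 'newc' archive; only used to build the constructed ramdisks."""
    out = bytearray()

    def entry(name, body, ino):
        hdr = b"070701" + b"".join(b"%08X" % v for v in (
            ino, 0o100755, 0, 0, 1, 0, len(body), 0, 0, 0, 0, len(name) + 1, 0))
        rec = hdr + name.encode() + b"\0"
        rec += b"\0" * (-len(rec) % 4) + body + b"\0" * (-len(body) % 4)
        out.extend(rec)

    for i, (name, body) in enumerate(files.items(), 1):
        entry(name, body, i)
    entry("TRAILER!!!", b"", 0)
    return bytes(out)


def build_boot_image(kernel: bytes, ramdisk_gz: bytes, page_size: int = 2048) -> bytes:
    """Assemble a v0 boot image: header page, kernel pages, ramdisk pages."""
    pad = lambda b: b + b"\0" * (-len(b) % page_size)
    hdr = BOOT_MAGIC + struct.pack("<8I", len(kernel), 0x10008000, len(ramdisk_gz),
                                   0x11000000, 0, 0x10F00000, 0x10000100, page_size)
    return pad(hdr) + pad(kernel) + pad(ramdisk_gz)


CLEAN_RAMDISK = {
    "init.rc": b"on init\n    export PATH /sbin:/system/bin\n\nservice adbd /sbin/adbd\n    class core\n",
    "sbin/adbd": b"\x7fELF placeholder",
}
# Assumed shape of the init.rc hook (not given on the page): a service entry for /sbin/imei_chk.
INFECTED_RAMDISK = dict(CLEAN_RAMDISK, **{
    "init.rc": CLEAN_RAMDISK["init.rc"] + b"\nservice imei_chk /sbin/imei_chk\n    class core\n    oneshot\n",
    "sbin/imei_chk": b"\x7fELF placeholder (constructed, not the real binary)",
    "sbin/.bootinfo": b"constructed config placeholder",
})


def make_image(ramdisk_files: dict) -> bytes:
    return build_boot_image(b"kernel placeholder", gzip.compress(build_cpio_newc(ramdisk_files)))


if __name__ == "__main__":
    for label, files in (("clean", CLEAN_RAMDISK), ("infected", INFECTED_RAMDISK)):
        print(label, scan_boot_image(make_image(files)))
```

On a real device you would feed scan_boot_image() a dump of the boot block device rather than a constructed image. Caveat: the parser handles only the original header layout (page 0 header, kernel, ramdisk, optional second stage); later boot header versions with vendor ramdisks are laid out differently, and a ramdisk compressed with something other than gzip needs a different decompressor.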

Research: 360 Mobile: Oldboot: the first bootkit on Android by Zihang Xiao, Qing Dong, Hao Zhang and Xuxian Jiang

Also see: Mouabad.p - Pocket Dialing For Profit (Lookout Security)

Sample Credit: Tim Strazzere (Lookout Security) and Claud Xiao (360 Mobile)

Download all the listed samples (new link)
Scan result for 8e3dcff9ec301d450bbd46e44d5b1091.apk (the GoogleKernel.apk MD5 listed above):
SHA256: f0203c4a59f4b9e701276f0021112c65d7b70dd14b8b3f870412a6432d969097
Detection ratio: 2 / 48
Analysis date: 2014-01-17 19:47:46 UTC
Antivirus          Result                 Update
McAfee             Artemis!8E3DCFF9EC30   20140117
McAfee-GW-Edition  Artemis!8E3DCFF9EC30   20140117
