
Friday, January 17, 2014

Android Oldboot / Mouabad.s


MD5 (GoogleKernel.apk) = 8e3dcff9ec301d450bbd46e44d5b1091
MD5 (_bootinfo) = 826493bca9ad7d33521001d1a74ce06f
MD5 (com.android.googledalvik.apk) = 2fcaeb78f945bee1512ca65cca2f21b4
MD5 (com.qq.assistant.apk) = e3ed5c6d2cffe6f37b809a1252bd805d
MD5 (imei_chk) = 41d8d39217ca3fe40a4722e544b33024
MD5 (libgooglekernel.so) = a0ec31f670bbdccb22f9a6ec36d5ac77

From Zihang (Claud) Xiao:
“imei_chk” is the main executable file under /sbin;
“_bootinfo” is the /sbin/.bootinfo config file which is needed for imei_chk’s running;
“GoogleKernel.apk” and “libgooglekernel.so” are two files dropped by imei_chk;
“com.qq.assistant.apk” is the first variant, while “com.android.googledalvik.apk” is the second variant.
By manually adding imei_chk and .bootinfo to the /sbin directory in the boot partition and modifying init.rc, an analyst could restore the whole attack.
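A defender-side check based on the file roles Xiao describes above, added here as an example and not part of the original post or the 360 research: it scans an already unpacked boot-image ramdisk (assumed to be extracted to a directory) for /sbin/imei_chk and /sbin/.bootinfo, compares their MD5s with the ones listed on this page, and flags init.rc lines that reference imei_chk. The demo ramdisk it builds contains constructed placeholder files only.

```python
import hashlib
import os
import tempfile

# MD5s of the two boot-partition components as listed on this page.
OLDBOOT_MD5 = {
    "sbin/imei_chk": "41d8d39217ca3fe40a4722e544b33024",
    "sbin/.bootinfo": "826493bca9ad7d33521001d1a74ce06f",
}


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_ramdisk(root):
    """Return findings for an unpacked boot-image ramdisk rooted at `root`."""
    findings = []
    for rel, known in OLDBOOT_MD5.items():
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            digest = md5_file(path)
            status = "matches listed sample" if digest == known else "hash differs"
            findings.append(f"{rel}: present ({status}, md5={digest})")
    init_rc = os.path.join(root, "init.rc")
    if os.path.isfile(init_rc):
        with open(init_rc, "r", errors="replace") as f:
            for lineno, line in enumerate(f, 1):
                if "imei_chk" in line:
                    findings.append(f"init.rc:{lineno}: references imei_chk")
    return findings


def build_demo_ramdisk():
    """Constructed sample ramdisk: placeholder files, not the real binaries."""
    root = tempfile.mkdtemp(prefix="ramdisk_")
    os.makedirs(os.path.join(root, "sbin"))
    with open(os.path.join(root, "sbin", "imei_chk"), "wb") as f:
        f.write(b"placeholder, not the real binary")
    with open(os.path.join(root, "sbin", ".bootinfo"), "wb") as f:
        f.write(b"placeholder config")
    with open(os.path.join(root, "init.rc"), "w") as f:
        f.write("service imei_chk /sbin/imei_chk\n    class core\n")
    return root


if __name__ == "__main__":
    for finding in scan_ramdisk(build_demo_ramdisk()):
        print(finding)
```

On a real device image the placeholders would be replaced by the ramdisk unpacked from the boot partition, and a "matches listed sample" result ties the file directly to the hashes above.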

Research: 360 Mobile: Oldboot: the first bootkit on Android by Zihang Xiao, Qing Dong, Hao Zhang and Xuxian Jiang


Also See: Mouabad.p - Pocket Dialing For Profit (Lookout Security)


Sample Credit: Tim Strazzere (Lookout Security) and Claud Xiao (360 Mobile)


Download all the listed samples (new link)


https://www.virustotal.com/en/file/f0203c4a59f4b9e701276f0021112c65d7b70dd14b8b3f870412a6432d969097/analysis/
SHA256: f0203c4a59f4b9e701276f0021112c65d7b70dd14b8b3f870412a6432d969097
File name: 8e3dcff9ec301d450bbd46e44d5b1091.apk
Detection ratio: 2 / 48
Analysis date: 2014-01-17 19:47:46 UTC

Antivirus | Result | Update
McAfee | Artemis!8E3DCFF9EC30 | 20140117
McAfee-GW-Edition | Artemis!8E3DCFF9EC30 | 20140117
