SHA1 hashes:
- ed975255eba30345de74936e24b9b3090f26ed7e (/data/google/daemon)
- 182939085a9aa1d6f0e60da31b200cd644522748 (a decrypted payload)
Description
This is a component of the malicious backdoor Android.Vo1d, which was detected in the system storage area of a number of Android-based TV box models. It is a daemon that performs various tasks on infected devices. Its functionality includes:
- Decrypting the payload;
- Communicating with the C&C server;
- Downloading APK files (presumably);
- Downloading and running native libraries.
Operating routine
Decrypting the payload
Android.Vo1d.5 extracts and decrypts a payload from itself, using the XXTEA algorithm with the key fPNH830ES23QOPIM*&S955(2WR@L*&GF. The decrypted object—the main Android.Vo1d.5 body—is loaded into the RAM.
Communicating with the C&C server
Via a POST request, Android.Vo1d.5 contacts the C&C server whose address is taken from a preassigned list. By default, the list has only a single address hxxp[:]//meiboot[.]com/api/config.
The request format is as follows:
| POST | hxxp[:]//meiboot[.]com/api/config |
|---|---|
| User-Agent | curl/7.64.0 |
| Accept | */* |
| Content-Type | application/json;charset=UTF-8 |
An example of a request:
{
"a": "32",
"m": "debuggerd-11236.0",
"s": "10",
"u": "a1d4f55f6be3d743497fadee1d574b3357029c25"
}
where:
- a — is a constant;
- m — is a field that contains a string with information about the trojan’s process name as well as its pid and uid in <process_name>-<pid>.<uid> format;
- s — is a constant;
- u — is a session key that will encrypt the u and d fields (the latter is an URL) in responses from the server (these responses are described below).
The server responds with a JSON in one of several formats.
An example of response #1:
{
"code": "200",
"msg": [
{
"i": "",
"v": "",
"a": "",
"u": ""
},
{ ... }
]
}
where:
- i — is the identifier of the loaded file;
- v — is the identifier of the loaded file’s version;
- a — is the request code;
- u — is a link (encrypted with XXTEA) for downloading the file.
This response contains the list of commands that the trojan needs to execute.
Possible commands that can be issued by the C&C server:
- 1 — download a file from the URL specified in the field u and put it in /data/system/users/.v/<id1>.<id2>;
- 2 — re-download the file specified in the id i;
- 3 — delete the file specified in the id i;
- 4 — download the file from the specified URL and put it in the table, using the id i;
- 5 — place the file in the table, using the id i.
The table above is a list of downloaded files, which the daemon goes through in another thread. Then it decrypts the downloaded files and puts the decrypted variants into one of the following directories:
- /data/system/android.hardware.support@<id>.0.so (for Android API below version 29);
- <prefix>/lib/arm/libsupport@<id>.0.so
Next, Android.Vo1d.5 launches these files by calling the function init in the .SO files.
An example of response #2:
{
"code": "200",
"msg": {
"i": "",
"d": [
"url_1",
"url_2",
"...",
"url_n"
]
}
}
where:
- i — the interval between server requests;
- d — the list of C&C server addresses. Each string in this list is encrypted with the XXTEA algorithm, using the session key from the request.
This command is used to add more C&C server addresses for the daemon to communicate with.
Replenishing the C&C server address list locally
If Android.Vo1d.5 is unable to connect to any of the servers listed in the address table, the trojan generates several addresses on its own using the following scheme:
| Server address | Domain | |
|---|---|---|
| 0a597f79d876441d | . | com |
| 57fd438a26874780 | xyz | |
| 1e93c45d9b414092 | top | |
| 111a2e0d676a4e94 | net |
Android.Vo1d.5 uses a random server address, adds a random domain to it, and then tries to connect to the address it generated. The trojan’s authors likely planned to register such addresses so that the daemons could continue operating if any C&C server addresses got blocked.
Artifacts
The Android.Vo1d.5 daemon contains the following strings:
- C:/Users/dazhi/Desktop/dynamicbox/libsdk/external/libserver/server.c
- C:/Users/dazhi/Desktop/dynamicbox/libsdk/external/libserver/record_stream.c
