Android turns into zombie: Analysis of the new virus "Viking Tribe"

Check Point's research team discovered a new Android virus in the Google Play Store and named it Viking Horde. This virus can perform ad fraud, DDoS attacks, send spam, etc. At least 5 apps have passed the virus scan of Google Play.

On both rooted and non-rooted devices, Viking Horde creates a botnet that uses proxied IP addresses to disguise ad clicks so the attacker can make money. A botnet is a group of devices controlled by a hacker without the device's users knowing. Depending on the computing power of the device, the "bots" can do a variety of things. The larger the botnet, the more it can do.

On rooted devices, Viking Horde is capable of delivering additional malicious payloads, allowing for remote arbitrary code execution, and it also exploits root privileges to make itself difficult to remove.

Horde Introduction

[[166304]]

The most downloaded app in the Viking Horde series is the Viking Jump app, which has been downloaded 50,000-100,000 times since it was uploaded to Google Play on April 15. In some markets, Viking Jump has even made it to the top of the Google Play free app charts.

The oldest application submitted was Wi-Fi Plus, which was submitted on March 29. Other applications included Memory Booster, Parrot Copter, and Simple 2048. All of the apps infected with Viking Horde had low ratings, which the research team speculated might be because users noticed its strange behavior, such as requesting root permissions.

The botnet created by the attackers is spread across countries around the world, and the Check Point research team obtained the distribution of its victims through data collected from a C&C server.

Source: Check Point Mobile Threat Research Team, May 6, 2016

How Viking Horde works

After studying the Viking Horde code and C&C server, the researchers drew a flowchart.

1. The virus is first downloaded from Google Play. When the app launches the game, it installs several components outside the app's directory. The names of these components are disguised as system-related names, such as core.bin, clib.so, android.bin and update.bin. If the device is not rooted, the components will be installed on the SD card, and if it is rooted, they will be installed in root/data. One of these files is used to exchange information between components. The other contains all the generated component names to facilitate other components to access them.

2. Next, the virus will check whether the device is rooted:

If so, the virus activates two additional components:

If the device is not rooted, the malware loads the app_exec file as a shared library and calls its functions through JNI (Java Native Interface, which allows Java code to run native binaries).

In either case, once the app_exec application is installed, it establishes a TCP connection with the C&C server and begins communicating. The communication includes the following instructions.

3. The next step is to execute the malicious function through an anonymous proxy connection. The C&C server will send a "create_proxy" command with two IP addresses and ports as parameters. These two IP addresses will be used to open two sockets, one for the remote server and one for the remote target. It will then read the data received by the first socket and transmit it to the target host. The virus developer can use this to hide his IP address.

Botnet activity

Even if the device is not rooted, Viking Horde turns it into a proxy capable of sending and receiving messages. Below is an infected device as seen from the attacker’s C&C server.

The remote end is the IP of the proxy, and the socks IP is the IP of the C&C server. The C&C server contains some information about the device, including the OS version, battery status, and GPS coordinates. In this case, the device is located in the United States and the carrier is T-Mobile.

Viking C&C Server

The botnet is controlled by many C&C servers, each of which manages hundreds of devices. The primary goal of the malware is to hijack the device and use it to simulate clicking on ads on websites to make money. The malware needs a proxy to bypass the anti-fraud mechanism of advertisers.

Some user reviews also say the app sends premium text messages, as shown in the screenshot. The botnet can be used for a variety of purposes, including DDoS attacks, sending spam, and delivering viruses.

Virus persistence

The virus uses several methods to stay on the system. First, the components installed by Viking Horde use system-specific names, making them difficult to locate and remove.

If the device is rooted, there are two mechanisms that can be used to prevent deletion:

The app_exec component monitors whether the main program exists . If the user uninstalls the main program, app_exec decrypts a component called com.android.security and installs it silently. This component is hidden and executed after the reboot.

The watchdog component will install updates for the app_exec component. If app_exec is deleted, watchdog will reinstall it from the update directory.

Apparently, some users have also noticed activity like this:

Additional components for rooted devices

Probably the most dangerous functionality is the update mechanism: app_exec downloads the latest binary from the server and stores it in the /data directory under the name app_exec_update.

Watchdog will periodically check if an update file exists and replace app_exec with it. This means that VikingHorde can download a new binary file based on the server's command. The watchdog component will replace the application with it. In this way, any remote code can be downloaded and executed on this device.

Appendix 1: app package name

 com.Jump.vikingJump
 com.esoft.wifiplus
 com.fa.simple2048
 com.android.wifiman
 Com.gospeed.memboost
 Com.faandroid.flyingcopters

Appendix 2: C&C Server List

 www[.]adautoexchange[.]com
 www[.]adexchng[.]com
 www[.]adexchnge[.]com
 www[.]adexchangetech[.]com

Appendix 3: SHA256 of the infected executable

 85e6d5b3569e5b22a16245215a2f31df1ea3a1eb4d53b4c286a6ad2a46517b0c
 254c1f16c8aa4c4c033e925b629d9a74ccb76ebf76204df7807b84a593f38dc0
 ebfef80c85264250b0e413f04d2fbf9e66f0e6fd6b955e281dba70d536139619
 10d9fdbe9ae31a290575263db76a56a601301f2c2089ac9d2581c9289a24998a
 a13abb024863dc770f7e3e5710435899d221400a1b405a8dd9fd12f62c4971de
 1dd08afbf8a9e5f101f7ea4550602c40d1050517abfff11aaeb9a90e1b2caea1
 e284a7329066e171c88c98be9118b2dce4e121b98aa418ae6232eaf5fd3ad521