Android turns into zombie: Analysis of the new virus "Viking Tribe"

Check Point's research team discovered a new Android virus in the Google Play Store and named it Viking Horde. The virus can perform ad fraud, take part in DDoS attacks, send spam, and more. At least five infected apps passed Google Play's malware screening.

On both rooted and non-rooted devices, Viking Horde builds a botnet that routes ad clicks through proxied IP addresses so the attacker can earn advertising revenue. A botnet is a group of devices controlled by an attacker without their users' knowledge. Depending on the computing power of the devices, the "bots" can be put to a variety of uses, and the larger the botnet, the more it can do.

On rooted devices, Viking Horde is capable of delivering additional malicious payloads, allowing for remote arbitrary code execution, and it also exploits root privileges to make itself difficult to remove.

Horde Introduction

The most downloaded app in the Viking Horde series is the Viking Jump app, which has been downloaded 50,000-100,000 times since it was uploaded to Google Play on April 15. In some markets, Viking Jump has even made it to the top of the Google Play free app charts.

The earliest submission was Wi-Fi Plus, uploaded on March 29. Other infected apps included Memory Booster, Parrot Copter and Simple 2048. All of the apps carrying Viking Horde had low ratings, which the research team speculates is because users noticed odd behaviour such as requests for root permissions.

The botnet created by the attackers is spread across countries around the world, and the Check Point research team obtained the distribution of its victims through data collected from a C&C server.

Source: Check Point Mobile Threat Research Team, May 6, 2016

How Viking Horde works

After studying the Viking Horde code and C&C server, the researchers drew a flowchart.

1. The virus is first downloaded from Google Play. When the game is launched, it installs several components outside the app's own directory. The components carry names disguised to look system-related, such as core.bin, clib.so, android.bin and update.bin. If the device is not rooted, the components are installed on the SD card; if it is rooted, they go into the /data directory. One of these files is used to exchange information between components; another holds all the generated component names so that the other components can find them.

2. Next, the virus checks whether the device is rooted.

If it is, the virus activates two additional components:

app_exec: implements the communication protocol with the server.

app_exec_watch_dog: implements updates and system pings. The watchdog monitors the app_exec process and restarts it if necessary.

If the device is not rooted, the malware loads the app_exec file as a shared library and calls its functions through JNI (the Java Native Interface, which lets Java code call into native code).

In either case, once app_exec is running it establishes a TCP connection to the C&C server and starts communicating. The communication includes the following commands:

Ping: every 10 seconds the application sends 5 bytes to the server, and the server replies with 5 bytes.

Update device information: send the remaining battery level, connection type and phone number to the server.

3. The next step is to carry out the malicious work through an anonymous proxy connection. The C&C server sends a "create_proxy" command with two IP addresses and ports as parameters. These are used to open two sockets, one to the remote server and one to the remote target; the malware then reads the data arriving on the first socket and relays it to the target host. The operator uses this to hide their own IP address.
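The keep-alive described in step 2 (5 bytes out, 5 bytes back, every 10 seconds) is a regular, low-volume pattern that a defender can look for in per-message flow logs. The following is an added detection example, not Check Point's code; the log format (timestamp, client IP, server IP, bytes out, bytes in) and the sample records are constructed here, and the thresholds are assumptions to tune per environment.

```python
"""Heuristic detector for the Viking Horde keep-alive pattern described above:
the bot sends 5 bytes to the C&C server every 10 seconds and gets 5 bytes back.
Added example, not Check Point's code. Records are constructed and mimic a
minimal per-message flow log: timestamp src_ip dst_ip bytes_out bytes_in."""
from collections import defaultdict
from statistics import median

# Constructed sample log: one benign browsing flow mixed with a beaconing one.
SAMPLE_LOG = """\
1462522800 10.0.0.5 203.0.113.10 5 5
1462522805 10.0.0.7 198.51.100.20 1200 45000
1462522810 10.0.0.5 203.0.113.10 5 5
1462522820 10.0.0.5 203.0.113.10 5 5
1462522830 10.0.0.5 203.0.113.10 5 5
1462522833 10.0.0.7 198.51.100.20 980 30210
1462522840 10.0.0.5 203.0.113.10 5 5
1462522850 10.0.0.5 203.0.113.10 5 5
1462522860 10.0.0.5 203.0.113.10 5 5
"""


def parse_log(text):
    """Parse whitespace-separated records into tuples; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, out_b, in_b = parts
        records.append((int(ts), src, dst, int(out_b), int(in_b)))
    return records


def find_beacons(records, payload=5, interval=10.0, jitter=2.0, min_count=6):
    """Return (src, dst, count) for client/server pairs that exchanged at least
    `min_count` symmetric messages of exactly `payload` bytes whose median spacing
    lies within `jitter` seconds of `interval`. Thresholds are assumptions."""
    by_pair = defaultdict(list)
    for ts, src, dst, out_b, in_b in records:
        if out_b == payload and in_b == payload:
            by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_count:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if abs(median(gaps) - interval) <= jitter:
            hits.append((src, dst, len(stamps)))
    return hits


if __name__ == "__main__":
    for src, dst, n in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} ({n} pings)")
```

Using the median gap rather than the mean keeps one missed or delayed ping from masking the pattern; raising `min_count` trades detection delay for fewer false positives from short-lived but legitimate heartbeats.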

Botnet activity

Even if the device is not rooted, Viking Horde turns it into a proxy capable of sending and receiving messages. Below is an infected device as seen from the attacker’s C&C server.

The remote end is the IP of the proxy, and the socks IP is the IP of the C&C server. The C&C server contains some information about the device, including the OS version, battery status, and GPS coordinates. In this case, the device is located in the United States and the carrier is T-Mobile.

Viking C&C Server

The botnet is controlled by many C&C servers, each of which manages hundreds of devices. The primary goal of the malware is to hijack the device and use it to simulate clicking on ads on websites to make money. The malware needs a proxy to bypass the anti-fraud mechanism of advertisers.

Some user reviews also say the app sends premium text messages, as shown in the screenshot. The botnet can be used for a variety of purposes, including DDoS attacks, sending spam, and delivering viruses.

Virus persistence

The virus uses several methods to stay on the system. First, the components installed by Viking Horde use names that resemble system files, making them hard to spot and remove.

If the device is rooted, there are two mechanisms that can be used to prevent deletion:

The app_exec component monitors whether the main program still exists. If the user uninstalls the main program, app_exec decrypts a component called com.android.security and installs it silently. This component is hidden and runs after the next reboot.

The watchdog component will install updates for the app_exec component. If app_exec is deleted, watchdog will reinstall it from the update directory.

Apparently, some users have also noticed activity like this:

Additional components for rooted devices

Probably the most dangerous functionality is the update mechanism: app_exec downloads the latest binary from the server and stores it in the /data directory under the name app_exec_update.

The watchdog periodically checks whether an update file exists and, if so, replaces app_exec with it. This means Viking Horde can download a new binary on the server's command and the watchdog will swap it in for the running application. In this way, arbitrary remote code can be downloaded and executed on the device.

Appendix 1: app package name

  1. com.Jump.vikingJump
  2. com.esoft.wifiplus
  3. com.fa.simple2048
  4. com.android.wifiman
  5. Com.gospeed.memboost
  6. Com.faandroid.flyingcopters

Appendix 2: C&C Server List

  1. www[.]adautoexchange[.]com
  2. www[.]adexchng[.]com
  3. www[.]adexchnge[.]com
  4. www[.]adexchangetech[.]com

Appendix 3: SHA256 of the infected executable

  1. 85e6d5b3569e5b22a16245215a2f31df1ea3a1eb4d53b4c286a6ad2a46517b0c
  2. 254c1f16c8aa4c4c033e925b629d9a74ccb76ebf76204df7807b84a593f38dc0
  3. ebfef80c85264250b0e413f04d2fbf9e66f0e6fd6b955e281dba70d536139619
  4. 10d9fdbe9ae31a290575263db76a56a601301f2c2089ac9d2581c9289a24998a
  5. a13abb024863dc770f7e3e5710435899d221400a1b405a8dd9fd12f62c4971de
  6. 1dd08afbf8a9e5f101f7ea4550602c40d1050517abfff11aaeb9a90e1b2caea1
  7. e284a7329066e171c88c98be9118b2dce4e121b98aa418ae6232eaf5fd3ad521
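The appendices and the persistence section give a defender four kinds of indicator: package names, C&C domains, sample hashes, and the dropped component file names (core.bin, clib.so, android.bin, update.bin, app_exec, app_exec_watch_dog, app_exec_update). The block below is an added example that matches a host inventory and a DNS log against those indicators; it is not Check Point's code. The inventory, DNS log format (`<timestamp> <client_ip> <qtype> <qname>`) and sample lines are constructed; package names are compared case-insensitively because Appendix 1 mixes capitalisation.

```python
"""Match an app inventory, DNS log, file listing and hash list against the
Viking Horde indicators from the appendices and the component names from the
analysis. Added example, not Check Point's code; all sample data is constructed."""
import hashlib

# Appendix 1 package names, lower-cased for a forgiving comparison.
PACKAGE_IOCS = {
    "com.jump.vikingjump", "com.esoft.wifiplus", "com.fa.simple2048",
    "com.android.wifiman", "com.gospeed.memboost", "com.faandroid.flyingcopters",
}
# Appendix 2 C&C domains, kept defanged here; refang() restores the dots.
C2_DOMAINS_DEFANGED = {
    "www[.]adautoexchange[.]com", "www[.]adexchng[.]com",
    "www[.]adexchnge[.]com", "www[.]adexchangetech[.]com",
}
# Appendix 3 SHA256 digests of the infected executables.
SHA256_IOCS = {
    "85e6d5b3569e5b22a16245215a2f31df1ea3a1eb4d53b4c286a6ad2a46517b0c",
    "254c1f16c8aa4c4c033e925b629d9a74ccb76ebf76204df7807b84a593f38dc0",
    "ebfef80c85264250b0e413f04d2fbf9e66f0e6fd6b955e281dba70d536139619",
    "10d9fdbe9ae31a290575263db76a56a601301f2c2089ac9d2581c9289a24998a",
    "a13abb024863dc770f7e3e5710435899d221400a1b405a8dd9fd12f62c4971de",
    "1dd08afbf8a9e5f101f7ea4550602c40d1050517abfff11aaeb9a90e1b2caea1",
    "e284a7329066e171c88c98be9118b2dce4e121b98aa418ae6232eaf5fd3ad521",
}
# Component names the analysis says are dropped outside the app directory.
COMPONENT_NAMES = {"core.bin", "clib.so", "android.bin", "update.bin",
                   "app_exec", "app_exec_watch_dog", "app_exec_update"}


def refang(indicator):
    """Turn a defanged domain ('www[.]example[.]com') back into a real one."""
    return indicator.replace("[.]", ".")


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def match_packages(installed):
    """Return installed package names (as given) that match a known bad package."""
    return sorted(p for p in installed if p.lower() in PACKAGE_IOCS)


def match_dns(log_lines):
    """Return (timestamp, client, domain) for queries to a known C&C domain.
    Constructed line shape: '<ts> <client_ip> <qtype> <qname>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole scan
        ts, client, _qtype, qname = parts
        name = qname.rstrip(".").lower()
        if name in C2_DOMAINS:
            hits.append((ts, client, name))
    return hits


def match_files(paths):
    """Return paths whose base name is one of the dropped component names."""
    return sorted(p for p in paths if p.rsplit("/", 1)[-1] in COMPONENT_NAMES)


def match_hashes(digests):
    """Return the subset of hex SHA256 digests that are known samples."""
    return sorted(d.lower() for d in digests if d.lower() in SHA256_IOCS)


def sha256_hex(data):
    """Digest helper: hash a file's bytes before passing the result to match_hashes()."""
    return hashlib.sha256(data).hexdigest()


# Constructed inventory, log and file listing for a stand-alone run.
SAMPLE_PACKAGES = ["com.android.chrome", "Com.gospeed.memboost", "com.fa.simple2048"]
SAMPLE_DNS = [
    "1462522800 10.0.0.5 A www.adexchng.com.",
    "1462522801 10.0.0.5 A play.googleapis.com.",
    "malformed line",
]
SAMPLE_FILES = ["/sdcard/core.bin", "/sdcard/Pictures/img.jpg", "/data/app_exec_update"]

if __name__ == "__main__":
    print("packages:", match_packages(SAMPLE_PACKAGES))
    print("dns:", match_dns(SAMPLE_DNS))
    print("files:", match_files(SAMPLE_FILES))
    print("hashes:", match_hashes([sha256_hex(b"not a known sample")]))
```

Domain and file-name matches are weaker evidence than a hash hit (a legitimate file could be called update.bin), so treat them as triage leads to confirm with the hash list rather than as verdicts on their own.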
