This LuckyCat won't bring you any luck
Dell SonicWALL UTM research team received reports of a new prevalent Android Backdoor Trojan spreading in the wild. When executed, the Trojan reads and writes to the file system, sends device information to a remote server and opens a backdoor. The backdoor gives the attacker remote access to the device while remaining undetected, thus bypassing the whole security mechanism of the Android device.
The application requests the following permissions from the user:
- Read Phone State
- Access Internet and WiFi State
- Read owner Data
- Write to external storage
Upon installation the application sits on the device as testService. When clicked the application simply displays a message "Service Start Ok" and it appears to the user as being idle but performs malicious activities in the background.
Flow of the application
The flow of the application is as below:
A brief explanation of each of the critical components is discussed below:
- Command and Control
Among the components present in the code, two specific components give an indication of what the application does.
CMainControl contains the configuration, logic and rules of how the application behaves on the victim's device. It contains the following C&C (Command and Control) commands:
- AR_DIRBROSOW - Browse through the directories of the device
- AR_FILEDOWNLOAD - Download a file from the device
- AR_FILEUPLOAD - Upload a file on the device
- AR_ONLINEREPORT - Send some sort of report to the C&C about the device
- AR_REMOTESHELL - Spawn a remote shell which C&C can use to interact with the device
It has the following hardcoded C&C domain and port:
- Reporting module
The function mSendReport uses the IP address and phone number in its reporting feature. This function adds the string ejsi2ksz into an array and appends the phone number and IP address to it. Lastly it appends the number 369 at the end of this string.
- SIM state grabbing module
The application can capture and send SIM related information; this can be seen in the code below:
The table below translates the different states of the SIM which are identified.
- Encryption mechanism
The application uses an encryption mechanism to encrypt the communication between itself and the server. It performs XOR using two specific values, 0x5 and 0x27.
When we run the application after installation we simply see a "Service Start Ok" message. However, in the background the application connects to greenfuns.332.org on port 54321, sends back information about the device and listens for commands which may be issued by the server.
We intercepted the information which is sent by the application to the server; it is shown below:
Similar to what was discovered in the code, the application sends the phone number (15555215554) and the IP address (127.0.0.1) of the infected device. It prepends the string ejsi2ksz and appends 369 to the information.
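As an added triage helper (not code from the advisory or from the malware), the following Python reconstructs the report format described for mSendReport and tries candidate readings of the "XOR using 0x5 and 0x27" scheme against a captured payload, returning which one yields a well-formed report. The advisory does not state how the two fields are delimited or the exact XOR layout, so the "|" separator and the two XOR variants are assumptions; the sample payload is constructed from the phone number and IP address quoted above.

```python
import re

# Values stated in the advisory: report marker, trailing number, XOR keys.
MARKER, SUFFIX, KEYS = b"ejsi2ksz", b"369", (0x05, 0x27)
# Assumption: phone and IP are separated by "|"; the real delimiter is not given.
FIELD_RE = re.compile(rb"(\+?\d{5,15})\|((?:\d{1,3}\.){3}\d{1,3})")

def build_report(phone, ip):
    """Mirror of mSendReport as described: MARKER + phone + ip + SUFFIX."""
    return MARKER + phone.encode() + b"|" + ip.encode() + SUFFIX

def xor_alternating(data):
    """Candidate scheme A (assumed): byte i is XORed with KEYS[i % 2]. Self-inverse."""
    return bytes(b ^ KEYS[i % len(KEYS)] for i, b in enumerate(data))

def xor_chained(data):
    """Candidate scheme B (assumed): every byte is XORed with 0x05 and then 0x27."""
    for k in KEYS:
        data = bytes(b ^ k for b in data)
    return data

# Candidate interpretations of the XOR step; unencrypted traffic is tried last.
SCHEMES = [("alternating", xor_alternating), ("chained", xor_chained),
           ("plain", lambda d: d)]

def decode_report(blob):
    """Triage a captured payload: try each candidate decoding and return
    (scheme, phone, ip) for the first one that yields a well-formed report,
    or None when none match (i.e. not this backdoor's report traffic)."""
    for name, fn in SCHEMES:
        text = fn(blob)
        if text.startswith(MARKER) and text.endswith(SUFFIX):
            m = FIELD_RE.fullmatch(text[len(MARKER):-len(SUFFIX)])
            if m:
                return name, m.group(1).decode(), m.group(2).decode()
    return None

# Constructed sample using the phone number and IP address quoted in the advisory.
SAMPLE = xor_alternating(build_report("15555215554", "127.0.0.1"))

if __name__ == "__main__":
    print(decode_report(SAMPLE))  # → ('alternating', '15555215554', '127.0.0.1')
```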
Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV:Luckycat.A (Trojan)