RottenSys 事件分析報告
責編:mhshi |2018-03-21 12:00:25近期,CheckPoint公司發布中國地區多款安卓手機被安裝了一個被命名為“RottenSys”的手機惡意推廣軟件,包括華為、三星、小米、OPPO、VIVO、金立等手機。
360安全團隊在進行相關技術分析后,確認“RottenSys”主要是通過一家名為“Tian Pai”的電話分銷平臺來進行傳播的,攻擊者在該環節上通過“刷機”或APP(再root)的方式,在手機到達用戶手中前,在目標上安裝部分RottenSys應用程序,從而達到感染傳播的效果。
“RottenSys”在感染了國內眾多安卓手機后,會偽裝成“系統WIFI服務”等應用,并通過不定期給用戶推送廣告或指定的APP來獲取利益,給安卓手機用戶造成了一定的困擾。
感染趨勢
360安全團隊對“RottenSys”進行進一步的分析跟進后,統計了2018年1月1日到2018年3月15日,感染量總計185,317,相關信息如下:
- 相關控制域名的活躍度(跨度1年)
技術分析
目前有如下4種和“RottenSys”相關的應用程序存在:
其中自稱系統Wi-Fi服務(com.android.services.securewifi)不會向用戶提供任何Wi-Fi相關服務,實際上它是一個“下載器”并與其控制(C&C)服務器通訊,接受下載指令實施推廣服務,具體細節如下:
1.偽裝成系統服務進程,該惡意軟件實際上為普通應用程序,由于大多數普通用戶很難對這樣的偽裝做出正確判斷,因此惡意軟件的存活也就變得顯而易見。
2.巨大的敏感權限列表,其中包括像靜默下載這樣的權限,使得用戶很難察覺到惡意軟件的更新、推廣。
3.使用開源框架MarsDaemon、廣播等手段保證自身服務長期存活,即使用戶在設備關機重啟之后,惡意軟件也會很容易的啟動起來。
4.推遲操作,當用戶中招后在較長一段時間內嘗試接收、推送彈窗廣告,避免讓用戶立刻感知到。
5.惡意模塊通過云端下載,并且使用開源的輕量級插件框架Small,它能隱秘的進行惡意模塊加載,并且模塊之間代碼不相互依賴,這使得惡意推廣變得更加靈活。
此外,360進一步分析對比了該樣本在2016和2017年的兩個版本。
- 2016年5月份的版本(7bb8f11feb360d2835317bb93f44ab69)
主要行為:
- 軟件啟動
- 拷貝(googleuz,busybox,debuggerd,debuggerd64,glesva,install_recovery,googlegs,googlesy,libsupol,sdk,googlesq)到FileDir并提權為777
- 調用googleuz可執行文件,創建并寫install.sh提權為777。
- 判斷手機是否已經root,如果沒有則執行install.sh腳本
其中install.sh:把所有釋放的文件替換到系統 sdk.apk:發送心跳包,檢查更新時間,關閉com.qihoo360.mobilesafe,私自下載sample.apk,私自安裝,卸載,彈通知欄 glesva.jar:與服務器通信,上傳手機設備信息,檢查更新,檢查自己簽名,檢查sdk.apk信息,確認hash,簽名等并執行 install_recovery:執行googlegs googlesq:監控釋放的文件是否被刪除,刪除則再寫入 googlegs:執行googlesq
- 2017年3月份的版本(8e87e9b22dcb1dd4d5f4d92cd3a33e96)
“df”, “rfg”, “bm”, “gcgdd”拼接成dfm.zip
dfm.zip結構
- 版本變化
- 隱藏了busybox、googlesy、install_recovery.sh、libsupol.so文件
- glesva.jar功能與gleac.jar功能一致
- C&C: 版本1:http://www.sdkrsdk.com:880/apiv1 版本2:http://www.uuyttrtf.com:880/apiv1
IOC
部分C2:
- hxxp://120.24.17.143:5683/
- hxxp://monaesr.com:5683/
- hxxp://secendtoday.com:5683/
- hxxp://diokiy.com:5681/
- hxxp://romanout.com:5681/
樣本:
com.system.service.zdsgt
- ce75af9762d86be8a22bb9257e6d364d
- a7cfa030add526171b8e1eba0e03c452
- d047bb92224a24f38bef31bd3a0c352c
- c5e06fef54e8578f2cd37f570e24bb87
- 4ec7ca787b88921ca259b8e549331dd9
- 81479477e0316f969073e3b51530e9f6
- 0fd73dd2c891019e74fb55dde0c44254
- ea3fa0741edc318fbd1edf4bfdea84ef
- 2e27befd3af85c0f3238bb53bf3f9bee
- b95f01f543c078b888acb7d325c38f4b
- 540db9b2778f7134ddc109edbce90d9b
- 22e42c5393cc149deefa8f5a0d569712
- 980effdf94b17e9839c426a0f5ffee8b
- c0a9480502849890fb5c0f69bfa35df1
- af0e718e7f0a4793b11b92ce8ce73113
- 7a955280a3c530286a290a54e544291a
- 7c6a22556300e72c3a5ad633d9538bf9
- c5bfaf599f21e3a8ca396fa5025643a0
- 89c2c78f76baeef1eb380dee335f396b
- 0a3d784dcdb1d9b4ed6b77df11b496c7
- 0d44cfc4defeb5f73e518a2551b5fa30
- 1e7498d2b952142942c2f86b4d59d4f7
- 87d9afc59f0dca0ccf4e656c618bfb7f
- dee3aae3f9aac17786ce2896a4fb0286
- 5607239550f52ccbea300aa59869bf0b
- 6bb8e5534b795f2cb2f8b8b1056a1656
- 0f2ab581d34cf706f050849a24e55cbd
- ce8c37535384af5b66191bc1d1aabb44
- 940b16197895e9305588af80faaee5a0
- 4ff0196c3952e3abf60d93354b36ad00
- 9a06b3c4c16806e45f37ba74dacfc1ea
- 7199b4aa6fbcd6019ea5138ac1b803f2
- 43d185d83781d43ca77b0dbf54ee320f
- 070d9e2179141778536bf6bcfab8ed60
- 315fdfbe720e213db83a6a28cbbe91c1
- 5b38d72a6f25591f4c61d963f4c6f91c
- 4c34e9769c322a2660ea8f20872fb02f
- dc057fed8c7a9fed2ee2e287ebf60a47
- cbc98e799b96b2853c35b66606b9fb45
- 9bc417c9dff751f756cba85bacc0a38c
- 9bfbdf114870f817f5b7ee73724cfa2c
- 17010e9cf44ee7d4dca776625c0b5845
- 4839b5ffdd8893bab3eba3b17773a0b1
- 058fd3d9d6a596a4fe4dcbf18f82f403
- 8ac815ec57fba3caf4cb6ce6754e3d8f
- c70f9327296359d4dc273d595b8cfeca
- a29b71e28fa4906fea8aa5c8423a2357
- c34822f85085470547728897ad7bc28a
- 50de1a4f08c1860b539c2a812ca6bdff
- da7ce60e09dfffcb0f9d712cab8cffc6
- 2b37e1e5b3ec942bf2954779de563635
com.android.yellowcalendarz
- 4c9d6f77922b58557e914e01aff45957
- 8adc64bb66432580e33e2b78fc2ffa71
com.changmi.launcher
- f08d9a65e8d65c2cc105337965e24802
- 6f14742294c6d15a772e9fbef93279a4
- 2af1678d715e36c800452d0bc6823b3c
- c1c14aa8b4356bbf27aeb8b347d267c4
- dfc477fc57f2ddf873dcae40658638bc
- 89c4d26c1d01a8fcb3e2d489bb665c56
- 32fe1828fe3b35a4a47ba48d364fc985
- 9edcc211bfc571724a4b67898fc04525
- ba303c3b2d196016eb4aa9052055e078
- bd6d04bd6badfc1169fafe9f675d9670
- d35a316d764a06a9de64b6ed891f75d2
- 4e0246792d0cccb7fef68dedff748c82
- f3330371c2eb6b7d9d243fe95d98f103
- 77a146dcd7701a7f01fdd512d0c2b01e
- 0f646b1eef2c77e8e4bfe93e34e5e8bd
- 5e0d79af85e4a13284fdb7a5dc4f7b12
- 6c2c033dbe67e55460df11e6c8594030
- 9025e64deefe7b6503024ca70734ff48
- 89e57d1054902b760421cfa9a5381c6c
- 460c589664a8f6c744ebcbe61016fa43
- d57d00dd346bed3ad4eeb7ccf56a40da
- a05e1e3f3d24fcacf42a90f2fbaa9a6d
- 7e4362cf77055c54ac0b528baf50317a
- fc30433d46f47bed00b546790cd32b36
- 635cb3f3cdec9b6c8b8e577e260bf7fd
- 9bf71f2f5bcd43a0f77496e6db93cdf4
- e750ff841dacabd982596469a83ff820
- 2aadaaae282770e2b0278a68f175ca65
- a8aa361ed3a2f514f1e43ea5be4d900a
- 5ceb54a3484e3551352413d6946f2890
- 862a9f6d7e60838ace14fd39f66c2e71
- d0f9372f9ecf63e8f2572fc39981fda3
- f7b39d07053ae847132a583020d72d09
- 05b890cb7817a1024736c6ce3dfba51c
- a1db1f3da3ae315254ee9c77478e7825
- 8d608dd8f6818830d8162f28fb485c2d
- 24b1ddcdf75b4d7b723eb4afe03d0ef2
- f3a8b46dbfdbcc1ed6052763e12761f3
- 6b885306935bac930ea718866aafc0ad
- ca98ba770af6eca6bacdff0d1d853ba8
- 1cc17548f5b81b9e786a59f62f4b5bab
- e2a3a6792aa299be1a5200234049f8e0
- 69943807eec08e5a5bddf169e21e0ba2
- 815447c373f4c9ebb143d04e41cbe23e
- 16d58d92a3cd3e863712b7c53460a8f2
- 4829b2d351dfde0131bfa05e7b0fd54b
- 0829f9adef28c9b929bcdb21f1c53227
- 0b7f08886e1e44c8ebef462b8ed7d7fd
- 03c55651b475d2c708fb8c186f571d0d
- f324804e8fe1804a2236a4b8dcbe44e5
- 269f386068ffc89621fd66c8fe17997f
- eb7d09a9427405b0c18a4d52541ccb07
- cceae35f028ddc28e44606eb3f45ad10
- aed30dc3b5e3dd18719cf25bb9ff3a88
- 5c3f57f58bf29f7c8efc1961a709ceab
- e071b478749cbfbc3c3d8c21c4d8d826
- b8d43cddee376c52dfb03cb376ab1891
- 75d48f07ec196282ad3d1941413c7c8a
- 2be51668ced318e329f801da4d133c66
- 60e8166bf7c273be133c54cd903e563c
- bcac62a81d92958e3daa25baca0cbeae
- 0e60bdbacbb05a7d6086bfe78d55272e
- 3b05f10301d5657df466c641d54e547a
- 2ee68b9e4c8d00acbe6510b147e3548a
- b711ed8c57d34ae5d0ae3b6c8f729659
- c8cb414aa1a1e706864f491b39c72f48
- 9a47c5f887507bfaf990bd78cc0b585c
- 9c53e46b696ed8e7c2b11e65615f1e13
- d82724cdc56f49c61de96be96fc7b76e
- 88471f83a4bab72ad53fd74d46526499
- 3e6534797d6720d7f94adbdab75ffb10
- ae4d9899ef877cc516e79dab3ed608da
- 5cec87e2564469e3fce3a194da3c0e36
- c86bd098c90de64157e9ab80b3520de5
- 9ba591ad1369bc91de259deaad437b0b
- 8c126e1f814bb9931c977fd7ad1d970d
- e09176fc63156f1d9aca0474a3536dba
- ee84e167c32f3b961f60fd5eb7e19e1c
- bdf9168d7e7cdfe90c0481fe19cb7b1c
- 55394ad65b47f0dfad6019d7496f04ce
- f6c35277891179aaa90bfd6c73331fb9
- ccd2810d6e408596ee6b29aa3fd9301a
- 9dec4275b66425c1a7a7997ed3b896f0
- 9181fce62cb1bcfe53f60507d64a897c
- ba36f04898a6d99439162d141846865d
- b9eeee33c511cd0af1d947ea0d5c40d0
- 1bdf628cefd07ba8e15e58827a42d12c
- 88bf7d99b8458008cb949be820c46c9c
- 632878c26e9d5b27bcc36c18d2d6a0bc
- 381a9d4e75dfaaf29cf4b045cbad6eed
- 0ff692e295c1763917562226db4cfb7e
- c039c6fdab4859ff36f3d3a1022c4655
- f0102dc996ae9dafe10dcb68a26e4171
- 9b55a7e41df442bd806b47c48d805a1c
- 0f58559701ef537f440faa2dd967233e
- c068b06ad9fa1174430cfbc159322901
- f04ff303f58629e70c66f8b8245d5c65
- c30f97b375703349cdf943bb8ca41014
- e2612270c4e546b16c3eeff0dbd24e70
- 54d054dca6c35d029ccb8e955b5247a5
- fd871532d8f63408e332dbbfd879d59e
- ededafb4931881e9ecd9ec278f3bdffa
- 123d670398cda1aa9ac9277e7c04dd6c
- ea5b700ec854278a65141e16655d148b
- df828431ab70be4755bae9ded93ad374
- 2761107e627d67c4c6abf0489d8d9d71
- be9eb0270ec4fa7c86685cc46e773dee
- 5d70d1d0193cd550d85d634f35432aa5
- cb065225577477ba40c93d16811c2ffd
- 98cc57609d794b2037c2776a1f38ca4b
- 4d66cd3d0fc188cb1b2bed23a630c0ea
- 31cc9dc8f97ebc81516865c37711ef32
- 524a58ff4c7db8874c6a96803ffef77f
- 9f22aee6b8634cb5d7ef2067969b4afa
- 15181164028e29df1d13d4f884d9a6fe
- 4c5ca7231104beddaa8e368ea425b0e5
- 795756363873931637cf340a93823deb
- 2c074ea67afbfb2df073e9fa87f786fe
- c9040451902ada46c8359ecc60bc2adf
- 1613182760a2e9c88f33b685b8f9df13
- a324745eb52c996e2a7e2c34fd87586a
- fa68402f4f901811574726a3893f45db
- 109170526606c7df443bb9083c279db5
- cc8f7564ec15495e60b72ed14a5bc145
- 27fb26672df4a2e45c9d017fc088b40d
- 18e02d55bd1b65bbe10496b759fffbcd
- 02dd1f0bafd38b986146a6493f43455e
- 8d09a78739f3298cf7488ea9cb4b9bf4
- 8727ddf831ec50988c5fdaa37040d3da
- b4e19c9a830bc95a6cdea8ee28d312a3
- aa22416a189f50d124ecdeae37f7fa94
- 206c4da5e7f85f149d0d917033184bb1
- 895420a3ba5d503bc6fbbbd6e8c1fcbd
- 7dc05f36c348b7ac4ac7f4150696edef
- 34953b402eaa09f009d69952e4c64b45
- 369076dc5ca9356919c0434bfc2742fd
- 7444c4470b60263eee78a53f58b296c3
- 36fc1f72a9a643fdb13079a028ac80df
- 71cc14167e9f78cb184fc349ae73c8c9
- 73e53a478c8f41f21f9398e7b8258ad5
- 77e7f55f87a877601a08b163946f217c
- 6b03c9c500713c4eea110fd809b63732
- 5e8107ad981791e8f4010322c9ca5978
- 4aecaa5a756c6cab01f76912a62fc570
- d75d358b546fec5102a2ab0da2e5c2e5
- 9179808633d3ab86555b0f41f0ec7be2
- dc0d9d5550a2f8fe4fa7210ca81b7e64
- eb853add32138c126540d6886bed5242
- 2b53a9bd0ed3ef9a2fc5eb82061e3f2d
- 7042959f4b2150d47d320fc0a99b6067
- 4df0e3627cbff3739ed3bfc14f52a0c8
- 12157841d4460f3f06263e69cc4f82c9
- 9859e11bb323b0fa2689bbddff746ca8
- a41b6ab8fbfaa2b0d31bd833b94c843d
- 5218c558f8f7207d78734dbbf483be18
- 0b9ee77e156ee25f171f97ac86390896
- 0757ed3eec6e76ea5c492d69954e2fca
- 367950cbe2047cb28a1acb1ae90ee79f
- 379eb84cb2b9f00e28412a3eb425e573
- 364f1e35e6242ccb045340b370d1711d
- 5b14a39be9500c6d2848c91683e11e2b
- 509ebe703b8222f4cfb7e0340d157091
- 54935fd9d294c9b75171f4144060842e
- d144d1526ff372a6c95be3b8a6bc5f6d
- 539ab7405c08aa20bfc2a18b6c501450
- 9a30cee0034e50cba39c4e072ae557ef
- 57d07d9de9150ba762c576310b77f4c6
- ea70804a3adca661a17f4f20e4c1e7da
- e72316eef66de7ddf4ae5e52625e4d73
- b6113fa346e961b7cb5a0f0c307a3d10
- 0958563f345a30005c3a90e57e3f13f8
- a1899c45bfe3d3a0d9e9659bbeb1a063
- b7c69de6d0171a2f0436d1740f8a2503
- 9256b67bac7e961220b535e018824ef1
- 53a24cb5690bb50ede84409af736ca03
- e1025b2c0bc9fb4660a029bf888547e7
- 6a44bb9640d53c055daf880ba4801eec
- 0e907c2942c0776db2a95facd2231408
- 2b366acac79d799db7062183db8c3d3e
- 1bfd3cf1cd317e7db657dcdcc28e822c
- 0e7c97f1ed9c2236951bb3161eb69cd2
- c7e6dae0f213d425a0cb38c980b8645e
- a51584e4b47c777e1680847f28426a33
- 0bbfb1262c09158a48379608e794271d
- c53618c045b5a7e70f30a050e24e81a3
- e28dc632352f197e04614c3b8c2e3d42
- a18d4cdc7f650811e13c0a1cd85438ca
- a10241e7c0c8212304476747310956fa
- 1e61114e4b7d4b8784237ce7f7ca0c15
- fdedadf831679945173bbfee25da2a0a
- b100579adea4aed86a28e34f9c43947b
- 05a603715e37e3b25d5a9029cdb3f3b4
- 5958d3a1cff4c7ba29050027be7237b0
- 9fba39d48db0b6e093f6dfc271ae54d7
- 1babf2a4802a09cd686bb3319e989b8b
- 00008578b673f6611421655c7459a109
- e647de1a5e871036fb37722514e51b41
- af1966db13817c0f49bd5716dfd91769
- e31b27b6fcd41bd3219a2749c8baa906
- 864dd9db7a91db72185b5404bd38cbb1
- 8fcf92fa42d715a7ea7d0c844546c4ce
- caba1801c9c1ab6ee007a3495624a001
- 1a920df12bf08ba85f92c32e50a68db1
- 07bf29975662fbac2778a3f6370633b7
- 49d26e11952ae0751d5bf7dbb73631bc
- 5808113836861beb3e1b3feb61448a97
- 98b382223385e8c957e2f5715d6f6018
- ee9011028effb0dc5f6dbf622b996221
- f8fa306a851490a0b50667184fefc1ca
- 668bd760f1ace1fd02128962afc14a2f
- 46302a431908b02f77e392d801e73ff7
- 72cfaef1ea31b2d027f120f17c00aacc
- 60f97906a14ab4d63df5cdefca8c511e
- 2b8c58ec5178d999effb632700d3045d
- dcd6a8ca38a354cf03f1647fd3aa337c
- dbf61e628be3f98c5062994262aa0e03
- 9f32b0fc9ecb761e876d2ddc9696859d
com.android.services.securewifi
- 91ce627a14fe0b3f5778d2e315dbac6e
- 42d25f8019d25ef17575d56f24402626
- 2d00de0dac22da60b513ff01542c428b
- 3e5f2ed2041fc3817a255b30c02413ce
- 8e87e9b22dcb1dd4d5f4d92cd3a33e96
- 5ac9ed142573832c3bc783cc5d5d05ef
- 71e3460660ce04ef38b2a7ff33b3e5bb
- d1eea920320efeedc878290dfeec9806
FAQ
Q:為什么有的廠商感染量這么高,是什么原因?
A:廠商被感染量的高低主要取決于該廠商在“Tian Pai”平臺的出貨量,比如近兩年某廠商在該平臺的出貨量一直都是比較高,所以它也成了“RottenSys”感染的一個重要占比。
Q:“RottenSys”通過什么途徑感染到目標設備的?
A:“RottenSys”的感染途徑重要主要有兩個方式。一種是物理接觸方式的目標安卓設備刷機行為,黑產者通過物理接觸直接變更目標系統。另一種是軟件方式的安裝APP和進一步root目標設備來進行“RottenSys”感染。
報告編號: B6-2018-031902
報告來源: 360-CERT
報告作者: 360烽火實驗室,360-CERT, 360NetLab, 360VulpeckerTeam
更新日期: 2018-03-19
參考
https://research.checkpoint.com/rottensys-not-secure-wi-fi-service/
https://thehackernews.com/2018/03/android-botnet-malware.html
原文:https://cert.360.cn/report/detail?id=d16cf0e2a477d1f1013c7154ef4c2893