Tuesday, March 17, 2015

Remote administration trojan using Baidu Cloud Push service



I recently discovered a remote administration trojan (RAT). There is nothing remarkable about the trojan itself, but it is the first one I have seen that communicates with its server through Baidu Cloud Push notifications.
Baidu Cloud Push service is similar to Google Cloud Messaging (GCM): it lets a server send data to users' Android-powered devices and receive messages from those devices over the same connection. This trojan appears to be the first one discovered using this technique; GCM, by contrast, was first used in malicious applications in 2013, as detected by Kaspersky Lab.

It can take complete control of your device. The trojan is capable of recording audio from the microphone, sending SMS, making phone calls, deleting files, downloading files, obtaining location, etc. It can collect all of your personal information, including SMS, contacts and camera pictures, and upload it to Baidu Cloud Storage (BCS).

I found and analyzed more variants; most of them pose as legitimate software, and some are trojanized versions of existing applications. Based on the strings found inside and on the legitimate apps repacked with this trojan, the malware is aimed mainly at Chinese- and Korean-speaking countries.

The detection rate for this application isn't very high. When it was first uploaded to VirusTotal it wasn't detected by any anti-malware company (FUD).


Fully undetectable (FUD)



To this day the detection rate for this sample hasn't improved. The malware is detected as Android/Cajino.A trojan.


Detection after 5 months



Another interesting fact is that this trojan is still available for download from many third-party Android application markets.
The first upload was on 18.09.2014, to a lot of third-party markets by the same developer. All of the apps he uploaded to these markets are infected with this backdoor. This developer also has a developer account on Google Play, so he probably tried to upload it to Google Play too.


Infected apps by Android/Cajino on third party stores
Infected applications


Based on the market download counters, it has nearly 2400 downloads on two third-party markets.

Most of the applications uploaded on those markets are fake apps; only a few of them are infected with this trojan.




Code analysis



After launching, the malware looks like a regular application that, right after start, asks you to update to a new version.





But it doesn't matter whether you choose yes or no, because no update will be downloaded: there is no functionality defined behind those buttons.


Update function not defined


In other cases an app-name-related URL is loaded in a WebView.
That is all a user can expect to see; the more suspicious behavior is behind the curtain.

After start, the push registration binds the push service through the onCreate method of the MainActivity, and a receiver is registered to handle the push messages.


Receiver for processing the push messages


The class PushMessageReceiver takes care of messages received from the server, but it first checks whether the received message contains the string "all" or the device's unique identifier (IMEI). Based on that, received commands are executed either on all bots or only on the one specified by IMEI.


First check




The trojan can respond to 11 commands received from the server.
  • photo - uploads photos from your gallery
  • contact - uploads phone contacts
  • call_log - uploads call history
  • upload_message - uploads text messages
  • location - uploads the location of the user's device
  • send_message - sends a text message
  • phone - uploads phone info including the phone number
  • list_file - uploads the paths of files on external storage
  • upload_file - uploads a file from the device by path
  • delete_file - deletes a file by path
  • download - downloads a file
  • call_number - makes a phone call
  • record - records the microphone for a designated period of time and uploads the recording
  • combine - combination of four commands (phone, contact, call_log, upload_message)
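The receiver check and the command vocabulary above give an analyst a cheap static signature. The following is an added example (not the author's tooling or the malware's code) that triages a string table extracted from an APK: it looks for the Baidu Push receiver class, the "all"/IMEI bot selector, the staging directory and the command names listed above. The Baidu SDK class name (com.baidu.android.pushservice.PushMessageReceiver) and the use of TelephonyManager.getDeviceId() for the IMEI are assumptions; the two string tables are constructed, not real extraction output.

```python
"""Static triage of an APK string table for the Baidu-push RAT traits the
post describes.  Added example; the SDK class name and IMEI API are assumed."""

# Command names exactly as listed in the post.
RAT_COMMANDS = {
    "photo", "contact", "call_log", "upload_message", "location",
    "send_message", "phone", "list_file", "upload_file", "delete_file",
    "download", "call_number", "record", "combine",
}
# Underscore forms (and "combine") rarely occur by chance in a benign app,
# unlike "phone", "download" or "record"; only these count towards the verdict.
STRONG_COMMANDS = {c for c in RAT_COMMANDS if "_" in c} | {"combine"}

# Assumption: the Baidu Push SDK receiver base class, in dotted form.  Dex
# descriptors such as "Lcom/baidu/.../PushMessageReceiver;" are normalised.
BAIDU_PUSH_RECEIVER = "com.baidu.android.pushservice.PushMessageReceiver"
# Assumption: the IMEI used as bot selector comes from TelephonyManager.getDeviceId().
IMEI_API = "getDeviceId"
# Staging directory named in the post.
STAGING_DIR = "/mnt/sdcard/DCIM/Camera/"


def triage(strings):
    """Return a report dict for one APK's string table."""
    raw = set(strings)
    dotted = {s.replace("/", ".") for s in raw}
    commands = sorted(RAT_COMMANDS & raw)
    strong = sorted(STRONG_COMMANDS & raw)
    indicators = {
        "baidu_push_receiver": any(BAIDU_PUSH_RECEIVER in s for s in dotted),
        "bot_selector": "all" in raw and any(IMEI_API in s for s in raw),
        "staging_dir": any(STAGING_DIR in s for s in raw),
    }
    # A push receiver alone is normal for any app built on the Baidu SDK; the
    # verdict needs the command vocabulary plus one of the RAT-specific traits.
    suspicious = (
        indicators["baidu_push_receiver"]
        and len(strong) >= 4
        and (indicators["bot_selector"] or indicators["staging_dir"])
    )
    return {
        "verdict": "suspicious" if suspicious else "clean",
        "commands": commands,
        "strong_commands": strong,
        "indicators": indicators,
    }


# Constructed string tables (not real extraction output).
SAMPLE_RAT_STRINGS = [
    "Lcom/baidu/android/pushservice/PushMessageReceiver;",
    "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;",
    "all", "photo", "contact", "call_log", "upload_message", "location",
    "send_message", "phone", "list_file", "upload_file", "delete_file",
    "download", "call_number", "record", "combine",
    "/mnt/sdcard/DCIM/Camera/",
]
# A benign app using the same push SDK, with a few common words that happen
# to collide with the weak command names.
SAMPLE_BENIGN_STRINGS = [
    "Lcom/baidu/android/pushservice/PushMessageReceiver;",
    "download", "phone", "location", "record", "Settings", "Share",
]

if __name__ == "__main__":
    for name, table in (("rat", SAMPLE_RAT_STRINGS), ("benign", SAMPLE_BENIGN_STRINGS)):
        print(name, triage(table))
```

The rule deliberately refuses to flag an app on the receiver class alone, since every legitimate Baidu Push user ships it; the underscore command names and the staging path are what separate this family from ordinary push clients.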





All of the requested information is first stored in a file (/mnt/sdcard/DCIM/Camera/%file_name%), then uploaded to Baidu Cloud Storage (BCS) and removed from the device.
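The stage-upload-delete sequence on that path is a behavioural pattern a device monitor can look for. Below is an added example (not the author's code) that scans a process-level event log for a file created under /mnt/sdcard/DCIM/Camera/ by a process that then opens a network connection and deletes the same file within a short window. The log format, the five-minute window and the host names are constructed for illustration and do not correspond to any real tool's output.

```python
"""Behavioural check for the staging pattern the post describes: write under
/mnt/sdcard/DCIM/Camera/, upload, delete the local copy.  Added example with a
constructed event-log format."""
from datetime import datetime, timedelta
import re

STAGING_DIR = "/mnt/sdcard/DCIM/Camera/"
WINDOW = timedelta(minutes=5)  # assumed: stage, upload and delete happen close together

# Constructed format: "<date> <time> <KIND> pid=<n> path=<p>|host=<h>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<kind>FILE_CREATE|NET_CONNECT|FILE_DELETE) "
    r"pid=(?P<pid>\d+) (?P<key>path|host)=(?P<val>\S+)$"
)


def parse(lines):
    """Parse log lines into dicts, dropping lines outside the constructed format."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "kind": m["kind"], "pid": m["pid"], "val": m["val"],
        })
    return sorted(events, key=lambda e: e["ts"])


def find_staging_exfil(lines):
    """Return one alert per staged file that the same process deleted after a
    network connection, all within WINDOW of the file's creation."""
    alerts = []
    staged = {}     # (pid, path) -> FILE_CREATE event
    connected = {}  # pid -> most recent NET_CONNECT event
    for ev in parse(lines):
        if ev["kind"] == "FILE_CREATE" and ev["val"].startswith(STAGING_DIR):
            staged[(ev["pid"], ev["val"])] = ev
        elif ev["kind"] == "NET_CONNECT":
            connected[ev["pid"]] = ev
        elif ev["kind"] == "FILE_DELETE":
            created = staged.pop((ev["pid"], ev["val"]), None)
            conn = connected.get(ev["pid"])
            # The connection must fall between create and delete, and the
            # whole sequence must fit in the window.
            if (created and conn
                    and created["ts"] <= conn["ts"] <= ev["ts"]
                    and ev["ts"] - created["ts"] <= WINDOW):
                alerts.append({"pid": ev["pid"], "path": ev["val"], "host": conn["val"]})
    return alerts


# Constructed sample log: two staging sequences by pid 2231, a camera app
# that keeps its photo, and a temp file outside the staging directory.
SAMPLE_LOG = [
    "2015-03-17 10:01:02 FILE_CREATE pid=2231 path=/mnt/sdcard/DCIM/Camera/contact.txt",
    "2015-03-17 10:01:03 NET_CONNECT pid=2231 host=cloud-storage.example",
    "2015-03-17 10:01:05 FILE_DELETE pid=2231 path=/mnt/sdcard/DCIM/Camera/contact.txt",
    "2015-03-17 10:02:10 FILE_CREATE pid=1870 path=/mnt/sdcard/DCIM/Camera/IMG_0042.jpg",
    "2015-03-17 10:02:11 NET_CONNECT pid=1870 host=photos.example",
    "2015-03-17 10:03:00 FILE_CREATE pid=2231 path=/mnt/sdcard/Download/update.apk",
    "2015-03-17 10:03:01 FILE_DELETE pid=2231 path=/mnt/sdcard/Download/update.apk",
    "2015-03-17 10:04:00 FILE_CREATE pid=2231 path=/mnt/sdcard/DCIM/Camera/rec.amr",
    "2015-03-17 10:04:30 NET_CONNECT pid=2231 host=cloud-storage.example",
    "2015-03-17 10:04:31 FILE_DELETE pid=2231 path=/mnt/sdcard/DCIM/Camera/rec.amr",
]

if __name__ == "__main__":
    for alert in find_staging_exfil(SAMPLE_LOG):
        print(alert)
```

Keying on the process as well as the path keeps a camera app that writes to DCIM/Camera and a sync client that uploads from it from being correlated with each other; only the process that both stages and deletes the file trips the rule.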

I contacted the third-party markets that still have this application available for download. I hope they will soon pull it off the market.



Sample info

MD5:
39581735EE24D54F93C8C51D8C39B506
9342B4ECBB7EB045EDCDB6E0E339E415
5F385407A0E547F809AC4BE8B1119B04
B3814CA9E42681B32DAFE4A52E5BDA7A


5 comments:

  1. Eset was the first one who discovered it ;)

  2. I'm one of the victims .. i didn't download any thing from third party .. However I got Baidu and LenovoReaper.. the Baidu Push service is sending me vulgar messages .. I would be very happy, if u could tell me how to get rid of these viruses. I'm using Trust Lock anti virus ..
    Thank you

    Replies
    1. Hi, this malware was also available to download from Google Play, not only third party stores. Try to scan your device once again by e.g. https://play.google.com/store/apps/details?id=com.eset.ems2.gp it should detect suspicious behavior.

  3. Same issue with Baidu Bair Push and Lenovo Reaper. Eset does not detect either, I need a fix.