
Inject and wait for the result.
The spyware architecture relies heavily on process-based parallelism. The shell code is injected after a fork() call: the child process injects the shell code, executes it and exits, while the parent process waits up to five seconds for the shell code to complete before returning. Given the code flow, we assess with medium confidence that the injected shell code takes the content of “/data/system/.0” as a parameter.
The overall injection process uses ptrace() to control the target process and mmap() to map the code into it.

Overall injection flow.
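Two host-side checks for the ptrace()/mmap() pattern described above, as an added example (this is not code from the Talos post or from the implant). Because the injecting child exits once the shell code has run, TracerPid in /proc/<pid>/status is only non-zero during the brief attach window; the anonymous executable mapping that a remote mmap() leaves behind is the more durable artifact. Both the maps and status excerpts below are constructed so the script runs offline; on a device they would be read from /proc as root.

```python
import re

# Constructed /proc/<pid>/maps excerpt. The two regions with no backing file
# and an "x" bit are what a remote mmap() followed by a write of code leaves
# behind; the others are ordinary file-backed, data or kernel mappings.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1c200000-7f3a1c3b0000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so
7f3a1c3b0000-7f3a1c3c0000 r--p 001b0000 fd:00 1234 /system/lib64/libc.so
7f3a1c400000-7f3a1c401000 rwxp 00000000 00:00 0
7f3a1c500000-7f3a1c502000 r-xp 00000000 00:00 0
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
7ffd2a100000-7ffd2a102000 r-xp 00000000 00:00 0 [vdso]
"""

# Constructed /proc/<pid>/status excerpt captured while a tracer is attached.
SAMPLE_STATUS = "Name:\taudioserver\nState:\tt (tracing stop)\nPid:\t1337\nTracerPid:\t4242\n"

MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+(?P<inode>\d+)\s*(?P<path>.*)$")


def anonymous_exec_regions(maps_text):
    """Return (start, end, perms) for executable mappings that have no
    backing file and are not kernel pseudo-mappings such as [vdso].
    JIT code caches look the same, so treat hits as leads to dump and
    inspect rather than as a verdict on their own."""
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m or m.group("path").strip():   # file-backed or [stack]/[vdso]
            continue
        if "x" in m.group("perms"):
            hits.append((int(m.group("start"), 16), int(m.group("end"), 16),
                         m.group("perms")))
    return hits


def tracer_pid(status_text):
    """TracerPid from /proc/<pid>/status: non-zero only while a ptrace()
    tracer is attached."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return 0


def scan(maps_text, status_text):
    """Combine both checks into one report."""
    return {"tracer_pid": tracer_pid(status_text),
            "anonymous_exec": anonymous_exec_regions(maps_text)}


if __name__ == "__main__":
    # On a live process: open(f"/proc/{pid}/maps").read() and the same for status.
    print(scan(SAMPLE_MAPS, SAMPLE_STATUS))
```

The rwxp region is the stronger signal: code written and executed from one anonymous mapping is rare in legitimate processes, whereas r-xp anonymous regions also occur for JIT output and should be dumped and disassembled before drawing conclusions.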
Audio recording
This spyware can record audio from different sources by several means. It can record from the microphone and from earpiece- and VOIP-based calls, using deep-level techniques such as memcpy hooking inside audio-related processes, or, more simply, by creating a RECORD interface using the OpenSLES native library. This capability is spread across the two components and, like any other component, can be started from the Python environment loaded by PREDATOR.

Audio recorder command codes.
This capability's internal name is pc2. The screenshot above shows the preparation of the Python environment with the constants that will be used as commands between the ALIEN and PREDATOR modules. PREDATOR implements the native code that will be responsible for the communication with ALIEN, on one side, and exposes that code to the Python interpreter so it can be called from the tcore module.
ALIEN attempts to hook the following APIs in the audio libraries used by a process. The APIs are hooked using the xhook framework, and the hooks copy the source data handed to the legitimate APIs into a buffer allocated and specified by the spyware.

Hooks created in audio libraries using xhook.
Another set of interception measures deployed by ALIEN is the setting up of ioctl hooks and a recorder interface. These hooks intercept the operations requested by the recorder and copy the audio data into locations defined by the spyware.
These mechanisms target the audioserver process on the device and are meant to essentially record audio from the VOIP and voice recording interfaces. Although the whole infrastructure to enable voice recording is set up by ALIEN, it is primarily operated by PREDATOR, which is responsible for issuing commands to either start or stop recording. This is yet another example of the close relationship between ALIEN and PREDATOR to carry out essential malicious activities on the infected devices.
Adding certificates to the store
The spyware can also add certificates to the current user's trusted certificate authorities by writing the certificate authority's (CA) public certificate to the path “/data/misc/user/0/cacerts-added”, as shown below.

Even though the spyware has high privileges, it does not attempt to add the certificates at the system level. That kind of operation could interfere with the normal functioning of the device; some versions of Android would even require remounting the system partition read-write. If anything went wrong during TLS decryption at the system level, the device could become unstable and likely tip off the victim. From an attacker's perspective the risks outweigh the reward, since with a user-level certificate the spyware can still decrypt TLS traffic from the browser. The scope is narrower than a system CA, though: since Android 7.0, third-party applications trust user-added CAs only if their network security configuration opts in, so browser traffic is the realistic target.
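Whether a given app would accept a CA dropped into the user store depends on its res/xml/network_security_config.xml. The check below is an added example, not code from the Talos post or the implant: it reports the scopes in which user-added CAs are trusted (for all connections, for specific domains, or only in debuggable builds). The two configurations are constructed for the demo; an app with no configuration at all trusts only system CAs when it targets API 24 or later.

```python
import xml.etree.ElementTree as ET

# Constructed: user CAs are trusted for one domain and in debug builds only.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </domain-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user"/>
    </trust-anchors>
  </debug-overrides>
</network-security-config>
"""

# Constructed: the weak setting, user CAs trusted for every connection.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config>
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
</network-security-config>
"""


def _trusts_user(section):
    """True if any <certificates src="user"/> appears under this section."""
    return any(c.get("src") == "user" for c in section.iter("certificates"))


def user_ca_trust_scopes(xml_text):
    """Return the scopes in which user-added CAs are trusted:
    'base' for all connections, 'domain:<name>' per domain-config entry,
    and 'debug' for trust that applies only when android:debuggable is true.
    Nested domain-config elements are attributed to the outer entry's domains."""
    root = ET.fromstring(xml_text)
    scopes = []
    base = root.find("base-config")
    if base is not None and _trusts_user(base):
        scopes.append("base")
    for dc in root.findall("domain-config"):
        if _trusts_user(dc):
            for d in dc.findall("domain"):
                scopes.append("domain:" + (d.text or "").strip())
    dbg = root.find("debug-overrides")
    if dbg is not None and _trusts_user(dbg):
        scopes.append("debug")
    return scopes


if __name__ == "__main__":
    print(user_ca_trust_scopes(SAMPLE_CONFIG))
    print(user_ca_trust_scopes(WEAK_CONFIG))
```

A user-level CA installed by the spyware lets it intercept exactly the connections listed by this function plus those of browsers that consult the user store; an app whose result is an empty list is unaffected by the cacerts-added write.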
Application hiding and preventing execution on reboot
ALIEN reads the contents of “/data/system/.0” and uses them as input for establishing hooks in the Android runtime (ART) through a custom version of the YAHFA framework. The hooking works by loading an embedded DEX file contained in ALIEN with the InMemoryDexClassLoader class.

Embedded DEX in ALIEN
The customized version inside the DEX contains what appears to be a plugin, named “com.jnative.pluginshideapp”, which installs hooks for the following Package Manager methods:
• getInstalledApplications
• getInstalledPackages
• queryIntentActivitiesInternal
• queryIntentReceiversInternal

Malicious plugins with Hooks defined for Package Manager APIs.
The DEX file uses these hooks for two purposes:
• Hiding applications/packages: the plugin can filter a specific package/application name out of the list of installed packages and applications.
• Preventing execution on reboot: the plugin can also filter specific names out of the list of packages/applications to be run when the BOOT_COMPLETED intent is received via broadcast.

Filtering of applications and packages based on their “packageName” field.
To filter the application/package lists for hiding or disabling them on reboot, the DEX file hooks the original API calls and replaces them with its own code. Every time a hooked method is called, the custom code checks the list against its own list of names to hide and removes any matching application or package names. The original API is then called with the filtered list as its argument.
The code we analyzed only implements this for the BOOT_COMPLETED broadcast, which prevents an application from starting after reboot. The same method could be applied to other broadcasts, altering the behavior of other applications in the process. For example, it could do the same for the SMS_RECEIVED broadcast, preventing SMS messages from reaching the user. This would be a more aggressive interception method than the more common technique of installing an application that receives SMS_RECEIVED broadcasts with higher priority.
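Because the hooks above filter what PackageManagerService returns, `pm list packages` and every app that calls getInstalledPackages() see the filtered view. The on-disk registry /data/system/packages.xml is written by the service itself and is not filtered, so reading it as root (or from a forensic image) and diffing it against the API view exposes a hidden package. The script below is an added example, not code from the Talos post or the implant; both inputs are constructed, including the placeholder package name com.example.hidden.

```python
import xml.etree.ElementTree as ET

# Constructed packages.xml, trimmed to the attributes this check needs.
SAMPLE_PACKAGES_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<packages>
  <package name="com.android.chrome" codePath="/data/app/com.android.chrome-1" userId="10101"/>
  <package name="com.example.notes" codePath="/data/app/com.example.notes-1" userId="10145"/>
  <package name="com.example.hidden" codePath="/data/app/com.example.hidden-1" userId="10199"/>
</packages>
"""

# Constructed output of `adb shell pm list packages`, which goes through the
# hooked getInstalledPackages() path and therefore omits the hidden entry.
SAMPLE_PM_LIST = """\
package:com.android.chrome
package:com.example.notes
"""


def packages_from_xml(xml_text):
    """Package names recorded in the on-disk registry."""
    root = ET.fromstring(xml_text)
    return {p.get("name") for p in root.iter("package") if p.get("name")}


def packages_from_pm_list(text):
    """Package names as reported through the (possibly hooked) API."""
    return {line[len("package:"):].strip()
            for line in text.splitlines() if line.startswith("package:")}


def hidden_packages(xml_text, pm_text):
    """Packages present on disk but missing from the API view, sorted."""
    return sorted(packages_from_xml(xml_text) - packages_from_pm_list(pm_text))


if __name__ == "__main__":
    print(hidden_packages(SAMPLE_PACKAGES_XML, SAMPLE_PM_LIST))
```

On Android 12 and later packages.xml is stored in the binary ABX encoding; convert it with the platform's abx2xml tool before feeding it to this script. A package present in the registry and in /data/app but absent from the API view is exactly the footprint the getInstalledPackages hook produces.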
Get system information
The spyware uses a variety of sources to gather information about the system. It enumerates various directories on the file system and reads multiple files to extract as much statically available data as possible from the infected device.
Enumerating directories
The ALIEN implant first gets the device manufacturer name from the system property “ro.product.manufacturer” and checks it against a hardcoded list:
• Samsung
• Huawei
• Oppo
• Xiaomi
If any of these manufacturers' names match, it will recursively enumerate the contents of the following directories on disk:
Getting Configuration Data
The implant gathers configuration information, but it also collects contacts, call and messaging data by copying the content of the files listed below.
The implant will again check for the manufacturer names and then read data from the following files:
• /data/misc/wifi/.WifiConfigStore.xml
• /data/local/tmp/wd/WifiConfigStore.xml
• /data/data/com.android.providers.contacts/databases/contacts2.db-wal
• /data/data/com.android.providers.media/databases/contacts2.db-wal
• /data/data/com.android.providers.contacts/databases/contacts2.db-shm
• /data/data/com.android.providers.media/databases/contacts2.db-shm
• /data/data/com.android.providers.contacts/databases/contacts2.db
• /data/data/com.android.providers.media/databases/contacts2.db
• /data/data/com.android.providers.contacts/databases/calls.db-wal
• /data/data/com.android.providers.media/databases/calls.db-wal
• /data/data/com.android.providers.contacts/databases/calls.db-shm
• /data/data/com.android.providers.media/databases/calls.db-shm
• /data/data/com.android.providers.contacts/databases/calls.db-journal
• /data/data/com.android.providers.media/databases/calls.db-journal
• /data/data/com.android.providers.contacts/databases/calls.db
• /data/data/com.android.providers.media/databases/calls.db
• /data/data/com.android.providers.telephony/databases/mmssms.db-wal
• /data/data/com.android.providers.media/databases/mmssms.db-wal
• /data/data/com.android.providers.telephony/databases/mmssms.db-shm
• /data/data/com.android.providers.media/databases/mmssms.db-shm
• /data/data/com.android.providers.telephony/databases/mmssms.db
• /data/data/com.android.providers.media/databases/mmssms.db
The content obtained is written to “/data/local/tmp/wd/” before being exfiltrated. This is a low-level method of collecting information: spyware with fewer privileges on the system usually uses the Android framework APIs to collect such data, but that route requires the user to grant the corresponding permissions.
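The -wal and -shm entries in the list above are not incidental. Android's content providers run SQLite in write-ahead-log mode, so rows committed since the last checkpoint exist only in the -wal file; an implant (or a forensic examiner) that copies contacts2.db alone misses the most recent contacts, calls and messages. The demonstration below is an added example, not code from the Talos post or the implant: it builds a WAL-mode database in a temporary directory, copies it both ways while the writer's connection is still open (closing the last connection would checkpoint and delete the WAL), and counts what each copy can see.

```python
import os
import shutil
import sqlite3
import tempfile


def snapshot_row_counts(workdir=None):
    """Create a WAL-mode database whose rows are still un-checkpointed, copy
    it once as the .db alone and once with its -wal/-shm companions, and
    return (rows seen from .db only, rows seen from .db plus WAL)."""
    workdir = workdir or tempfile.mkdtemp(prefix="walsnap-")
    src = os.path.join(workdir, "calls.db")

    con = sqlite3.connect(src)
    con.execute("CREATE TABLE calls (number TEXT, duration INTEGER)")
    con.commit()                                  # schema lives in the main file
    con.execute("PRAGMA journal_mode=WAL")
    con.executemany("INSERT INTO calls VALUES (?, ?)",     # constructed rows
                    [("+15550100", 42), ("+15550101", 7), ("+15550102", 301)])
    con.commit()                                  # committed, but only into calls.db-wal

    only_db = os.path.join(workdir, "only_db")
    with_wal = os.path.join(workdir, "with_wal")
    os.makedirs(only_db)
    os.makedirs(with_wal)
    shutil.copy(src, only_db)                     # what a naive .db-only copy gets
    for suffix in ("", "-wal", "-shm"):           # what the implant's list gets
        if os.path.exists(src + suffix):
            shutil.copy(src + suffix, with_wal)
    con.close()                                   # now the provider side may checkpoint

    def count(path):
        c = sqlite3.connect(path)
        n = c.execute("SELECT COUNT(*) FROM calls").fetchone()[0]
        c.close()
        return n

    return (count(os.path.join(only_db, "calls.db")),
            count(os.path.join(with_wal, "calls.db")))


if __name__ == "__main__":
    print(snapshot_row_counts())
```

The -shm file is only the shared-memory index and is rebuilt on open, so it is harmless but not required; the -wal file is what carries the data. The -journal name in the calls.db entries belongs to databases still using a rollback journal: a leftover "hot" journal there holds the pages needed to undo an interrupted write, and SQLite rolls it back on the next open.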
Coverage
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance, and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
IOCs
Indicators of Compromise associated with this threat can be found here.