In our previous post we were looking at the newly detected Trojan SpyDealer which is able to spy on more than 40 communication apps in your Android device. Let's have a look at the detailed technical analysis of this case today. (Credits: Palo Alto)
- Service Launching and Configuration:
After installed on an Android device, SpyDealer shows no application icon. However, it registers two broadcast receivers to listen for events related to the device booting up and network connection status. At the first launch, it retrieves configuration information from the local asset file named readme.txt. The first line of this file indicates the IP address of a remote C2 server, the second line configures what actions the malware can take on mobile networks, and the third line specifies what actions are allowed under a Wi-Fi network.
 |
| Fig 1. Content of the readme.txt |
SpyDealer uses two different rooting procedures to gain root (superuser) privilege. Rooting applications like this one are created for users who want to gain low-level access to their phone which wouldn’t be possible without removing some security protections. This is not the first time that Android malware has stolen root exploits from existing commercial rooting tools. SpyDealer 1.9.1 and 1.9.2 gain root privilege by abusing “Baidu Easy Root”.
The downloaded file “raw.zip” contains the exploits from “Baidu Easy Root” version 2.8.3. For example, 022d251cf509c2f0 is an executable binary file observed in the “raw.zip”, and the original file in “Baidu Easy Root” is actually in gzip format. It’s interesting that we can recover its original file name which is fb_mem_root.
 |
| Fig 2. Files in the downloaded raw.zip and Baidu Easy Root v2.8.3 |
SpyDealer is capable of receiving commands from remote servers via a number of different channels by either actively initiating connections to C2 servers or passively receiving instructions from C2 servers. These channels include via SMS, UDP and TCP connections. This section details how the malware utilizes each of these channels to communicate with the remote C2 servers.
SpyDealer registers a broadcast receiver with a higher priority than the default messaging app to listen for the commands via incoming SMS messages. The commands received through SMS are first decoded for further parsing and processing. Each SMS command contains a command index and arguments split by a newline. The command index ranges from 1 to 5 and each command is detailed in below table.
 |
| Fig 3. SMS Command List |
To get the geographical location based on the GSM cell information, SpyDealer takes advantage of the interface of Baidu map service. It first collects the GSM cell identity, area code and network operator and then posts the encoded data to the Baidu map service to retrieve the geographical location. With this tactic, a compromised device’s location is exposed to the attacker even there is no GPS available.
 |
| Fig 4. Utilize the interface of Baidu map service to get geographical location |
Besides the commands listed above, SpyDealer can also set the remote server’s IP address under the following two conditions:
- The length of the command index received in the SMS (Table 3) is larger than 4, then the command index is actually the remote server’s IP address
- The incoming SMS message body starts with the string “L112 ” which is followed by the remote server’s IP address
SpyDealer creates a TCP server on the compromised device listening at port 39568 and waits for incoming commands. The command format and description are listed below table:
 |
| Fig 5. Commands via TCP channel |
However, there is no authentication mechanism implemented before accepting the incoming commands, which means anyone can connect to a compromised device and control it as long as one knows the target device’s IP address.
SpyDealer can also actively connect to the remote server with the configured IP address to ask for commands through UDP or TCP. At first launch, the remote server’s IP address is retrieved from the local asset readme.txt, and the use of UDP or TCP protocols is determined based on another local asset named socket. The command data received by the client is encrypted by the server using Tiny Encryption Algorithm (TEA) Once the client receives a command, the malware decrypts the data.
 |
| Fig 6. TEA algorithm used to decrypt incoming comman |
As discussed in section Command & Control, we have seen this malware employ many mechanisms to collect private data. Additionally, with root privilege, SpyDealer also tries to gather data from more than 40 common apps falling in different categories including social, communication, browser, mobile mail client, etc. The targeted apps are listed in the below table:
List full of targeted apps
ID
|
Package Name
|
App Name
|
1
|
com.facebook.katana
|
Facebook
|
2
|
com.tencent.mm
|
WeChat
|
3
|
com.whatsapp
|
WhatsApp
|
4
|
com.skype.raider/com.skype.rover
|
Skype
|
5
|
jp.naver.line.android
|
Line
|
6
|
com.viber.voip
|
Viber
|
7
|
com.tencent.mobileqq
|
QQ
|
8
|
org.telegram.messenger
|
Telegram
|
9
|
com.alibaba.mobileim
|
Ali WangXin
|
10
|
kik.android
|
Kik
|
11
|
com.icq.mobile.client
|
icq video calls & chat
|
12
|
com.keechat.client
|
KeeChat Messenger
|
13
|
com.oovoo
|
ooVoo Video Call, Text & Voice
|
14
|
com.instanza.cocovoice
|
Coco
|
15
|
com.bbm
|
BBM
|
16
|
com.gtomato.talkbox
|
TalkBox Voice Messenger
|
17
|
com.rebelvox.voxer
|
Voxer Walkie Talkie Messenger
|
18
|
com.immomo.momo
|
MOMO
|
19
|
com.zing.zalo
|
Zalo
|
20
|
com.loudtalks
|
Zello PTT Walkie Talkie
|
21
|
com.duowan.mobile
|
手机YY
|
22
|
im.yixin
|
易信
|
23
|
cn.com.fetion
|
飞信
|
24
|
com.sgiggle.production
|
Tango
|
25
|
com.renren.mobile.android
|
人人
|
26
|
net.iaround
|
遇见
|
27
|
com.sina.weibo
|
Sina Weibo
|
28
|
com.tencent.WBlog
|
Tencent Weibo
|
29
|
org.mozilla.firefox
|
Firefox Browser
|
30
|
com.oupeng.browser
|
Oupeng Browser
|
31
|
com.android.browser
|
Android Native Browser
|
32
|
com.baidu.browser.apps
|
Baidu Browser
|
33
|
com.tencent.mtt
|
Tencent QQ Browser
|
34
|
com.lenovo.browser
|
Lenovo Browser
|
35
|
com.qihoo.browser
|
Qihoo Browser
|
36
|
com.taobao.taobao
|
Taobao
|
37
|
com.netease.mobimail
|
NetEase Mail
|
38
|
com.tencent.androidqqmail
|
Tencent QQ Mail
|
39
|
com.corp21cn.mail189
|
189 Mail
|
40
|
cn.cj.pe
|
139 Mail
|
41
|
com.baidu.netdisk
|
Baidu Net Disk
|
42
|
com.l
|
Smart Shopping List – Listonic
|
43
|
com.dewmobile.kuaiya
|
Zapya
|
44
|
com.funcity.taxi.passenger
|
Kuaidi Taxi
|
- Accessibility Service Abuse
An increasing number of apps encrypt data before storing it into databases, especially for some popular communication and social apps. App developers do this to protect user data from malicious attacks like this one. To avoid this obstacle, starting in version 1.9.3, SpyDealer implemented an extra accessibility service to steal plain messages by directly extracting texts from the screen.
 |
| Fig 7. Configuration of the accessibility service |
SpyDealer is capable of surveilling a compromised victim through multiple means including recording phone call and surrounding audio, recording video, taking photos, capturing screenshots, and monitoring geographical locations. It takes these actions based on commands it receives from the command and control channels described above.
- Record Phone Call and Surrounding Audio
SpyDealer registers a PhoneStateListener to monitor the phone call status. Once there is an active phone call, the audio recording procedure is triggered. The recorded audio data is finally compressed in zip format and stored to
/sdcard/.tmp/audio/<current_time_in_yyyyMMddHHmmss>_<phone_call_num><phone_call_ date>.zip
A message in the format “audio\n<IMSI>\n<IMEI>\n<zip_file_path>” will be sent to the remote server after audio is successfully recorded.
In addition to recording phone calls, SpyDealer is also capable of recording surrounding, ambient audio. It can be configured to record audio at a specific time range. The recorded audio file is stored to the following path in zip format
/sdcard/.tmp/environmentaudioaudio/<current_time_in_yyyyMMddHHmmss>.zip
Audio files recorded more than seven days ago are automatically deleted from the directory /sdcard/.tmp/environmentaudioaudio.
SpyDealer checks to see if the camera is available to record a video every three seconds. In the Android system, a preview surface is required to take a video, which means the user is aware of the video recording event. To avoid this, SpyDealer intentionally sets a very tiny preview surface which, in this case, is 3.0dip * 3.0dip in dimensions. Each video is recorded for 10 seconds and is finally stored to
/data/data/<package_name>/files/cameravideo/<current_time_in_yyyyMMddHHmmss>.zip
If a network connection is available, SpyDealer sends a message in the format “cameravideo\n<IMSI>\n<IMEI> \n<zip_file_path>” to the remote server.
 |
| Fig 8. A tiny surface view is defined for recording video silently |
Similar to recording video without a user’s awareness, this malware creates another tiny preview surface which is 0.100000024dip * 0.100000024dip in dimensions before taking a photo. Using the front or rear camera depends on the configuration which the attacker can set remotely. The taken photo is stored to
/data/data/<package_name>/files/camerapic/camera_<current_time_in_millseconds >.jpg
A message indicating a photo is taken is then sent to the remote server and the message is in the format “camerapic\n<IMSI>\n<IMEI>\n<picture_path>”.
- Monitor Geographic Location
SpyDealer dynamically registers a broadcast receiver listening for screen’s status. Whenever the screen is turned off, it tries to get the geographical location via GPS. At the same time, a location listener is registered to track the device’s location. This location listener is notified with the updated location every 10 seconds or whenever 100 meters of movement occurs between location updates. If a network connection is available, the location data will be sent to the remote server in the format
LGPS\n<IMEI>\n<IMSI>\n<longitude>\n<latitude>\n<current_time_in_yyyy-MM-dd hh:mm:ss>
However, the location data is saved locally if there is no network connection and will be uploaded later when the connection is restored.
Conclusion:
SpyDealer makes use of the commercial rooting app “Baidu Easy Root” to gain root privilege and maintain persistence on the compromised device. It employs a wide array of mechanisms to steal private information. At the same time, it accesses and exfiltrates sensitive data from more than 40 different popular apps with root privilege. With accessibility service, this malware is also capable of extracting plain text messages from target apps at real time. To remotely control the victim device, the malware implements three different C2 channels and support more than 50 commands.
