
UPX-packed ARM binaries.
Let's take a closer look at the unpacked .b file. Its internal structure and behaviour can be illustrated with the following figure.
The unpacked .ext.data file reads configuration commands from a file.
It then creates a socket and waits for a connection; once a connection is established, .ext.data waits for incoming data from the client and executes it through the /dev/ptmx root terminal.
The whole process can be illustrated with the following diagram:
All in all, this application drops the downloaded packages in the background, extracts binaries from them and tries to start them with root privileges on the device, which is clearly not what an ordinary application would do. These are the truly malicious actions of this app.
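The behaviour above (native ARM binaries shipped inside the package, packed with UPX, one of them later touching /dev/ptmx) is what an analyst would want to triage quickly across a batch of APKs. The script below is an added example written for this post, not code from the original article or from Avira: it walks every member of an APK (a zip archive), recognises ELF images by their header, reads the e_machine field to tell ARM and AArch64 apart, looks for the "UPX!" marker that the UPX packer leaves in its own header, and checks the unpacked members for indicator strings taken from this write-up. The sample archive it builds is constructed inline (fake ELF headers over placeholder payloads, with made-up member names), so nothing here is a real sample.

```python
import io
import struct
import zipfile

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification
EM_ARM = 0x28
EM_AARCH64 = 0xB7
MACHINE_NAMES = {EM_ARM: "ARM", EM_AARCH64: "AArch64"}
# Marker string UPX writes into its loader header (heuristic: it can be patched out)
UPX_MARKER = b"UPX!"
# Indicator strings drawn from the behaviour described in the write-up
INDICATOR_STRINGS = [b"/dev/ptmx"]


def inspect_elf(data):
    """Return a dict describing an ELF image, or None if data is not ELF."""
    if len(data) < 0x34 or not data.startswith(ELF_MAGIC):
        return None
    ei_class = data[4]          # 1 = 32-bit, 2 = 64-bit
    ei_data = data[5]           # 1 = little-endian, 2 = big-endian
    endian = "<" if ei_data == 1 else ">"
    e_machine = struct.unpack(endian + "H", data[18:20])[0]
    return {
        "bits": 32 if ei_class == 1 else 64,
        "machine": MACHINE_NAMES.get(e_machine, hex(e_machine)),
        "upx_marker": UPX_MARKER in data,
        "indicators": [s.decode() for s in INDICATOR_STRINGS if s in data],
    }


def triage_apk(apk_bytes):
    """Walk every member of an APK (a zip file) and report embedded ELF images."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            info = inspect_elf(zf.read(name))
            if info is not None:
                findings[name] = info
    return findings


def build_sample_apk():
    """Constructed sample: not a real APK, just a zip holding fake ELF members."""
    def fake_elf(payload):
        header = bytearray(0x34)          # size of a 32-bit ELF header
        header[0:4] = ELF_MAGIC
        header[4] = 1                     # ELFCLASS32
        header[5] = 1                     # ELFDATA2LSB (little-endian)
        header[18:20] = struct.pack("<H", EM_ARM)
        return bytes(header) + payload

    packed = fake_elf(b"UPX!" + b"\x00" * 16 + b"$Info: packed with the UPX executable packer")
    unpacked = fake_elf(b"\x00config.txt\x00/dev/ptmx\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/packed_sample", packed)       # constructed name
        zf.writestr("assets/unpacked_sample", unpacked)   # constructed name
        zf.writestr("res/layout/main.xml", b"<?xml version='1.0'?>")
    return buf.getvalue()


if __name__ == "__main__":
    for member, info in triage_apk(build_sample_apk()).items():
        print(member, info)
```

The "UPX!" check is only a heuristic: malware authors routinely patch the marker and section names out of packed binaries, so a member that is ELF, ARM and has very high entropy deserves a look even when no marker is found. On a real APK the interesting members usually sit under lib/ or assets/, and the indicator-string pass only makes sense on the unpacked image, which is why the packed sample above reports no indicators.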
From the research that has been carried out, I'd like to note that nowadays malware creators produce more and more sophisticated pieces of software, embedding them into different packages targeted at specific devices and platforms. In this example, I wanted to show what a so-called "clean" application might consist of, what it actually tries to do, and how well hidden the real motives can be.
Can you please provide the source code of this malware…
Hi Anand,
We're afraid we cannot provide the source code of the Shedun family.
Best,
István
Here’s an update on fairly recent variants of the same virus, which go unnoticed by most virus scanners still:
https://virusscan.jotti.org/en-US/filescanjob/6zhl0iyu88
https://www.virustotal.com/en/file/1be25672fc2f6fd20f6119a2d30186420e9ca313c5c95dddacf5ae0ba7d2cd68/analysis/1459633269/
https://www.virustotal.com/en/file/8041ccb430b2fcb86fc95f29fc9f10f6c52b80f5017aa79bb7a37fc1a13c768a/analysis/1459633320/
http://r.virscan.org/report/e5f919b3040085811e745084f8981055
https://andrototal.org/scan/result/JzT10BmqRN-TB7KIM_BbHw
https://andrototal.org/scan/result/07inzdF5RRuUYYJqzWoeYA
https://apkscan.nviso.be/report/show/b343552fd47fe87cb28662a4586531ab
https://apkscan.nviso.be/report/show/819810c73addf352e5372829f28a4c12
Good information. The big question is, how do I remove the malware?
Very good. Can you upload the cn.engine.RootPerApi package or elaborate on how exactly it roots Android?
Yes, sure.
Send me e-mail to: pavel.ponomariov@avira.com