UPX-packed ARM binaries.
Let’s take a closer look at the unpacked .b file. Its internal structure and behaviour can be illustrated with the following figure.
The unpacked .ext.data file first reads its configuration commands from a file.
It then creates a socket and waits for a connection. Once a client connects, .ext.data waits for incoming data from that client and executes it through a root terminal opened via /dev/ptmx (the pseudo-terminal master), i.e. it behaves as a bind shell running with root privileges.
The whole process can be illustrated with the following diagram:
All in all, this application drops downloaded packages in the background, extracts binaries from them and tries to start them with root privileges on the device, which is clearly not what an ordinary application would do. These are the genuinely malicious actions of this app.
From the research carried out here, I would note that malware authors nowadays produce increasingly sophisticated software, embedding it in packages targeted at specific devices and platforms. With this example I wanted to show what a so-called “clean” application might actually consist of, what it really tries to do, and how well hidden its real motives can be.