Caution: Malware Pre-installed!

China's leading TV station, CCTV, has a long-standing tradition of marking World Consumer Rights Day on March 15 with its '315 Evening Party'. The annual show makes a song and dance about consumer rights violations. This year's party reported on cases where smartphone distribution channels pre-install malware into Android mobiles before selling them on to unwitting customers.

As the program showed, the malware pre-installed is called DataService:

208213029

And in another piece of news about this we found the md5 of this malware

208213030

This malware is detected by Kaspersky as Trojan.AndroidOS.Uupay.a. It isn't a standalone program. It works in conjunction with ordinary Android apps, meaning that most users know nothing about this until they are hit with an inflated phone bill. What does this "DataService" malware actually do? As reported, it can upload a lot of information like IMEI, MAC addresses, phone model, installed application list, etc. Also it can push a lot of ads and download the specific apps. Let's take a deeper look and verify these things from the code level.

First, for a general view, let's see AndroidManifest.xml unzipped from the malware apk, which presents essential information about the app. At a glance, we can see it really gains various sensitive permissions, some of which can cost you money and gain access to your sensitive information:

208213031

And some URLs also catch the eye:

208213032

Later we will explain how they are used.

After decompiling some variants of this malware we found they all contain packages with names like com.google.hfapservice and com.uucun.android.

208213034

Although it contains "google" in its name, the com.google.hfapservice has nothing to do with google and it can be used to download other apps in the background

208213035

And install them silently.

208213036

It uses the push service provided by Airpush

208213037

And runs a service to fetch and display the pushed advertisement

208213039

and download the pushed applications

208213040

It can also get various details from the mobile phone, including IMEI, MAC addresses, phone model, installed application list, etc.

208213041

Packages with the names like com.uucun.android also contain code for showing, downloading and installing advertisements or other applications in this package:

208213042

And collect information from the mobile phone

208213043

Before sending this to servers:

208213044

Using dynamic analysis we tracked the malware's network traffic and found it makes a request to http://******mall1.plat96.com/ to get the app list it needs to fetch

208213046

http://******mall1.plat96.com/ itself seems to be some kind of unofficial android market

208213047

We downloaded some APKs from the fetch list and all of them contain the same kind of malware as DataService.

Now we are clear about the main functionality of this DataService malware but this is not the end of the story. How can this malware be pre-installed into such a large number of brand new mobile phones? In the 'Evening Party' the CCTV reporter unraveled this mystery. The reporter found that a company calledGoohi, affiliated with the Datang Telecom Technology & Industry Group, provides an android application pre-installation service using a product called "Datang fairy artifact". Up to now, Goohi has more than 4,600 members in its pre-installation alliance. This alliance has installed more than 46 million applications and more than one million mobile phones are pre-installed with various applications every month.

208213048

What does this "fairy artifact" look like? Well, it is not a piece of artwork but a device like this

208213049

It is claimed that this device can automatically install every application it holds onto an Android mobile in just a few minutes. This menu of applications comes with a price tag, ranging from 10-50 US cents per installation.

208213050

By pre-installing the listed applications, members of the Goohi alliance can earn money from Goohi according to how much they install.

Furthermore, the applications pre-installed by Goohi were reported to steal users' private information. Goohi admitted this but claimed that they were only collecting statistical information like IMEI, Mac address, model and application list, and took nothing related to phone number, contact book and call logs. But we have found that Trojan-Spy.AndroidOS.Agent.k, which collects users' sensitive privacies, seems to have some connection with Goohi.

From the decompiled code we can see it really uploads users' call logs, trying twice in 30 seconds

208213051

And connects to 61.160.242.35

We can verify if the ip address is really related to Goohi simply by pinging www.goohi.cn

208213054

And we see exactly the same ip address we found in the malware.

Although CCTV exposed that DataService malware can be pre-installed into mobile phones and Goohi's "Datang fairy artifact" can be used for this aim it could not provide a clear link between them. But from the name "uucun" and a piece of news about uucun we can read that it has pre-installation channels that can pre-install onto more than 100 million mobile phones

208213055

This can only encourage us to guess at the pre-installation channel of the DataService malware.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *