How to check for root access in three ways (plus a C&C demo!)

Recently I found a sample of DroidJack, which is largely the same as the Sandrorat I described previously. It was probably created by the same author, or at least built on the same code base. What leads me to that conclusion? See for yourself in the screenshot below.



What does the DroidJack C&C look like? I found this little GIF demo in one of the DroidJack ads (if you haven't seen it already, that means you don't follow me on Twitter, and you should):


So, pretty much the standard stuff for the more complex Android malware: you can do everything, and you get a "binder", i.e. a program that lets you add the DroidJack "features" to benign apps. What else did the author of DroidJack and Sandrorat make? This app, available in the Play Store, is a kind of Sandrorat in reverse: you can use a mobile phone to "control" your computer.

Checking for root in three ways

Enough about the authors, let's get to the main point of this post. I find the way DroidJack checks for root permissions on the device rather interesting. An important note: this malware does not depend on root permissions, it just checks whether it has them. And, as you probably know, if you have rooted your phone and you have granted root permissions to some suspicious app, you are most certainly fucked.

The first way of checking whether the phone is rooted is the usual check for the availability of su using the which command. Nothing too fancy, as you can see in the screenshot below.


Next up is a less common check: looking for the Superuser.apk application. Pictured in the screenshot below.

Finally, something I am seeing for the first time: checking whether the build is signed with test-keys. This is a popular way of signing custom ROMs, and, presumably, if you run a custom ROM you have most likely also rooted your phone. While this is a bit of a gamble, it's fair to say it's a safe one.
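To make the three checks concrete, here they are reimplemented as shell functions you can paste into an adb shell. This is an added example and not the code of the DroidJack sample; the sample does the equivalent from Java. Two details are assumptions on my part: that the Superuser check looks at the usual /system/app/Superuser.apk path, and that the test-keys check reads the build tags (Build.TAGS, i.e. the ro.build.tags property). Each function takes its input as an argument (the PATH to search, the filesystem root, the tags string) so the checks can be exercised against a constructed layout instead of the real device.

```shell
#!/bin/sh
# Added example: the three DroidJack-style root checks as shell functions.
# Not the sample's own code; paths and property names are assumptions.

# Check 1: is an executable `su` reachable on the given PATH?
# This is what `which su` does; PATH is a parameter so it can be tested.
has_su_binary() {
    search_path="$1"
    old_ifs=$IFS
    IFS=:
    for dir in $search_path; do
        if [ -x "$dir/su" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Check 2: is the Superuser app installed? Assumes the common
# /system/app/Superuser.apk location; the root dir is a parameter.
has_superuser_apk() {
    root="$1"
    [ -f "$root/system/app/Superuser.apk" ]
}

# Check 3: is the build signed with test-keys? Assumes the tags string
# comes from ro.build.tags (Build.TAGS); it is passed in as a parameter.
build_has_test_keys() {
    tags="$1"
    case "$tags" in
        *test-keys*) return 0 ;;
        *) return 1 ;;
    esac
}

# Any single hit is treated as "rooted", which is the cheap bet
# the malware is making with the test-keys check.
is_rooted() {
    has_su_binary "$1" || has_superuser_apk "$2" || build_has_test_keys "$3"
}

# Stand-alone demo on the current host. `getprop` only exists on Android,
# so fall back to "unknown" elsewhere.
demo_tags=$(getprop ro.build.tags 2>/dev/null || echo unknown)
if is_rooted "$PATH" "/" "$demo_tags"; then
    echo "at least one root indicator present (tags: $demo_tags)"
else
    echo "no root indicator found (tags: $demo_tags)"
fi
```

On a Linux box the demo will usually report a hit, because a stock Linux system does ship an `su` binary on PATH; that is the same false-positive logic the malware accepts, which is why the checks are only a heuristic rather than proof of root.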


I'll try to look at this DroidJack sample a little more. Meanwhile, let's play "The Price is Right"! What do you think this piece of malware costs? $20? $50? Surely not over $100, right? Have a look at the illustrated answer below.


And for that little price it stays with you for the eternity...
