Kaspersky announced that its researchers have found the most sophisticated Android malware seen so far, comparable to Windows malware in terms of complexity.
Basically, the malware is able to infect the core Android Zygote process, which is the parent process of every application launched on Android. This means that potentially any application executed on the device might be infected. Also, it is a very modular malware: it has the ability to download and install additional modules, and hence can do absolutely anything on the compromised device.
I have taken a look at a couple of samples and there are a few interesting points.
Sample b2c2f74772c5057451668f144191f8d7191e5f98dbc6b6533698af5aa2baabc8 was detected almost one month ago.
This sample did not work on two devices running Android 4.4 and Android 6.0.1 (although it is supposed to work with Android < 4.4.4). It worked perfectly on a physical device running Android 2.3.7.
Note that the size of the application is only 100KB once installed.
The application doesn't execute after installation, but only once the system has been rebooted. The application is not displayed with the rest of the applications. The application can't be stopped, only uninstalled.
```xml
<receiver android:name="com.android.system.AndroidReceiver" android:permission="android.permission.RECEIVE_BOOT_COMPLETED">
    <intent-filter android:priority="2147483647">
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="com.android.system.guardianship.info.server.monitor"/>
        <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter>
</receiver>
```
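As an added example (not code from the original post), the following Python check looks for the persistence pattern visible in this manifest: a BOOT_COMPLETED receiver registered at the maximum intent-filter priority, in an app that declares no launcher activity and therefore shows no icon (a LAUNCHER category on a receiver, as above, does not create one; only activities do). The two manifests embedded below are constructed for the demo: one wraps the receiver shown above, the other is a benign app with a normal boot receiver.

```python
"""Flag AndroidManifest.xml files whose boot receiver matches the hidden,
max-priority persistence pattern described above.
Added example; manifests below are constructed, not taken from the sample APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MAX_PRIORITY = 2147483647  # Integer.MAX_VALUE, the value used by the sample
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

# Constructed: the receiver from the post wrapped in the surrounding elements a
# real manifest has. Note there is no <activity> with a LAUNCHER category.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.system.op.guardianship.server">
  <application android:label="system">
    <receiver android:name="com.android.system.AndroidReceiver"
              android:permission="android.permission.RECEIVE_BOOT_COMPLETED">
      <intent-filter android:priority="2147483647">
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="com.android.system.guardianship.info.server.monitor"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed: an ordinary app with an icon and a normal-priority boot receiver.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <application android:label="Benign">
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def has_launcher_activity(root):
    """True if any <activity> carries a LAUNCHER category, i.e. the app has an icon."""
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            if any(attr(c, "name") == LAUNCHER_CATEGORY for c in flt.findall("category")):
                return True
    return False


def analyze_manifest(xml_text):
    """Return one finding per BOOT_COMPLETED receiver that shows at least one
    suspicious trait; a clean manifest yields an empty list."""
    root = ET.fromstring(xml_text)
    visible = has_launcher_activity(root)
    findings = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {attr(a, "name") for a in flt.findall("action")}
            if BOOT_ACTION not in actions:
                continue
            priority = int(attr(flt, "priority") or 0)
            reasons = []
            if priority >= MAX_PRIORITY:
                reasons.append("boot receiver at max priority")
            if not visible:
                reasons.append("no launcher activity: app has no icon")
            if reasons:
                findings.append({"receiver": attr(receiver, "name"),
                                 "priority": priority, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, analyze_manifest(manifest))
```

Run against a manifest extracted with apktool or aapt (assumed tooling, not part of the post) the check is only a heuristic: a max-priority boot receiver is also used by some legitimate launchers and security apps, so treat a hit as a reason to look further, not as a verdict.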
After rebooting, the application starts doing its job. A new process is created (running as app_63) and a lot of threads are spawned.
```text
app_63 1569 1229 98192 21640 ffffffff afd0c76c S com.android.system.op.guardianship.server
```
Later on, it communicates with the C&C ph4.xiaoyisy.com using port TCP/8080.

Four files are created in the filesystem:
- OPBKEY_b4c5d457bf08ab4d2bb9c9cbf12bd68d4c9f
- lastAccessTimes.db
- opb_mark_recover.db (empty)
- phone.db
Finally, a JAR file is pulled from another server, xla.poticlas.com, over plain HTTP.

The downloaded file, OPBUpdate_6000.jar, contains three more files, among them one APK file and one .DEX file (SHA-1 hashes listed first):
```text
bf26f9b2909c429af8d4876c8015a41633eb3d74 GloablBCServiceInfo.apk
95e6ad4c2bc9e6a29ea1f6d90d782be9971450bd OPBUpdate_6000_opbRelease.db
09d856882b205e1a8f6065334d8d0fa583666acb classes.dex
```
The APK and the DEX files are detected as malware as well.


Once GloablBCServiceInfo.apk is installed, the process com.bc.android.core.bcservice is spawned and there are new HTTP connections to the C&C, but this time to a different subdomain: ph2.xiaoyisy.com.
Two additional modules are gathered.


Those two modules can hook into applications that use SMS and can send SMS as well.
What we have so far:
- The malware doesn't run on devices running Android 4.4 and 6.0.1, so it likely only executes on devices with Android < 4.4.
- The size of the malware is just around 100KB (once installed).
- The malware doesn't start automatically after installation, but only after a reboot.
- Also, it doesn't display an application icon, hence it hides from the user. There is no option to stop it, only to remove it.
- It downloads several other modules and an APK inside a .JAR file.
- The second APK, once installed, downloads several additional modules.
- The C&C servers are hosted on different subdomains. Some of the subdomains resolve to the same IP, which looks like a kind of redundancy.
- The additional APK and modules are downloaded from the same server.
Indicators
C&C:
ph1.xiaoyisy.com 103.20.249.203
ph2.xiaoyisy.com 103.20.249.203
ph3.xiaoyisy.com 103.6.223.226
ph4.xiaoyisy.com 103.6.223.226
Dropper server:
xla.poticlas.com
Files:
Calendar_1002.md f9b5e56e76c5eeea61f224279c756da4abb4d665
Idleinfo_4042.md c1152d2e8c005dad77b3dfac7e1e4cd785031bdc
OPBUpdate_6000.jar d47b0a190af5754625c7edf15d1ecddeae4c7108
classes.dex 09d856882b205e1a8f6065334d8d0fa583666acb
GloablBCServiceInfo.apk bf26f9b2909c429af8d4876c8015a41633eb3d74
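As an added example (not from the original post), the script below turns the indicators listed above into a small matcher over DNS, connection and file-hash records, so a defender can sweep existing logs for the C&C subdomains, the two C&C IPs on TCP/8080, the dropper host and the module hashes. The log format ("type key=value ...") and every log line, including the resolved address for the dropper and the non-matching hosts, are constructed for the demo; the indicator values themselves are the ones the post lists.

```python
"""Match the post's indicators against constructed DNS, connection and
file-hash records. Added example; log lines are made up, IoCs are from the post."""

C2_DOMAINS = {"ph1.xiaoyisy.com", "ph2.xiaoyisy.com",
              "ph3.xiaoyisy.com", "ph4.xiaoyisy.com"}
C2_IPS = {"103.20.249.203", "103.6.223.226"}
C2_PORT = 8080                       # TCP port observed for the C&C traffic
DROPPER_DOMAINS = {"xla.poticlas.com"}
FILE_SHA1 = {                        # SHA-1 -> module name, from the indicator list
    "f9b5e56e76c5eeea61f224279c756da4abb4d665": "Calendar_1002.md",
    "c1152d2e8c005dad77b3dfac7e1e4cd785031bdc": "Idleinfo_4042.md",
    "d47b0a190af5754625c7edf15d1ecddeae4c7108": "OPBUpdate_6000.jar",
    "09d856882b205e1a8f6065334d8d0fa583666acb": "classes.dex",
    "bf26f9b2909c429af8d4876c8015a41633eb3d74": "GloablBCServiceInfo.apk",
}

# Constructed records. 10.0.0.12 plays an infected phone, 10.0.0.33 a clean one;
# 203.0.113.5 and 203.0.113.9 are documentation-range placeholders, the dropper's
# real address is not given in the post.
SAMPLE_LOG = """\
dns  client=10.0.0.12 query=ph4.xiaoyisy.com answer=103.6.223.226
conn client=10.0.0.12 dst=103.6.223.226 dport=8080 proto=tcp
dns  client=10.0.0.12 query=xla.poticlas.com answer=203.0.113.9
conn client=10.0.0.12 dst=203.0.113.9 dport=80 proto=tcp
dns  client=10.0.0.33 query=example.org answer=203.0.113.5
file host=10.0.0.12 path=/sdcard/Download/OPBUpdate_6000.jar sha1=d47b0a190af5754625c7edf15d1ecddeae4c7108
file host=10.0.0.33 path=/sdcard/notes.txt sha1=0000000000000000000000000000000000000000
"""


def parse_record(line):
    """Split 'type key=value key=value' into a dict; first token is the type."""
    parts = line.split()
    record = {"type": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        record[key] = value
    return record


def match_indicators(log_text):
    """Return (host, record type, description) for every record hitting an IoC."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        kind = rec["type"]
        if kind == "dns":
            query = rec.get("query", "").lower().rstrip(".")
            if query in C2_DOMAINS:
                hits.append((rec.get("client"), "dns", "C&C domain " + query))
            elif query in DROPPER_DOMAINS:
                hits.append((rec.get("client"), "dns", "dropper domain " + query))
        elif kind == "conn":
            dst = rec.get("dst")
            if dst in C2_IPS:
                what = "C&C IP " + dst
                if rec.get("dport") == str(C2_PORT):
                    what += " on TCP/%d" % C2_PORT
                hits.append((rec.get("client"), "conn", what))
        elif kind == "file":
            sha1 = rec.get("sha1", "").lower()
            if sha1 in FILE_SHA1:
                hits.append((rec.get("host"), "file",
                             "known module " + FILE_SHA1[sha1]))
    return hits


def hosts_with_hits(log_text):
    """Set of hosts that matched at least one indicator; the triage worklist."""
    return {host for host, _, _ in match_indicators(log_text)}


if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_LOG):
        print(hit)
    print("hosts to triage:", sorted(hosts_with_hits(SAMPLE_LOG)))
```

The dropper connection on port 80 is deliberately not matched by IP, because the post gives no address for xla.poticlas.com; it is caught through the DNS query instead, which is the usual reason to keep both domain and IP indicators in a sweep. Two of the C&C subdomains share an IP, so an IP hit alone cannot tell which subdomain the sample used; the DNS record supplies that.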
To be continued...