SHA1 hashes:
- 8399c41b0d24c30391d7fba6b634ba29c0440007 (/system/xbin/wd)
- ccf8c0cb83160a20fa4c89b028fb63884f7b6a86 (decrypted payload)
Description
This is a component of the malicious backdoor Android.Vo1d, which was detected in the system storage area of a number of Android-based TV box models. Its functionality includes:
- Decrypting the payload;
- Decrypting and launching a daemon;
- Downloading and running binary files from target URLs;
- Installing and running apps.
Operating routine
Decrypting the payload
Android.Vo1d.3 decrypts an intermediate object embedded in its own body and loads it directly into memory. The payload is decrypted with the XXTEA algorithm using the key fPNH830ES23QOPIM*&S955(2WR@L*&GF.
Launching the daemon
Android.Vo1d.3 decrypts the Android.Vo1d.5 daemon from the payload obtained in the previous step, again with XXTEA but this time using the key d99202373076ee9ec1d3df1dfa5afe1f. The resulting file is written to /data/google/daemon and then launched.
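Both stages above rely on XXTEA (Corrected Block TEA), so an analyst reproducing the unpacking needs a faithful implementation of it. The block below is an added example written for this page, not code from the Android.Vo1d sample; it follows the btea() reference routine by Wheeler and Needham. Two things the page does not state are treated as assumptions: the 32-character key strings above must somehow be reduced to XXTEA's 128-bit key (truncation, hex-decoding of the second string, or hashing), so the functions simply take the key as 16 raw bytes; and words are read little-endian, as on an ARM Android box. The demo key and plaintext are constructed.

```python
"""XXTEA (Corrected Block TEA) encrypt/decrypt following the btea() reference
routine. Added illustration for the cipher named on the page; not Vo1d code."""
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _mx(sum_, y, z, p, e, key):
    """The MX mixing term of the reference implementation on 32-bit words.
    Shifts are masked because Python ints do not wrap like uint32_t."""
    return ((((z >> 5) ^ ((y << 2) & MASK)) + ((y >> 3) ^ ((z << 4) & MASK)))
            ^ ((sum_ ^ y) + (key[(p & 3) ^ e] ^ z))) & MASK


def _check(data, key):
    if len(key) != 16:
        raise ValueError("XXTEA key must be 16 bytes (128 bits)")
    if len(data) < 8 or len(data) % 4:
        raise ValueError("data must be a multiple of 4 bytes and at least 8 bytes")


def xxtea_encrypt(data: bytes, key: bytes) -> bytes:
    _check(data, key)
    n = len(data) // 4
    v = list(struct.unpack("<%dI" % n, data))  # little-endian words (assumption)
    k = struct.unpack("<4I", key)
    rounds = 6 + 52 // n
    sum_ = 0
    z = v[n - 1]
    for _ in range(rounds):
        sum_ = (sum_ + DELTA) & MASK
        e = (sum_ >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(sum_, y, z, p, e, k)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(sum_, y, z, n - 1, e, k)) & MASK
        z = v[n - 1]
    return struct.pack("<%dI" % n, *v)


def xxtea_decrypt(data: bytes, key: bytes) -> bytes:
    _check(data, key)
    n = len(data) // 4
    v = list(struct.unpack("<%dI" % n, data))
    k = struct.unpack("<4I", key)
    rounds = 6 + 52 // n
    sum_ = (rounds * DELTA) & MASK   # reference starts decryption at rounds*DELTA
    y = v[0]
    for _ in range(rounds):
        e = (sum_ >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(sum_, y, z, p, e, k)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(sum_, y, z, 0, e, k)) & MASK
        y = v[0]
        sum_ = (sum_ - DELTA) & MASK
    return struct.pack("<%dI" % n, *v)


def looks_like_elf(blob: bytes) -> bool:
    """Quick sanity check after decryption: the daemon stage is an ELF binary,
    so a correct key should yield the \\x7fELF magic at offset 0."""
    return blob[:4] == b"\x7fELF"


def demo_round_trip() -> bool:
    """Constructed demo: a fake ELF-like blob is encrypted and decrypted with a
    constructed 16-byte key (not the sample's key); returns True on success."""
    key = b"0123456789abcdef"                       # constructed, 16 bytes
    plaintext = b"\x7fELF\x01\x01\x01\x00constructed-"  # 20 bytes = 5 words
    ciphertext = xxtea_encrypt(plaintext, key)
    recovered = xxtea_decrypt(ciphertext, key)
    return recovered == plaintext and looks_like_elf(recovered)


if __name__ == "__main__":
    print("round trip ok:", demo_round_trip())
```

In practice an analyst would carve the encrypted region out of the dropper, try the candidate key derivations (raw prefix, hex-decoded string, hashed string) and keep the one for which looks_like_elf() holds on the output; XXTEA has no authentication, so the magic-bytes check is the only cheap signal that the key was right.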
Installing and running apps
Android.Vo1d.3 uses inotify (the Linux kernel's file-system event notification subsystem) to monitor the following directories for newly appearing files:
- /data/google/
- /data/data/com.goog1e.apps/
APK files that appear in these directories are installed with the command pm install --user.
The installed app is then started with the command am start -n com.google.android.services/.MainActivity. Note that both the directory name com.goog1e.apps (with the digit 1 in place of the letter l) and the component name com.google.android.services are chosen to resemble legitimate Google packages in a package or process listing.
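The install-on-drop trigger above is ordinary inotify usage, and the same kernel facility is what a responder would use to watch those directories on a suspect box and log anything that lands there. The block below is an added example for this page, not code from the sample: it registers IN_CLOSE_WRITE and IN_MOVED_TO watches (the events a fully written or moved-in APK produces), parses the raw inotify_event records, and returns the names of files matching a suffix. Unlike the backdoor it never runs pm install or am start; it only reports. It uses libc's inotify_init()/inotify_add_watch() through ctypes, so it runs on Linux only; the scratch directory and the dropped file names in demo() are constructed.

```python
"""Watch directories with Linux inotify and report dropped files by suffix.
Added example (not Vo1d code): the same kernel facility the page names, used
here by the defender to log what appears, not to install it."""
import ctypes
import ctypes.util
import os
import select
import shutil
import struct
import tempfile

IN_CLOSE_WRITE = 0x00000008   # a file opened for writing was closed
IN_MOVED_TO = 0x00000080      # a file was renamed/moved into the watched dir
_EVENT_HDR = struct.Struct("iIII")   # struct inotify_event without the name[]

_libc = ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6", use_errno=True)
_libc.inotify_init.restype = ctypes.c_int
_libc.inotify_add_watch.argtypes = (ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32)
_libc.inotify_add_watch.restype = ctypes.c_int


def parse_events(buf: bytes):
    """Split one raw read() from an inotify fd into (wd, mask, name) tuples.
    Each record is the fixed header followed by `len` bytes of NUL-padded name."""
    events, off = [], 0
    while off + _EVENT_HDR.size <= len(buf):
        wd, mask, _cookie, name_len = _EVENT_HDR.unpack_from(buf, off)
        off += _EVENT_HDR.size
        raw_name = buf[off:off + name_len].split(b"\0", 1)[0]
        off += name_len
        events.append((wd, mask, raw_name.decode(errors="replace")))
    return events


def watch_for_dropped_files(directories, trigger=None, timeout=2.0, suffix=".apk"):
    """Register watches, optionally run trigger() once they are live (so nothing
    is missed), then collect (directory, name, mask) for files whose name ends
    with `suffix`, stopping after `timeout` seconds without further events."""
    fd = _libc.inotify_init()
    if fd < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    try:
        watches = {}
        for d in directories:
            wd = _libc.inotify_add_watch(fd, os.fsencode(d), IN_CLOSE_WRITE | IN_MOVED_TO)
            if wd < 0:
                err = ctypes.get_errno()
                raise OSError(err, "%s: %s" % (d, os.strerror(err)))
            watches[wd] = d
        if trigger is not None:
            trigger()
        found = []
        while True:
            ready, _, _ = select.select([fd], [], [], timeout)
            if not ready:
                break
            for wd, mask, name in parse_events(os.read(fd, 65536)):
                if name.lower().endswith(suffix):
                    found.append((watches[wd], name, mask))
        return found
    finally:
        os.close(fd)


def demo():
    """Self-contained run on a constructed scratch directory: drop an unrelated
    file and a file named like an APK, return what the watcher reported."""
    scratch = tempfile.mkdtemp(prefix="vo1d-watch-")

    def drop():
        for name in ("notes.txt", "dropped.apk"):      # constructed file names
            with open(os.path.join(scratch, name), "wb") as f:
                f.write(b"constructed sample content, not a real APK")

    try:
        return watch_for_dropped_files([scratch], trigger=drop, timeout=0.5)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    for directory, name, mask in demo():
        print("dropped: %s/%s (mask 0x%08x)" % (directory, name, mask))
```

On a device the directories would be the two paths listed above; IN_CLOSE_WRITE rather than IN_CREATE is the right event to act on because the file is complete only once the writer has closed it, which is also the moment an installer would pick it up.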
More details on Android.Vo1d.5