A Closer Look at ANDROIDOS_TIGERBOT.EVL
Mobile security researchers reported the emergence of an Android malware called Tigerbot. The said malware is actually an app called Spyera, which we detect as ANDROIDOS_TIGERBOT.EVL. The said app was found in third party Chinese app stores.
We tried to analyze this app to check if it is indeed malicious. Below are our findings:
When installed, ANDROIDOS_TIGERBOT.EVL shows a different icon, usually that of a legitimate application. Some malware use the same routine to trick users into thinking that it is a harmless file. The fact that Tigerbot uses the same installation routine raises questions on the intention of this application.
Tigerbot is controlled via either SMS or phone calls. It is capable of recording phone calls, tracking the device via GPS, or rebooting a device. Digging deeper into its routines, we found several commands that are of dubious nature:
- DEBUG – initially checks running processes and the configuration of the Spyera app, and connects to a URL to send check network status
- CHANGE_IAP – changes the phone’s APN (Access Point Name)
- PROCESS_LIST_ADD – adds a phone process name to a list (the list is used to kill processes)
- PROCESS_LIST_DELETE – deletes a phone process name that is in the list
- ACTIVE – activates the copy of Tigerbot
- DEACTIVE – deactivates the copy of Tigerbot
The above-listed capabilities can be maliciously used to send over private information to an attacker. These are among the reasons why we are detecting the application as malware.
The following details the 4 different command sets used by Tigerbot:
Command Set A
The following commands may be used by an attacker to gather information from the device:
|* *||DEBUG||Returns currently running process names, the current configuration,
and attempts to verify the Internet connection.
Upon receiving the DEBUG command, Tigerbot will:
- Immediately return the currently running process names. This gives us a way to identify the victim
- After 12 seconds, return the Tigerbot’s configuration if the copy is not yet activated
- After 20 seconds, check the network status by connecting to a URL and return network status to SMS sender
Command Set B
The following commands can still execute even if the device is not yet activated by the attacker:
|*0000*11*||CHANGE_IAP||Try connect to Internet by changing the phone’s APN|
|*[dddd]*15*[process name]||PROCESS_LIST_ADD||Add the process name to a list, that will be killed by Tigerbot|
|*[dddd]*16*[process name]||PROCESS_LIST_DELETE||Remove the process name from the list that will be killed by Tigerbot|
|*[key]*21*||ACTIVE||Activate this copy of Tigerbot with the specific key.|
Note: [dddd] means a 4-length digital string that is not 0000
When Tigerbot receives this command:
- It tries to connect to the network using APNs in res/xml/default_apns.xml
- Then it will return the network status with the SMS “Wifi is opening, cancel change apn.“, “Network change fail, not found useable AP, current AP: $ap” or “Network change to: $ap.”
PROCESS_LIST_ADD and PROCESS_LIST_DELETE
Analysis reveals that the two commands — PROCESS_LIST_ADD and PROCESS_LIST_DELETE — are designed to manage a list of process names, and that after every 5 minutes, Tigerbot will kill all of them. However, the code seems to be incomplete. It just restarts the package com.android.packageinstaller when the SDK version is less than 8 (Android 2.1 or below).
When Tigerbot receives the ACTIVE command it sends an HTTP POST to its backend server:
The value in POST body is encrypted and signed by a customized algorithm. It contains the IMEI, app key generated by native code, [key] in command, m=mA (to indicate it’s a activate request), timestamp, and signature.
Tigerbot also puts important information such as the URL and algorithms into a native code libpng.so, which makes it difficult to research the code.
Command Set C
We also find Tigerbot can be deactivated through a phone call:
When the command is called, Tigerbot will try to send an HTTP POST to its server. The value in POST body is encrypted and signed by the same algorithm used in ACTIVE command (see Figure 7). It contains the IMEI, app key generate by native code, [key] in command, m=mdeactive (to indicate it’s a deactivate request) timestamp, and signature.
Command Set D
Here is the last set of commands that Tigerbot is capable of executing, all of which still revolves around acquiring information about the device and its user.
|*[key]*13||UPLOAD_NETWORKINFO||Respond with GSMLocation or CDMALocation|
|*[key]*17*a*b||SEND_MSG_TO_TARGET||Sends SMS to A with content B|
|*[key]*19||RESTART_DEVICE||Restart the device|
|*[key]*22||CHANGE_SIM_NOTIFY_SWITCH||Turn on or off the notification if the SIM changed|
A quick way to determine if your phone has Tigerbot installed (most probably without your knowledge) is to send a DEBUG command to the phone. If it returns the process name list, then the owner is a victim of Tigerbot.
Tigerbot is a sophisticated application. It not only is remotely controllable via SMS, it can also be controlled by phone calls. And some important part of code put into a native library. In fact, there are some commands that we did not cover in this report.
If we were to describe the code, it appears that the application’s developer is not fully done with it yet. Some of the features are not yet complete. This leads us to think that we might see an updated version in the future.
For ways to protect your device from mobile threats such as Tigerbot, check our Mobile Threat Information Hub.
Post from: TrendLabs | Malware Blog – by Trend Micro