Security Alert: AnserverBot, New Sophisticated Android Bot Found in Alternative Android Markets

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
Update: on 09/25/2011, we finished analyzing this particular malware. The full report can be downloaded here (17 pages)

Most recently, my research team in collaboration with NQ Mobile has identified AnserverBot, which is believed to be one of the most sophisticated bot program infecting Android devices. This particular bot piggybacks on legitimate apps and communicates with remote C&C servers for further instructions. Based on our current investigation, AnserverBot is being injected into a number of (20+) legitimate apps, which are then distributed in alternative Android markets in China. Different from earlier ones with bot capabilities such as Pjapps and BaseBridge, this bot program exploits several techniques, including deep code obfuscating and (Plankton-like) dynamical code loading to thwart reverse engineering efforts as well as anti-tampering to protect itself. To the best of our knowledge, this is indeed one of the most sophisticated bot program on Android we have ever seen to date.

How it works

1. Installing the payload

When an infected host app is launched, it will display a fake upgrade dialog to lure the user to install a hidden payload (we call it payload A). Payload A is essentially a bot program that runs silently in the background without showing any icon in the home screen after the installation. With that, the bot program can continue to run even if the host app is removed from the phone. This particular mechanism is similar with the one used in earlier BaseBridge variants.

2. Executing the payload

Besides payload A, there is another hidden payload (we call it payload B) in the host app. Different from payload A, this payload will not be actually instaled on the phone. Instead, it will be dynamically loaded and executed by either the host app or the payload A at runtime. In essence, it exploits the dynamical loading capability of Dalvik virtual machine and follows the similar behaviors observed in the earlier Plankton spyware. However, AnserverBot makes one step further by encrypting all method names that will be invoked, making it even harder for analysis and detection. Moreover, the payload B will also be remotely feteched and dynamically loaded (See "Phoning homes").

3. Phoning homes & Fetching payloads

When it is running, AnserverBot communicates with remote C&C servers periodically (once every two hours) to retrieve the commands. AnserverBot supports two types or more precisely two levels of C&C servers. The first level C&C server is an (encrypted) public blog, which is used to store the URLs of second level C&C servers and the new versions of payload B. Specifically, when it connects to the particular blog entry, the contents of this entry is decrypted by AnserverBot to uncover the URL of second level C&C server. Then it will connect to the second level C&C server to retrieve the commands. This is rather interesting as it is the first one in Android malware history that uses public blogs as the C&C servers to send out commands. Our analysis so far successfully recovers 9 different versions of payload B posted in the last two months, which indicates the rapid evolution of this malware.

4. Protecting itself

Our analysis shows that the AnserverBot's author takes proactive measures to protect the infected apk from being reverse engineered and "re-packaged." Specifically,

Mitigation

We detected AnserverBot in unofficial Chinese Android markets. To the best our knowledge, we do not find the threat in the official Android Market. For mitigation, please follow basic, common-sense guidelines for smartphone security. For example,

Follow-ups:

Last modified: September 25th, 2011