Retailers are taking advantage of the portable computing power of smartphones to attract prospective customers with location-aware deals, such as coupons. Recently, my research team, in collaboration with NQ Mobile, discovered a Trojaned coupon app on an alternative Chinese app market. The malware it contains makes the app do far more than offer a menu of coupons: DroidCoupon roots vulnerable phones, then installs and runs apps on the device while uninstalling other packages -- all without asking for user consent.
Infected apps register a number of hooks designed to start the malware's main service. These hooks will be activated when the app runs or various system events occur (such as the device booting up). Once started, the malware contacts a remote C&C server (http://a.xxxxxxx-inc.net:9000), providing it with the device's IMEI number and subscriber ID. Subsequently DroidCoupon receives instructions from this server to either download and install additional packages or remove others.
DroidCoupon maintains a SQLite database to track the status of the device. This database contains records for the packages to be installed and removed, and is kept in sync by subscribing to the android.intent.action.PACKAGE_ADDED and android.intent.action.PACKAGE_REMOVED events. Every package installed or removed from the device is also recorded, though this information does not leave the device in the samples we have encountered.
In order to install and remove packages without the user's knowledge or consent, the malware contains the "RageAgainstTheCage" root exploit. This exploit, effective against Android 2.2 and earlier, is launched on demand on vulnerable devices. Having escalated its privileges to root, the malware can then invoke the package manager utility to install and remove packages.
To conceal its nature, DroidCoupon employs several obfuscation techniques. For example, the "RageAgainstTheCage" exploit code is masked as a picture and unpacked only when needed. In addition, the malware disguises many suspicious strings as integer arrays. These strings include the ones used to build the command-line invocations issued during the rooting process (shown above) as well as the URL of the remote C&C server, among others.
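A static check for this particular trick, as an added example that is not code from the original post or from the malware: it assumes (the post does not spell out the encoding) that each integer in an array is one character code, and the decompiled snippet it scans is constructed for the example, with a made-up URL in place of the real C&C address.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of decompiled Java: two arrays hide strings,
# the third is ordinary numeric data and must not be reported.
SAMPLE_SOURCE = """
private static final int[] A = {104, 116, 116, 112, 58, 47, 47, 101, 120, 97, 109, 112, 108, 101, 46, 105, 110, 118, 97, 108, 105, 100, 58, 57, 48, 48, 48};
private static final int[] B = {112, 109, 32, 105, 110, 115, 116, 97, 108, 108, 32};
private static final int[] C = {1, 2, 3, 4000};
"""

# Matches "<name> = {n, n, ...}" int array literals in decompiled source.
INT_ARRAY_RE = re.compile(r"(\w+)\s*=\s*\{\s*([0-9,\s]+)\}")
URL_RE = re.compile(r"^https?://\S+$")
# Fragments a defender would expect in hidden command lines (assumed list).
SHELL_HINTS = ("pm install", "pm uninstall", "/system/bin/", "chmod ", "su ")


def decode_int_array(values: List[int]) -> Optional[str]:
    """Return the text an array hides, or None if any element is not printable ASCII."""
    if not values or any(v < 32 or v > 126 for v in values):
        return None
    return "".join(chr(v) for v in values)


def classify(text: str) -> str:
    """Label a decoded string: 'url', 'shell', or plain 'text'."""
    if URL_RE.match(text):
        return "url"
    if any(hint in text for hint in SHELL_HINTS):
        return "shell"
    return "text"


def scan_source(source: str) -> Dict[str, Tuple[str, str]]:
    """Map each array name to (decoded string, verdict) for arrays that decode to text."""
    findings: Dict[str, Tuple[str, str]] = {}
    for match in INT_ARRAY_RE.finditer(source):
        name, body = match.group(1), match.group(2)
        values = [int(x) for x in body.split(",") if x.strip()]
        decoded = decode_int_array(values)
        if decoded is not None:
            findings[name] = (decoded, classify(decoded))
    return findings


if __name__ == "__main__":
    for name, (text, verdict) in scan_source(SAMPLE_SOURCE).items():
        print(f"{name}: {verdict:5s} {text!r}")
```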
Once a package has been installed by DroidCoupon, it is invoked by the malware. Part of the installation command record includes how to start the installed package, either as an Activity that is visible to the user or as a background Service.
Last modified: September 16th, 2011