Security Alert: New TGLoader Android Malware Utilizes the Exploid Root Exploit

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University

My research team, in collaboration with NQ Mobile, has identified a new malware called TGLoader that piggybacks on several apps in alternative markets. This malware embedded the exploid root exploit to gain the root privilege. After that, it further installed several payloads (including both native binary programs and Android apps) unbeknownst to users. The malware also listens to remote C&C servers for further instructions. Specifically, one particular "phone-home" function supported in TGLoader is to retreive a destination number and related message body from the C&C servers. Once received, it composes the message and sends it out in the background. This is a typical strategy that has been widely used in recent Android malware to send out SMS messages to premium-rate numbers.

How it works

Based on our analysis, TGLoader repackages legitimate apps by enclosing its own malicious payloads in them. The sample we analyzed is a repackaged game app available in alternative Android Markets. In the following, we show a screenshot of the repackaged game app.

To bootstrap its payloads, TGLoader adds a new service that does not exist in original apps. This service will be automatically launched when the host app runs. The following figure shows the difference of the manifest files between the original app (left one) and the repackaged app (right one).

Upon the execution, it will copy all of its payloads, including native binaries and embedded apks into the current directory. In the meantime, it will also launch the exploid root exploit to elevate its privilege. After getting the root privilege, it will copy enclosed native binary programs into the system partition. One particular native program will connect to the remote C&C servers with information collected in the infected phones and wait for instructions. As mentioned earlier, we have identified four different C&C servers.

http://www.v******.com/tgloader-android
http://www.v*****.com/tgloader-android
http://www.v*****.com/tgloader-android
http://www.v******.com/tgloader-android

Based on the elevated root privilege, TGLoader will also install enclosed Android apps and start their execution. These installed apps co-ordinate with each other to perform malicious operations. One operation involves sending premium SMS messages in the background with the message content and destination number fetched from the C&C servers, hence causing financial loss to the victim.

Mitigation:

We found this malware in unofficial Android Markets. To the best of our knowledge, we do not find the threat in the official Android Market (now Google Play). For mitigation, please follow common-sense guidelines for smartphone security. For example,

Follow-ups:

Last modified: March 22, 2012