My research team, in collaboration with NQ Mobile, has identified a new malware family called TGLoader that piggybacks on several apps in alternative markets. The malware embeds the exploid root exploit to gain root privilege. After that, it installs several payloads (both native binary programs and Android apps) unbeknownst to users. It also listens to remote C&C servers for further instructions. Specifically, one "phone-home" function supported in TGLoader retrieves a destination number and a related message body from the C&C servers. Once received, it composes the message and sends it out in the background. This is a typical strategy that has been widely used in recent Android malware to send SMS messages to premium-rate numbers.
To bootstrap its payloads, TGLoader adds a new service that does not exist in the original app. This service is launched automatically when the host app runs. The following figure shows the differences between the manifest files of the original app (left) and the repackaged app (right).
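A manifest diff of this kind can be automated as a triage check. The following is an added example, not code from the original analysis or from NQ Mobile: it parses two AndroidManifest.xml documents and reports the services, broadcast receivers and permissions that only the repackaged app declares. The two manifests are constructed samples, and every component name in them (the `com.hypothetical.loader.*` classes) is a placeholder, not an identifier taken from TGLoader. It generalizes the figure's service comparison to receivers and permissions, since a repackaged app that sends SMS in the background also needs permissions the original app never requested.

```python
import xml.etree.ElementTree as ET

# Android's XML namespace; attribute names are stored as "{namespace}name".
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Constructed sample manifests (not taken from any real sample). The
# "repackaged" one declares an extra service, a boot receiver and SEND_SMS.
ORIGINAL_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.host">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Host">
    <activity android:name=".MainActivity"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""

REPACKAGED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.host">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Host">
    <activity android:name=".MainActivity"/>
    <service android:name=".SyncService"/>
    <service android:name="com.hypothetical.loader.BootService"/>
    <receiver android:name="com.hypothetical.loader.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def declared_names(manifest_xml, tag):
    """Return the set of android:name values of every <tag> element in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter(tag) if el.get(NAME_ATTR)}


def added_components(original_xml, repackaged_xml,
                     tags=("service", "receiver", "uses-permission")):
    """Diff two manifests.

    Returns {tag: sorted names} for every component kind that the repackaged
    app declares but the original does not; an empty dict means no additions.
    """
    diff = {}
    for tag in tags:
        extra = declared_names(repackaged_xml, tag) - declared_names(original_xml, tag)
        if extra:
            diff[tag] = sorted(extra)
    return diff


if __name__ == "__main__":
    for tag, names in added_components(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST).items():
        print(f"{tag}: added {', '.join(names)}")
```

To use this against real APKs, decode the binary AndroidManifest.xml of a known-good build and of the suspect build (for example with apktool) and pass the two decoded documents in; a service or permission that appears only on the suspect side is what the figure above highlights by hand.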
Upon execution, the service copies all of its payloads, including native binaries and embedded APKs, into the current directory. In the meantime, it launches the exploid root exploit to elevate its privilege. After obtaining root privilege, it copies the enclosed native binary programs into the system partition. One native program in particular connects to the remote C&C servers, reports information collected from the infected phone, and waits for instructions. As mentioned earlier, we have identified four different C&C servers.
Using the elevated root privilege, TGLoader also installs the enclosed Android apps and starts them. These installed apps coordinate with each other to perform malicious operations. One such operation sends premium SMS messages in the background, with the message content and destination number fetched from the C&C servers, causing financial loss to the victim.
Last modified: March 22, 2012