Chinese ad firm pwns Android users, creates hijackable global botnet

Horrid marketing outfit roots user phones, exposes devices to malware hell

A Chinese advertising company has infected and 'completely' hijacked likely hundreds of thousands of Android handsets with an attack so careless it exposes a global botnet to easy hijacking and opens handsets to total compromise by any malware.

FireEye (yet again, these guys need to get some sleep) researchers Yulong Zhang, Zhaofeng Chen, and Yong Kang say Chinese marketing company Xinyinhe which promotes itself as a big player in the app advertising game is behind the attack.

They didn't tag the number of infected devices, but Xinyinhe claims to have 'customers' in 50 countries and be valued as of November at $100 million after it received some $20 million in seed funding in 2013.

FireEye has been asked for the number of infected victims.

The trio say the attack builds its network of customers by tricking them to install malware that gains root access on some 308 different handsets running virtually all versions of the Android operating system from Gingerbread (2.3.4) to the lastest stable Lollipop (5.1.1) build.

These victims are enslaved into a "very large" global botnet that, incredibly, uses plain text for command and control communications allowing "anyone" to hijack it.

Infection process

Infection process

Once infected the malware will install legitimate but booby trapped applications without user consent, automatically clicking installation and permission warning prompts.

It installs a backdoor and maintains persistence on devices, and opens its attack vector to compromise by third party malware.

Xinyinhe cannot be reached for comment as it has taken down its site and another linked to the malware. Web archives were not accessible at the time of publication.

"This is a worldwide, spreading malicious adware family with a high threat, likely controlled by a Chinese organisation," the researchers say .

An overview of the malicious adware workflow

An overview of the malicious adware workflow.

"Any affected user may have inadvertently compromised their user credentials for some online services [and should] change their passwords for any online services such as iTunes, online banking, email, and work accounts."

The trio says the attackers are so careless that the infected app which have "full control" root access to phones will allow anyone malware share that priveleged access.

This means writers of less harmful malware could take advantage of the infections to gain root privilege, hijack the devices, and inflict "permanent damages".

So far some 300 infected apps have been discovered including the popular Amazon, Memory Booster, and Clean Master.

World infection map

World infection map

The adware uses "novel" and impressive techniques for persistence and obfuscation such as installing system level services, and modifying the boot recovery script used to flash new operating system ROMs.

Zhang, Chen, and Kang say attackers have repackaged the popular apps with malicious logic that is continuously updated.

The most recent samples sport more powerful obfuscation and packing mechanisms.

Additional technical information is available in FireEye's analysis. ®




Biting the hand that feeds IT © 1998–2019