In August, when Coolpad users updated their devices with an official patch, they soon found that their phones contained two unknown applications, MonkeyTest and TimeService, planted there by a malicious virus named Ghost Push. By 18th September, the number of newly infected devices per day had hit 700,000. Over 10,000 models have been affected, including Samsung, Coolpad, Moto and more (see below for a complete list of infected models).
Our data analysis shows that infected devices are mainly in America, Russia, Southeast Asia and southern China.
Ghost Push can gain system-level access to your mobile phone. With this privilege, it is able to root your device without your consent and download malicious apps like MonkeyTest and TimeService, which slow down your phone, drain your battery and consume a great deal of network traffic. What is especially dangerous about these viruses is that they are incredibly hard to get rid of: even if you uninstall them, they reappear when you restart your phone.
Since Ghost Push has been annoying millions of Android users, you must be wondering how it works and what you can do to get rid of it.
Ghost Push gets root privileges on your device and uses your network data to push advertisements to you. It can also automatically download useless applications without your knowledge.
Hackers have injected malicious code into popular applications and distributed the resulting files disguised as the original apps (please find the infected app list at the end of the article). Once users install these seemingly normal applications, the malicious code starts its work.
*** Part 1: Analysis of virus release and installation ***
1.1 Gaining root privileges
The malicious code sends configuration information, such as the phone model, to the server http://api.aedxdrcb.com/ggview/rsddateindex. It then fetches a root toolkit from http://down.upgamecdn.com/onekeysdk/tr_new/rt_0915_130.apk. This toolkit obtains root privilege on Android devices by exploiting system vulnerabilities present in tens of thousands of Android models.
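The check-in and toolkit download described above leave a recognisable trace in proxy or gateway logs. The following is an added example, not code from the original article: it parses constructed proxy log lines (the format and the client addresses are assumed, not real traffic), matches the hosts named in this analysis, and flags a client that contacts the configuration server and then downloads an .apk from one of those hosts in the same session. The assumption that any request to api.aedxdrcb.com counts as a check-in is mine; the article does not state the HTTP method.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Hosts named in the Ghost Push analysis on this page.
GHOST_PUSH_HOSTS = {
    "api.aedxdrcb.com",      # configuration check-in
    "down.upgamecdn.com",    # root toolkit download
    "massla.hdyfhpoi.com",   # MonkeyTest application info
    "u.syllyq1n.com",        # TimeService application info
}
CHECKIN_HOST = "api.aedxdrcb.com"

# Constructed proxy log: "<timestamp> <client> <method> <url> <status> <bytes>".
# These lines are made up for the example; they are not captured traffic.
SAMPLE_LOG = """\
2015-09-18T10:01:02Z 10.0.0.5 POST http://api.aedxdrcb.com/ggview/rsddateindex 200 512
2015-09-18T10:01:05Z 10.0.0.5 GET http://down.upgamecdn.com/onekeysdk/tr_new/rt_0915_130.apk 200 812345
2015-09-18T10:02:11Z 10.0.0.7 GET http://example.com/index.html 200 2048
2015-09-18T10:03:40Z 10.0.0.5 GET http://massla.hdyfhpoi.com/gkview/info/801 200 300
2015-09-18T10:04:00Z 10.0.0.9 GET http://cdn.example.net/app/update.apk 200 40000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def scan_log(text, hosts=GHOST_PUSH_HOSTS, checkin_host=CHECKIN_HOST):
    """Group hits on known hosts per client and flag the check-in -> .apk sequence.

    Returns {client: {"hits": [urls...], "rootkit_fetch_sequence": bool}}.
    """
    per_client = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] not in hosts:
            continue
        per_client.setdefault(rec["client"], []).append(rec)

    report = {}
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["time"])
        seen_checkin = False
        sequence = False
        for r in recs:
            if r["host"] == checkin_host:
                seen_checkin = True
            elif seen_checkin and r["url"].lower().endswith(".apk"):
                # Configuration sent, then a toolkit package pulled: the
                # rooting stage described in the analysis.
                sequence = True
        report[client] = {
            "hits": [r["url"] for r in recs],
            "rootkit_fetch_sequence": sequence,
        }
    return report


if __name__ == "__main__":
    for client, info in scan_log(SAMPLE_LOG).items():
        print(client, info)
```

Only the listed hosts are treated as indicators; the .apk fetched by 10.0.0.9 from an unlisted host is deliberately not reported, which keeps the rule precise enough to act on while the known-host list is what you would update as new infrastructure is identified.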
Here we mainly discuss root code targeting Samsung and MTK devices.
After gaining root privilege, the malicious code will 1) replace the debuggerd file; 2) tamper with the install-recovery.sh file; 3) create a malicious bin file; and 4) install a ROM virus.
1.2 Replace debuggerd file
The virus saves the original system debuggerd file as debuggerd-test and writes a malicious bin file into the system under the name “debuggerd”.
1.3 Tamper “install-recovery.sh”
1.4 Release malicious bin
The virus embeds the binary code of a malicious bin file in its Java code and writes that binary out to /system/xbin.
1.5 Install ROM virus
During execution, the malicious code writes a parent virus such as “camera_update” into the system directories /system/priv-app or /system/app.
Having gained root privilege, the malicious code makes sure that the camera_update parent virus is placed in /system/priv-app. Guarded by the bin file, this parent virus lives in your phone's ROM and cannot be uninstalled. More details are given later in the article.
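Steps 1.2 through 1.5 each leave a file-system artefact, which is what an investigator checks against a pulled system image or an `adb shell` listing. The following is an added example, not the article's code: it runs those checks over a constructed snapshot of /system (a dict of path to file bytes). The standard locations /system/bin/debuggerd and /system/etc/install-recovery.sh, the reference debuggerd bytes, the baseline install-recovery.sh contents, the /system/xbin allowlist and the malicious binary name "guardsvc" are all assumptions made for the example; the article does not name the bin file.

```python
import hashlib

# --- constructed reference data (assumptions for the example) ---
ORIGINAL_DEBUGGERD = b"ORIGINAL-DEBUGGERD-ELF"   # stands in for the vendor binary
BASELINE_INSTALL_RECOVERY = b"#!/system/bin/sh\n# stock contents (constructed baseline)\n"
XBIN_ALLOWLIST = {"strace", "dexdump"}           # what this build is expected to ship
ROM_MALWARE_DIRS = {"camera_update"}             # parent virus named in the analysis

DEBUGGERD = "/system/bin/debuggerd"
DEBUGGERD_BACKUP = "/system/bin/debuggerd-test"  # name the virus uses for the original
INSTALL_RECOVERY = "/system/etc/install-recovery.sh"
XBIN = "/system/xbin/"
APP_DIRS = ("/system/priv-app/", "/system/app/")

# Constructed snapshots; "guardsvc" is a placeholder name for the malicious bin.
INFECTED_SNAPSHOT = {
    DEBUGGERD: b"REPLACED-DEBUGGERD-ELF",
    DEBUGGERD_BACKUP: ORIGINAL_DEBUGGERD,
    INSTALL_RECOVERY: BASELINE_INSTALL_RECOVERY + b"/system/xbin/guardsvc &\n",
    "/system/xbin/strace": b"ELF",
    "/system/xbin/guardsvc": b"ELF-MALICIOUS",
    "/system/priv-app/camera_update/camera_update.apk": b"PK-APK",
    "/system/app/Calculator/Calculator.apk": b"PK-APK",
}
CLEAN_SNAPSHOT = {
    DEBUGGERD: ORIGINAL_DEBUGGERD,
    INSTALL_RECOVERY: BASELINE_INSTALL_RECOVERY,
    "/system/xbin/strace": b"ELF",
    "/system/app/Calculator/Calculator.apk": b"PK-APK",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def check_snapshot(snapshot, original_debuggerd=ORIGINAL_DEBUGGERD,
                   baseline=BASELINE_INSTALL_RECOVERY, xbin_allowlist=XBIN_ALLOWLIST):
    """Return a sorted list of indicator strings found in the snapshot."""
    findings = set()

    # 1.2: debuggerd replaced. Either the backup copy exists or the live
    # binary no longer matches the known-good hash.
    if DEBUGGERD_BACKUP in snapshot:
        findings.add("debuggerd_backup_present")
    live = snapshot.get(DEBUGGERD)
    if live is not None and sha256(live) != sha256(original_debuggerd):
        findings.add("debuggerd_hash_mismatch")

    # 1.3: install-recovery.sh tampered. Report every non-empty line that is
    # not part of the baseline script.
    baseline_lines = set(baseline.splitlines())
    for ln in snapshot.get(INSTALL_RECOVERY, b"").splitlines():
        if ln.strip() and ln not in baseline_lines:
            findings.add("install_recovery_extra_line:" + ln.decode(errors="replace"))

    # 1.4: unexpected binary dropped in /system/xbin.
    for path in snapshot:
        if path.startswith(XBIN):
            name = path[len(XBIN):]
            if "/" not in name and name not in xbin_allowlist:
                findings.add("unexpected_xbin:" + name)

    # 1.5: ROM-resident parent virus under /system/priv-app or /system/app.
    for path in snapshot:
        for prefix in APP_DIRS:
            if path.startswith(prefix):
                top = path[len(prefix):].split("/")[0]
                if top.lower() in ROM_MALWARE_DIRS:
                    findings.add("rom_app:" + prefix + top)

    return sorted(findings)


if __name__ == "__main__":
    for f in check_snapshot(INFECTED_SNAPSHOT):
        print(f)
```

The hash comparison is the check that survives a clever rename: a dropped binary can be called anything, but the vendor's debuggerd has one known digest per build, so keeping a table of expected hashes per model and firmware version is what makes step 1.2 detectable without relying on the debuggerd-test name.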
The camera_update parent virus will install malware like TimeService and MonkeyTest. These malware will use short links to get application information from servers (MonkeyTest from server: http://massla.hdyfhpoi.com/gkview/info/801; TimeService from server: http://u.syllyq1n.com/