{"id":473,"date":"2016-03-24T21:19:49","date_gmt":"2016-03-25T05:19:49","guid":{"rendered":"https:\/\/www.pnfsoftware.com\/blog\/?p=473"},"modified":"2018-12-19T13:37:04","modified_gmt":"2018-12-19T21:37:04","slug":"analysis-of-android-golem-downloader-component","status":"publish","type":"post","link":"https:\/\/www.pnfsoftware.com\/blog\/analysis-of-android-golem-downloader-component\/","title":{"rendered":"Analysis of Android.Golem downloader component"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Recently, we came across a new malware sample which appears to be a module of a recent Android trojan dubbed <\/span><i><span style=\"font-weight: 400;\">Golem<\/span><\/i><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Golem has been found in several countries and hundreds of thousands of phones have already been infected, according to <\/span><a href=\"https:\/\/www.cmcm.com\/blog\/en\/security\/2016-03-02\/954.html\"><span style=\"font-weight: 400;\">reports<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n
<p><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/9d5cb5528ab01cfd60434cf84eec7b45.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/9d5cb5528ab01cfd60434cf84eec7b45.png\" alt=\"\" width=\"1248\" height=\"960\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400;\">We performed a detailed analysis of the malware using JEB; the operations it carries out can be divided into several steps:<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Step 1<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">When the user boots the phone, unlocks the screen or turns the screen on, the malware automatically downloads a file named \u201cconf_plugin.txt\u201d, which contains configuration fields such as \u201cupdate\u201d, \u201cmd5\u201d and \u201curl\u201d.<\/span><\/p>\n
<p><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/65672a86c73ffe97dea8f205c8ceac32.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/65672a86c73ffe97dea8f205c8ceac32.png\" alt=\"\" width=\"1324\" height=\"172\" \/><\/a><\/p>\n<h3><span style=\"font-weight: 400;\">Step 2<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">The malware then checks whether a jar file named \u201cic.jar\u201d exists in the phone\u2019s storage. If it does not, or if its MD5 differs from the MD5 given in \u201cconf_plugin.txt\u201d (meaning the local dex differs from the dex on the remote server), the malware downloads the dex.<\/span><\/p>\n
<p><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/2b2966c29be19cfde67a6cd36a17ad04.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/2b2966c29be19cfde67a6cd36a17ad04.png\" alt=\"\" width=\"864\" height=\"428\" \/><\/a><\/p>\n<h3><span style=\"font-weight: 400;\">Step 3<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">After that, the malware installs and runs the dex, executing the \u201conCreate\u201d function of the &#8220;com.facebook.mini.service.RunService&#8221; class.<\/span><\/p>\n
<p><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/7a70b0b53588594d6c219e5002bf1ca0.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/7a70b0b53588594d6c219e5002bf1ca0.png\" alt=\"\" width=\"1584\" height=\"418\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400;\">The complete process can be represented by the graph below:<\/span><\/p>\n
<p><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/18466dd204a5eeda79f7456dd3f3d638.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/18466dd204a5eeda79f7456dd3f3d638.png\" alt=\"\" width=\"1556\" height=\"952\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400;\">Based on the analysis, the malware can automatically download, launch and run applications without the user\u2019s authorization. The downloaded apps run with the set of permissions already requested by the downloader:<\/span><\/p>\n
<p><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/4f0eea7289a235ca851766aaca0bdd17.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/4f0eea7289a235ca851766aaca0bdd17.png\" alt=\"\" width=\"1036\" height=\"648\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400;\">Through this malware, an attacker can easily obtain the victim\u2019s personal information and contacts, or even bank account details and passwords. The attacker can also remotely control the phone to open a specified application and perform malicious operations for illicit profit.<\/span><\/p>\n<p style=\"text-align: left;\">Sample SHA256:<br \/>\n3cb7a4792725d381653fcca18d584f9fbe47d67f455db03e3c53e8e8e7736385<\/p>\n<p><strong><em>Analysis by Ruoxiao Wang<\/em><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently, we came across a new malware sample which appears to be a module of a recent Android trojan dubbed Golem. Golem has been found in several countries and hundreds of thousands of phones have already been infected, according to reports. We performed a detailed analysis of the malware using JEB; the operations it carries out &hellip; <a href=\"https:\/\/www.pnfsoftware.com\/blog\/analysis-of-android-golem-downloader-component\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Analysis of Android.Golem downloader component<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,2],"tags":[],"class_list":["post-473","post","type-post","status-publish","format-standard","hentry","category-android","category-malware"],"_links":{"self":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/473","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/comments?post=473"}],"version-history":[{"count":0,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/473\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/media?parent=473"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/categories?post=473"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/tags?post=473"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}