How to extract Malware from Firmware of Mobile Devices

Every day we hear about the more and more new devices containing malware in the firmware. Virus analysts at the company “Doctor Web” have announced the identification of new Trojans that attackers have implemented in the firmware of dozens of models of mobile devices running the Android OS. One of the Trojans that got Android.DownLoader.473.origin name is in the firmware of the set of models of popular Android-devices running on MTK platform hardware.

Android.DownLoader.473.origin is a Trojan downloader that starts every time you turn on the infected device. Malware monitors the activity of Wi-Fi-module and after the discovery of a network connection connects to the control server receives from the configuration file to the task. This file contains information about the application that you need to download the Trojan. After downloading this program silently installs Android.DownLoader.473.origin it. As hackers team is able to download the Trojan to the infected device, any software. It can be as innocuous as well as unwanted or even malicious program. One of the secondary application, called H5GameCenter, triggers ads on the top of the application. To make it even more annoying, the loader will reinstall the app if you remove it.

Today we will tell how the search for Malware in Firmware. In order to understand how to look for viral android need to know some basics of Linux architecture theory, disassembly binaries, as well as other related concepts. In order to know where to look for what, it’s important to understand the overall architecture of the system. The loader first part of the code that will be executed when the system boots. His job is to prepare the kernel for execution, jump in and stop working. From this point, the kernel controls the hardware and uses it to launch space user logic. Having the source code of the loader can understand how to run custom firmware on the device or change something; some loaders are much more feature-rich than others. With the core can find the weak algorithms used for security purposes, and other disadvantages. Most importantly, we can use the drivers to compile and run our own operating system on the device.

That being said, if you are looking for 0-days, backdoors or confidential data, it is best not to projects with open source. Device specific and closed source software, developed by the manufacturer or one of their suppliers are not tested so much, and may very well be riddled with errors. Most of this code is stored in binary form in user space; we received the entire file system, so we’re good. Without the source code for the user space of binary files, we need to find a way to read the machine code inside the binary files. That’s where the showdown comes. The code inside every executable binary is just a compilation of instructions encoded as Machine Code.

The structure of a binary can vary greatly depending on compiler, developers, etc. How functions call each other is not always straightforward for a disassembler to figure out. That means you may run into lots of ‘orphaned’ functions, which exist in the binary but do not have a known caller.

In order to find the virus in Android firmware, you must have theoretical knowledge android architecture, to understand what the compilation and decompilation of binaries, the loader, the kernel.

More.