Cajino
Summary
Details
Cajino is spyware discovered in March 2015. Its distinguishing feature is that it receives its commands via Baidu Cloud Push messages. In addition to alternative markets, samples were available on the Google Play store, where they reached more than 50,000 downloads.
Stage 1: Registration
The application must be launched at least once. When it is, the onCreate() method runs a Baidu Push API registration procedure so that the phone can receive Push messages from the remote server:
// register with Baidu Push only once; api_key is read from the app's meta-data
if (!Utils.hasBind(this.getApplicationContext())) {
    PushManager.startWork(this.getApplicationContext(), 0, Utils.getMetaValue((Context) this, "api_key"));
}
Meanwhile, MainActivity displays an empty WebView and pops up a dialog box asking whether to update, with "Yes" and "No" buttons. Neither button does anything: there is no code behind them.
Stage 2: Receiving Push messages
The malware has a receiver named PushMessageReceiver. It reacts to the following intents broadcast by the Baidu push service:
<action android:name="com.baidu.android.pushservice.action.MESSAGE"/>
<action android:name="com.baidu.android.pushservice.action.RECEIVE"/>
<action android:name="com.baidu.android.pushservice.action.notification.CLICK"/>
When a Push message is received, PushMessageReceiver calls BaiduUtils.getFile(), which checks whether the incoming message is addressed to this device; if so, it calls BaiduUtils.getIt() to execute the requested command. This function lists every action the malware can perform.
Cajino is able to steal the contacts, steal the call logs, steal all SMS (inbox and sent), get the last known location of the device, steal sensitive identifiers (IMEI, IMSI, phone number), and list all files stored on the external storage. For each of these features, the malware first writes the results to files in /sdcard/DCIM/Camera/ before uploading them to the remote server. The malware can also send an SMS to any number given by the server, and upload to the server or delete any file stored on the external storage.
In some versions of the malware (e.g. ca.ji.no.method2), more features are available. For example, it can record the microphone with a MediaRecorder for a duration, in seconds, given by the server:
BaiduUtils.recorder.prepare();
BaiduUtils.recorder.start();
Thread.sleep(int1 * 1000); // int1 = recording duration in seconds, sent by the server
BaiduUtils.recorder.stop();
BaiduUtils.recorder.release();
It can also download an APK file to /sdcard/update/ and ask the system to install it on the device:
private static void installApk(final Context context, String str) {
    // the argument is ignored: the path is always /sdcard/update/update.apk
    str = Environment.getExternalStorageDirectory() + "/update/update.apk";
    final Intent intent = new Intent("android.intent.action.VIEW");
    intent.addFlags(268435456); // Intent.FLAG_ACTIVITY_NEW_TASK
    intent.setDataAndType(Uri.fromFile(new File(str)), "application/vnd.android.package-archive");
    context.startActivity(intent); // hands the APK to the system package installer, so the user sees the install prompt
}
The last feature of Cajino is an ordinary phone call to a number given by the server, not hidden from the user. That makes a total of 12 distinct features the malware can perform. All the necessary permissions are declared in the manifest, so the user is shown the requested permissions at installation time.
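The manifest-level indicators described above (a receiver for the Baidu push actions plus the permission set needed for the twelve features) can be checked statically, before any dynamic triggering. The following Python script is an added example written for this page, not code from the malware or from the page's own samples. The two manifests it parses are constructed: the receiver name, its three actions and the package name ca.ji.no.method2 come from this page, while the permission-to-feature mapping is the standard Android permission model and is an assumption, not something read from the sample.

```python
"""Static triage for Cajino-style Android spyware (added example, not malware code).
Flags a manifest that both registers a Baidu Cloud Push receiver and requests
the permissions needed for the data-theft features described above."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # ElementTree spelling of android:name

# Intent actions the Cajino PushMessageReceiver listens for (from the page).
BAIDU_PUSH_ACTIONS = {
    "com.baidu.android.pushservice.action.MESSAGE",
    "com.baidu.android.pushservice.action.RECEIVE",
    "com.baidu.android.pushservice.action.notification.CLICK",
}

# Permission -> feature mapping. Assumption: standard Android permission
# requirements for each feature; not taken from the sample itself.
CAPABILITY_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "steal contacts",
    "android.permission.READ_CALL_LOG": "steal call logs",
    "android.permission.READ_SMS": "steal SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.ACCESS_COARSE_LOCATION": "get last known location",
    "android.permission.READ_PHONE_STATE": "steal IMEI/IMSI/phone number",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write/delete files on external storage",
    "android.permission.RECORD_AUDIO": "record microphone",
    "android.permission.CALL_PHONE": "place a call",
    "android.permission.INTERNET": "talk to the C&C server",
}

# Constructed manifest approximating the sample (not a real extracted file).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="ca.ji.no.method2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".PushMessageReceiver">
      <intent-filter>
        <action android:name="com.baidu.android.pushservice.action.MESSAGE"/>
        <action android:name="com.baidu.android.pushservice.action.RECEIVE"/>
        <action android:name="com.baidu.android.pushservice.action.notification.CLICK"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign control: also uses Baidu push, but requests nothing sensitive.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.newsreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><receiver android:name=".NewsPushReceiver"><intent-filter>
    <action android:name="com.baidu.android.pushservice.action.MESSAGE"/>
  </intent-filter></receiver></application>
</manifest>
"""


def push_receivers(root):
    """Map each receiver name to the Baidu push actions its intent-filters declare."""
    found = {}
    for receiver in root.iter("receiver"):
        hits = {a.get(NAME) for a in receiver.iter("action")} & BAIDU_PUSH_ACTIONS
        if hits:
            found[receiver.get(NAME)] = hits
    return found


def capabilities(root):
    """Features the requested permissions would allow, sorted for stable output."""
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    return sorted(CAPABILITY_PERMISSIONS[p] for p in perms if p in CAPABILITY_PERMISSIONS)


def triage(manifest_xml, min_capabilities=4):
    """Findings for one manifest. 'suspicious' requires a push receiver AND enough
    data-theft capabilities: Baidu push on its own is used by legitimate apps."""
    root = ET.fromstring(manifest_xml)
    receivers = push_receivers(root)
    caps = capabilities(root)
    return {
        "package": root.get("package"),
        "push_receivers": receivers,
        "capabilities": caps,
        "suspicious": bool(receivers) and len(caps) >= min_capabilities,
    }


if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        r = triage(m)
        print(r["package"], "SUSPICIOUS" if r["suspicious"] else "clean", r["capabilities"])
```

The threshold (min_capabilities) is the deliberate caveat: a Baidu push receiver is not an indicator by itself, since many legitimate apps distributed in China use Baidu Cloud Push, so the script only flags the combination of remote command reception with a permission set that matches the theft features listed above. On a real sample, run it on the manifest decoded by apktool or aapt rather than the raw binary AndroidManifest.xml.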
Other resources
Triggering
adb shell am broadcast -a com.baidu.android.pushservice.action.MESSAGE --es message_string "all list_file"
and then:
adb shell am broadcast -a com.baidu.android.pushservice.action.MESSAGE --es message_string "all photo"
Together, these two broadcasts list all the files stored in /sdcard/ and send the list to the remote server.
Characteristics
Malware type:
- Remote Administration Tool (RAT)
- Spyware
Attacks:
- Confidentiality
- Normal use
Infection technique: Standalone application
Malicious code type:
- Use Java code
- Use native code
Hiding techniques:
- Not hidden
Triggering techniques:
- Executed at launch
- Waits for a message from a remote server
Samples
Java source code extracts:
bind.java is the part of the code used to register the phone in order to receive Push messages from the remote server.
MainActivity.java is the code used to build the only activity; we can see there is no code triggered by the buttons.
getIt.java is the function used to switch between C&C server commands.
getLocation.java is the function used to get the last known location of the device.
sendSMS.java is the function used to send SMS.
record.java is a function from another version of the malware, used to record the phone's microphone.
installApk.java is a function from another version of the malware, used to install an application downloaded under the name "update.apk".