ANDROIDOS_LOTOOR.G
Rooting Tool, Hacking/Cracking Tool
Android OS

Threat Type: Others
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This malware checks whether its main executable is being run by root and whether its file name is "boomsh". If so, it takes ownership of /data/local/tmp/sh and sets its permissions (Read only, Execute Only, Full). It then copies itself to /data/local/tmp/boomsh and copies the system shell's binary from /system/bin/sh to /data/local/tmp/sh.
It obtains certain operating system information.
This malware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
47,016 bytes
Other
No
03 Aug 2011
Steals information
Arrival Details
This malware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Other Details
More information on this vulnerability can be found below:
NOTES:
This malware checks whether its main executable is being run by root and whether its file name is "boomsh". If so, it takes ownership of /data/local/tmp/sh and sets its permissions (Read only, Execute Only, Full). It then copies itself to /data/local/tmp/boomsh and copies the system shell's binary from /system/bin/sh to /data/local/tmp/sh.
It obtains the following operating system information:
- Build ID
- Build Version Release
It opens /proc/net/netlink and scans it to find /system/bin/vold. It then opens the file /system/bin/vold and locates the .GOT address range in it, which is used for the exploit.
It checks what type of device is used and calculates the correct index value for the mPartMinors array.
It then attempts to exploit the addresses within the .GOT range, using a Netlink socket to send the malicious message that contains the exploit. This triggers memory corruption and allows users to gain root privileges.
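The file artifacts described above can be checked for directly. The following is an added example, not part of the original entry or of any Trend Micro tool: a shell function that looks for /data/local/tmp/boomsh and /data/local/tmp/sh and compares the latter with /system/bin/sh. The function names and the root argument are assumptions; it expects a POSIX ls and cmp, as on an analysis host with the device filesystem mounted or extracted.

```shell
#!/bin/sh
# Added example: triage for the file artifacts this entry describes.
# Argument 1 (assumption): "" to check the live filesystem, or the mount
# point of an extracted device image, e.g. /mnt/image.

# Print "<mode> uid=<uid>" for a file, from fields 1 and 3 of `ls -ln`.
mode_and_uid() {
    set -- $(ls -ln "$1")
    echo "$1 uid=$3"
}

# Prints one FOUND line per artifact; returns 1 if any was found, else 0.
check_lotoor_artifacts() {
    root="${1:-}"
    tmp="$root/data/local/tmp"
    status=0

    # The malware copies itself to /data/local/tmp/boomsh.
    if [ -f "$tmp/boomsh" ]; then
        echo "FOUND $tmp/boomsh ($(mode_and_uid "$tmp/boomsh"))"
        status=1
    fi

    # It also copies /system/bin/sh to /data/local/tmp/sh and changes the
    # copy's owner and permissions, so report both and compare the bytes.
    if [ -f "$tmp/sh" ]; then
        if cmp -s "$tmp/sh" "$root/system/bin/sh" 2>/dev/null; then
            match="identical to /system/bin/sh"
        else
            match="differs from /system/bin/sh"
        fi
        echo "FOUND $tmp/sh ($(mode_and_uid "$tmp/sh"), $match)"
        status=1
    fi

    return "$status"
}

# Usage: check_lotoor_artifacts /mnt/image
```

A root-owned (uid=0) shell copy in /data/local/tmp is the combination to look for; the files alone can also be leftovers from a failed attempt.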
SOLUTION
8.900
1.125.00
14 Aug 2011
Step 1
Trend Micro Mobile Security Solution
Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.
Download and install the Trend Micro Mobile Security App via Google Play.
Step 2
Remove unwanted apps on your Android mobile device