1. Loki Android trojan variant gains the ability to root devices
Title: Loki Trojan Infects Android Libraries and System Process to Get Root Privileges
Author info: December 13, 2016 07:16 AM By Catalin Cimpanu
//BEGIN
Malware authors have released a new version of the Android Loki trojan, which can now infect native Android OS libraries, after an earlier version had already gained the ability to infect core operating system processes.
This trojan, named Loki, was first seen in February 2016 and was discovered by Russian antivirus vendor Dr.Web.
The Russian security company Dr.Web recently reported a new variant. The original version was discovered in February this year. The malware runs on the Android platform and is named Loki. Unlike the February version, which could infect core system processes, the new Loki variant can infect native Android system library files.
//END
The difference between the two Loki versions, the February and the December variants, is the files they targeted. The February version targeted the native Android "system_server" process.
The December variant modifies a native system library and adds an extra dependency that loads one of Loki's three components (libz.so, libcutils.so or liblog.so). Whenever the Android OS needs the tainted library, it also loads the Loki trojan, which starts its malicious activity as root, the standard user under which all core libraries execute.
Fortunately, just like in February, this malware is currently used to show annoying ads only. If Loki were used as part of banking trojans, ransomware, or cyber-surveillance toolkits, it would be a force to be reckoned with. Because Loki entangles itself deep in the Android OS files, the only way to remove the trojan is to reinstall (reflash) the entire operating system.
The two versions differ in what they infect: one targets the system_server process, while the other modifies the system's library files and adds an extra layer of dependency. As a result, whenever the system calls the infected library file, the trojan is loaded along with it. So even when run by an ordinary user, it can be escalated to Root privileges.
Fortunately, so far the only function of this malicious code is to display ads and download apps. But if this malicious code were one day combined with well-known banking trojans, ransomware, network surveillance software and the like, the consequences would be extremely serious.
The reason is that this trojan intrudes into the core of the Android OS, and ordinary means cannot remove it at all.
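The mechanism described above leaves a concrete trace: a system library's dependency list (its ELF DT_NEEDED entries) gains one entry it did not have on a clean build. The following is an added, defender-side example, not code from Dr.Web or from the article: a small Python checker that parses the DT_NEEDED entries of an ELF64 little-endian shared object and reports any dependency that is absent from a trusted baseline. Because the planted component reuses legitimate library names (libz.so, libcutils.so, liblog.so), an allow-list of names alone is not sufficient; the baseline must be the exact dependency set of the same library taken from a clean copy of that firmware build. The ELF builder and the sample library names are constructed for the demonstration; the parser handles 64-bit little-endian objects only.

```python
import struct

SHT_STRTAB = 3
SHT_DYNAMIC = 6
DT_NULL, DT_NEEDED = 0, 1


def needed_libraries(data: bytes) -> list:
    """Return the DT_NEEDED entries of an ELF64 little-endian shared object, in file order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles ELF64 little-endian objects only")
    # e_shoff lives at 0x28 (8 bytes); e_shentsize and e_shnum at 0x3A and 0x3C (2 bytes each).
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    sections = []
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        # Elf64_Shdr prefix: name, type, flags, addr, offset, size, link
        _, sh_type, _, _, sh_offset, sh_size, sh_link = struct.unpack_from("<IIQQQQI", data, off)
        sections.append((sh_type, sh_offset, sh_size, sh_link))
    needed = []
    for sh_type, sh_offset, sh_size, sh_link in sections:
        if sh_type != SHT_DYNAMIC:
            continue
        # sh_link of .dynamic is the index of the string table (.dynstr) it refers to.
        _, str_off, str_size, _ = sections[sh_link]
        strtab = data[str_off:str_off + str_size]
        for pos in range(sh_offset, sh_offset + sh_size, 16):  # Elf64_Dyn is 16 bytes
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                end = strtab.index(b"\0", d_val)
                needed.append(strtab[d_val:end].decode())
    return needed


def unexpected_dependencies(data: bytes, baseline) -> list:
    """Dependencies present in the object but not in the trusted baseline for that library."""
    return sorted(set(needed_libraries(data)) - set(baseline))


def build_minimal_elf(needed) -> bytes:
    """Construct a synthetic ELF64 (AArch64, ET_DYN) containing only .dynstr and .dynamic.

    This is test scaffolding for the example, not a real Android library.
    """
    strtab = b"\0"
    offsets = []
    for name in needed:
        offsets.append(len(strtab))
        strtab += name.encode() + b"\0"
    dynamic = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets)
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    str_off = 64                      # right after the 64-byte ELF header
    dyn_off = str_off + len(strtab)
    shoff = dyn_off + len(dynamic)

    def shdr(sh_type, off, size, link):
        return struct.pack("<IIQQQQIIQQ", 0, sh_type, 0, 0, off, size, link, 0, 1, 0)

    # Section index 0 is the mandatory null header; 1 = .dynstr; 2 = .dynamic (links to 1).
    shdrs = shdr(0, 0, 0, 0) + shdr(SHT_STRTAB, str_off, len(strtab), 0) \
        + shdr(SHT_DYNAMIC, dyn_off, len(dynamic), 1)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 0xB7, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    return ehdr + strtab + dynamic + shdrs


if __name__ == "__main__":
    # Constructed sample: a clean library and a copy that gained one extra dependency.
    baseline = ["libc.so", "libutils.so"]
    clean = build_minimal_elf(baseline)
    tampered = build_minimal_elf(baseline + ["libz.so"])
    print("clean:", unexpected_dependencies(clean, baseline))        # []
    print("tampered:", unexpected_dependencies(tampered, baseline))  # ['libz.so']
```

On a real device image the baseline would be generated once per firmware build from a known-clean copy (for example by running needed_libraries over every object under /system/lib64 and storing the result), and the check repeated against the installed files; any library whose dependency set has grown is worth a closer look.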
Comment: once malicious code has been planted into the native Android system, is reflashing the device the only remedy?