Mobile Malware Investigation Report
Incident Summary
- The infection chain begins with a Lua script targeting mobile devices.
- The script is executed by a game cheat application that, in our assessment, is likely running with root privileges.
- The cheat app's Lua environment is meant to be sandboxed, so script code should not be able to reach the rest of the device. The attacker nevertheless appears to have escaped the sandbox, either through custom API functions the app exposes to scripts or through a memory-corruption (overflow) bug; the exact mechanism has not yet been confirmed.
- Following the escape, a malicious APK is downloaded and an installation attempt is made on the device.
- The APK then attempts to obtain root privileges.
- If root is obtained, it prepares the environment for a second-stage payload.
- The malware hides its files in locations that antivirus products either cannot reach or can monitor only with restricted permissions:
  - /persist/
  - /mnt/vendor/persist/ (on many devices /persist is a symlink to this path, so the two may be the same storage)
  - /sys/
  Note that /sys is sysfs, a kernel-generated pseudo-filesystem: it holds no stored files and its contents are recreated at boot, so anything observed there is transient and the persistent copy must live elsewhere.
- Under normal operation the malware produces no visible output. During testing we deliberately crashed it, and the resulting error messages exposed several useful details.
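The directories listed above are worth sweeping during triage of a rooted device. The following Python script is an added example written for this report and is not code recovered from the malware or from the cheat app: it walks the given paths without following symlinks, identifies files by their magic bytes (ELF, DEX, ZIP/APK, Lua bytecode) rather than by name, and reports path, type, size, mode and modification time. It leaves /sys out of the default set for the reason given above. The `build_sample_tree` fixture and its file names are constructed for demonstration only; to use it for real, run `scan(DEFAULT_ROOTS)` on the device (for example under `adb shell` with a Python build) or point `scan` at directories copied off with `adb pull`.

```python
"""Sweep low-visibility Android paths for executable payloads.

Files are identified by magic bytes, not by name, because a payload dropped into a
persist partition is unlikely to keep a telltale .apk/.so extension.  Added example
for this report; not code recovered from the malware or the cheat application.
"""
import os
import stat
import tempfile

# Directories named in the report.  /sys is deliberately left out: it is sysfs, a
# kernel-generated pseudo-filesystem with no stored files, and reading arbitrary
# sysfs nodes can block.  Pass it explicitly to scan() if you still want to look.
DEFAULT_ROOTS = ["/persist", "/mnt/vendor/persist"]

# (magic prefix, label) for the artefact types the report describes.
MAGICS = [
    (b"\x7fELF", "elf"),            # native binary or shared object
    (b"dex\n", "dex"),              # Dalvik executable
    (b"PK\x03\x04", "zip/apk"),     # an APK is a ZIP container
    (b"\x1bLua", "lua-bytecode"),   # precompiled Lua (luac output)
]


def classify(header):
    """Return a label for a known executable/container magic, else None."""
    for magic, label in MAGICS:
        if header.startswith(magic):
            return label
    return None


def scan(roots, max_depth=6):
    """Walk each root (never following symlinks) and return regular files whose
    leading bytes match an executable/container magic, whatever their names."""
    findings = []
    for root in roots:
        root = root.rstrip("/") or "/"
        base_depth = root.count("/")
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            if dirpath.count("/") - base_depth >= max_depth:
                dirnames[:] = []  # stop descending; keep the walk bounded
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                    if not stat.S_ISREG(st.st_mode):
                        continue  # symlinks, device nodes and sockets are not payload files
                    with open(path, "rb") as fh:
                        header = fh.read(8)
                except OSError:
                    continue  # unreadable or vanished mid-scan; keep hunting
                kind = classify(header)
                if kind is not None:
                    findings.append({
                        "path": path,
                        "type": kind,
                        "size": st.st_size,
                        "mode": oct(st.st_mode & 0o7777),
                        "mtime": int(st.st_mtime),
                    })
    return findings


def build_sample_tree(base):
    """Constructed fixture, not data from the incident: a fake persist directory
    holding a renamed APK, a renamed ELF, renamed Lua bytecode and a harmless file."""
    persist = os.path.join(base, "persist", ".cache")
    os.makedirs(persist)
    samples = {
        "thumb.dat": b"PK\x03\x04" + b"\x00" * 60,                 # APK disguised as data
        "libnet.cfg": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 56,   # ELF disguised as config
        "fonts.ttf": b"\x1bLua\x54\x00" + b"\x00" * 58,            # Lua bytecode disguised as a font
        "notes.txt": b"calibration=1\n",                           # benign
    }
    for name, content in samples.items():
        with open(os.path.join(persist, name), "wb") as fh:
            fh.write(content)
    return [os.path.join(base, "persist")]


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    return scan(build_sample_tree(tempfile.mkdtemp(prefix="hunt-")))


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['type']:<13} {hit['mode']} {hit['size']:>6}  {hit['path']}")
```

Treat every hit as something to pull and hash, not as a verdict: vendors legitimately store calibration blobs in the persist partitions, so the follow-up is to compare against a clean device of the same model.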
False Flag Indicator (Chinese Connection)
- After the crash, the error output contained:
  - Chinese (Han) characters in the error messages.
  - Class and package names following a “com.cn.*” naming pattern.
- Taken at face value, this points to Chinese-speaking developers.
- However, the actor distributing the malware appears to be of Arabic origin.
- We therefore strongly suspect a false flag: the Chinese strings and com.cn.* names may have been planted deliberately to mislead analysts and obscure the actor's identity. Embedded string language and package naming are weak attribution signals on their own, since both are trivial to plant, so this assessment should be corroborated with infrastructure, tooling or timing evidence before it is treated as final.
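Pulling these indicators out of crash output can be automated so that every class name and foreign-script string is recorded before attribution is argued. The Python snippet below is an added example, not tooling from the investigation: it takes logcat-style crash text, extracts `at` stack frames, collects Han-script string runs and every identifier under the com.cn.* prefix, and separates frames that belong to that package from Android framework frames. `SAMPLE_CRASH`, including its package names, messages and file path, is constructed to illustrate the shape of such output and is not the actual crash text from this case.

```python
import re

# Package prefix reported in the crash output.  Everything matched under it is an
# indicator to record, not proof of origin: names and strings are trivially planted.
CN_PREFIX = "com.cn."
CN_IDENT = re.compile(r"\bcom\.cn(?:\.[A-Za-z_$][\w$]*)+")
# Han ideographs (CJK Unified Ideographs and Extension A).
HAN_RUN = re.compile(r"[\u4e00-\u9fff\u3400-\u4dbf]+")
# Java stack frame "at pkg.Class.method(File.java:NN)" anywhere on a logcat line.
FRAME = re.compile(r"\bat\s+([\w$.]+)\.([\w$<>]+)\(([^)]*)\)")

# Constructed logcat-style crash text for demonstration; package names, messages
# and the path are placeholders, not the incident's real crash output.
SAMPLE_CRASH = """\
E AndroidRuntime: FATAL EXCEPTION: main
E AndroidRuntime: Process: com.cn.loader, PID: 4123
E AndroidRuntime: java.lang.RuntimeException: 初始化失败: config missing
E AndroidRuntime:     at com.cn.loader.core.Bootstrap.init(Bootstrap.java:88)
E AndroidRuntime:     at com.cn.loader.svc.Daemon.onCreate(Daemon.java:41)
E AndroidRuntime:     at android.app.ActivityThread.handleCreateService(ActivityThread.java:4562)
E AndroidRuntime: Caused by: java.io.FileNotFoundException: /persist/.cfg/state.bin: 文件不存在
"""


def extract_indicators(log_text):
    """Return stack frames, Han-script string runs and com.cn.* identifiers found
    in crash text, plus the subset of frames that lie inside com.cn.* code."""
    frames, han, cn = [], [], set()
    for line in log_text.splitlines():
        han.extend(HAN_RUN.findall(line))
        m = FRAME.search(line)
        if m:
            cls, method, loc = m.groups()
            frames.append((cls, method, loc))
            if cls.startswith(CN_PREFIX):
                cn.add(cls)
        else:
            # Non-frame lines: process name, exception messages, "Caused by" lines.
            cn.update(CN_IDENT.findall(line))
    return {
        "frames": frames,
        "own_frames": [f for f in frames if f[0].startswith(CN_PREFIX)],
        "cn_identifiers": sorted(cn),
        "han_strings": han,
    }


if __name__ == "__main__":
    ind = extract_indicators(SAMPLE_CRASH)
    print("com.cn.* identifiers:", ind["cn_identifiers"])
    print("Han strings:", ind["han_strings"])
    for cls, method, loc in ind["own_frames"]:
        print(f"  own frame: {cls}.{method} ({loc})")
```

The `own_frames` list is the useful part for reverse engineering: those classes are where to start in the decompiled APK, whoever wrote them. The Han strings and package prefix go into the indicator record as observations, with the attribution question left to evidence that is harder to fake.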
Threat Score: 9 / 10