Android.MagicAd.1.origin

Added to the Dr.Web virus database: 2026-04-14

Description added:

SHA1 hashes:

  • d3415f06879c72d76d873b2e260e3cf014f48666
  • 4628098e1a153dd514de5563aeaaec90ba4fba5d

Description

Android.MagicAd.1.origin is a component of the Android.MagicAd.1 trojan; Android.MagicAd.1 decrypts it from its file resources and launches it. It is a dex executable file that implements the main functionality for displaying ads.

Operating routine

The Android.MagicAd.1 trojan decrypts a native library from a file located in its /assets resource directory. Next, it decrypts dex files from this library, including Android.MagicAd.4 and Android.MagicAd.1.origin.

Android.MagicAd.1 malware uses Android.MagicAd.4 to launch Android.MagicAd.1.origin.

The main task of Android.MagicAd.1.origin is to launch advertising activities while operating in the background.

Android.MagicAd.1.origin registers the following intent filters:

  • com.android.start — this is the main filter used to process the advertising intent that the Android.MagicAd.1 malware sends as an object. From this intent, the filter obtains the intent for launching advertising activity in the background.
  • com.android.start.simple — this filter creates the object of the pending intent for launching the advertisement; it is not used in the current trojan version.
  • com.android.jkp — this filter launches an intent for displaying an advertisement via the chooser dialog (this dialog allows the user to choose in which app a particular action must be performed); it is not used in the current trojan version.
  • com.android.media — this filter is required for displaying ads via Media Player.

Using a virtual screen

Android.MagicAd.1.origin checks the Build.VERSION.SECURITY_PATCH parameter (the system security patch version). If the current version is older than 20230901, the trojan creates a 1x1-pixel virtual display; this display allows the malware to raise the priority of its background process and protect it from being terminated by the system.

Displaying ads

When Android.MagicAd.1.origin receives the intent with the advertisement from Android.MagicAd.1, it selects the most suitable way, based on the infected device model, to display the ad in the background.

Pending Intents

Android.MagicAd.1.origin can launch advertising activities via other apps with the help of pending intents. Depending on the target program, the mechanism can vary.

Variant 1

This variant is implemented via the Mi Browser (com.android.browser) program.

When Android.MagicAd.1.origin receives the initial intent for launching advertising activity, it wraps this intent into the pending intent and sends it to the Mi Browser app. The browser extracts the original intent from the pending intent and launches it. This intent launches the activity that displays the target advertisement.

Figure: When Mi Browser is launched, Android.MagicAd.1.origin sends it a pending intent containing the activity for displaying the advertisement

Variant 2

This variant is implemented by interacting with the programs com.amazon.tv.launcher (the Amazon Fire TV Home Screen launcher for Amazon TV devices) and com.android.systemui (the SystemUI graphical shell for Xiaomi devices).

Figure: Android.MagicAd.1.origin’s logic responsible for sending the intent containing the advertising activity

After receiving the initial intent for launching the activity containing the advertisement from Android.MagicAd.1, Android.MagicAd.1.origin sends a separate intent to the target apps so that they call the trojan from the background. These programs are either sending their own broadcast intent for launching the trojan (in the case of com.android.systemui) or launching the trojan directly (in the case of com.amazon.tv.launcher).

com.android.systemui

If the target app is com.android.systemui, Android.MagicAd.1.origin checks whether the trojan is the only program in the system with the broadcast receivers for processing the com.miui.intent.action.DOUBLE_CLICK events. This is necessary to ensure that the intent which the target app sends is guaranteed to reach the trojan and launch it.

If this condition is met, Android.MagicAd.1.origin calls the Content Provider method in the program, using the authority identifier com.miui.systemui.keyguard.wallpaper. When this method is processed, the target app launches the trojan. After that, Android.MagicAd.1.origin launches the activity containing the advertisement from the pending intent received from the main malware app.

Figure: A fragment of the Android.MagicAd.1.origin code responsible for the trojan launching the SystemUI application

com.amazon.tv.launcher

If the target app is com.amazon.tv.launcher, Android.MagicAd.1.origin launches it by sending it the intent (com.amazon.device.DEEPLINK) containing the parameter packageName in which the trojan specifies its own package name. Next, Android.MagicAd.1.origin directly launches the advertising activity from the pending intent.

Figure: A fragment of the Android.MagicAd.1.origin code responsible for launching the Amazon Fire TV Home Screen application by sending it the corresponding intent

Launching advertising activities using Android Binder on Vivo devices

On Vivo devices, Android.MagicAd.1.origin launches advertising activities using Android Binder by sending it regular intents via the Parcel data container. This supposedly allows the trojan to launch other apps in the background. The target apps are:

  • com.iqoo.secure (iManager)
  • com.android.contacts (the phonebook)
  • com.vivo.browser (the browser)
  • com.baidu.input_vivo (the keyboard)

Android.MagicAd.1.origin tries to launch itself through them and then launches the advertising activity.

Binder Inject

Binder injects can also be used on Vivo devices. The trojan searches for every android.accounts.AccountAuthenticator service on the infected device, obtains the IBinder field from them, and injects its own Binder into the service. Next, the trojan requests the system to register an account. Since the original Binder was replaced with the trojan one, the malicious program gains control, and its Binder returns its own intent for launching advertising activity.

Launching advertising activities via Media Player

Android.MagicAd.1.origin can display ads via Media Player. This method is utilized if the infected device’s Android SDK version is 34 or higher, or if the following requirements are met:

  • the device is not an Amazon product;
  • if the Android SDK version is 30 or higher and it is a Vivo device, it must have a system security patch whose version is higher than the specified version.

The Android.MagicAd.1 code fragment where this check is implemented is shown below:

  !mw_rom_class.mw_check_rom_name_amazon() || Build.VERSION.SDK_INT > 30 ? mw_vivo_binder_hijack_class.mw_get_vivo_sec_patch() >= 20220601 : false
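The two version checks described above (the security patch cutoff in "Using a virtual screen" and the Media Player precondition in this section) can be modelled so that a defender can quickly tell which device configurations the module's background paths apply to. The following Python is an added example, not code from the Dr.Web description or from the malware. The device profiles are constructed, the helper names are our own, and where the decompiled fragment and the prose summary leave room for interpretation (what the Vivo patch helper returns on non-Vivo devices, and ">" versus ">=" against the patch threshold), the code follows the prose summary with the 20220601 threshold from the fragment and marks that as an assumption.

```python
"""Added example: model the version checks quoted in the Android.MagicAd.1
description as device-exposure triage. Not Dr.Web's or the malware's code."""
from dataclasses import dataclass

# Thresholds quoted in the description: 20230901 (virtual display path) and
# 20220601 (Media Player path, taken from the decompiled fragment).
VIRTUAL_DISPLAY_PATCH_CUTOFF = 20230901
MEDIA_PLAYER_PATCH_CUTOFF = 20220601


@dataclass
class DeviceProfile:
    """Constructed device profile; field names mirror android.os.Build."""
    sdk_int: int            # Build.VERSION.SDK_INT
    security_patch: str     # Build.VERSION.SECURITY_PATCH, e.g. "2023-08-05"
    manufacturer: str       # Build.MANUFACTURER


def security_patch_to_int(patch: str) -> int:
    """Turn 'YYYY-MM-DD' into the YYYYMMDD integer the checks compare against.
    A missing or malformed value maps to 0, i.e. 'oldest possible', which is
    the conservative choice for exposure triage."""
    parts = patch.split("-")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return 0
    year, month, day = (int(p) for p in parts)
    return year * 10000 + month * 100 + day


def uses_virtual_display(dev: DeviceProfile) -> bool:
    """Patch level older than 20230901 => the 1x1 virtual display is created."""
    return security_patch_to_int(dev.security_patch) < VIRTUAL_DISPLAY_PATCH_CUTOFF


def media_player_path_applies(dev: DeviceProfile) -> bool:
    """Prose semantics of the Media Player precondition:
    SDK >= 34, or (not Amazon and, for Vivo on SDK >= 30, a recent patch).
    Assumption: the Vivo patch requirement is only evaluated on Vivo devices
    and uses >= 20220601 as in the decompiled fragment."""
    if dev.sdk_int >= 34:
        return True
    vendor = dev.manufacturer.lower()
    if vendor == "amazon":
        return False
    if dev.sdk_int >= 30 and vendor == "vivo":
        return security_patch_to_int(dev.security_patch) >= MEDIA_PLAYER_PATCH_CUTOFF
    return True


def exposed_paths(dev: DeviceProfile) -> list:
    """List the described background-launch paths a profile is exposed to."""
    paths = []
    if uses_virtual_display(dev):
        paths.append("1x1 virtual display")
    if media_player_path_applies(dev):
        paths.append("Media Player ad launch")
    return paths


if __name__ == "__main__":
    # Constructed sample fleet for a quick triage printout.
    fleet = [
        DeviceProfile(33, "2023-08-05", "Xiaomi"),
        DeviceProfile(34, "2024-01-01", "Amazon"),
        DeviceProfile(31, "2022-01-01", "vivo"),
        DeviceProfile(30, "2023-10-01", "Amazon"),
    ]
    for dev in fleet:
        print(dev, "->", exposed_paths(dev) or ["none of the described paths"])
```

One caveat when reading the decompiled fragment itself: in Java the conditional operator binds more weakly than ||, so the fragment groups as (!amazon || SDK_INT > 30) ? patch >= 20220601 : false. The example above deliberately follows the prose summary rather than that grouping, and says so in its comments.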

If a device meets the required parameters, Android.MagicAd.1 uses Base64 to decode the string, which it then saves as a file in the directory /files. The name of this file is a concatenation of the MD5 hash value of the trojan package name and the string _ddsound. This file will then be used to play it in the media player.

Android.MagicAd.1 creates a media player and sets its volume to minimum:

  media_player_obj.media_player.setVolume(1.0f, 1.0f);

The trojan then creates a MediaSession instance, which allows the media player to be connected with Android’s global media control system.

Next, via setMediaButtonReceiver(), Android.MagicAd.1 sets a pending intent that launches the Media Receiver. By running the command Runtime.getRuntime().exec("cmd media_session dispatch record").waitFor();, the trojan simulates pressing the record button in the media player and immediately closes the player.

Before running the command, Android.MagicAd.1 also stores the initial intent in a static class variable. As a result, the intent reaches the Media Receiver, which fires a LocalBroadcast event with the value com.android.media. This event is handled by the trojan module Android.MagicAd.1.origin, which launches the initial intent containing the advertisement sent by Android.MagicAd.1.
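Many of the behaviours described above are tied to concrete strings: the intent filter actions, the SystemUI content provider authority and broadcast action, the Fire TV deep-link action, the media_session command and the _ddsound file suffix. The following Python scanner is an added example and not Dr.Web's tooling: it groups those page-listed strings by the behaviour they belong to and reports which groups occur in a string dump (for instance the output of strings on a decrypted dex). The sample dumps are constructed. Several of the strings also occur in benign software (com.android.media, android.accounts.AccountAuthenticator, the target package names), so the scanner treats such hits as generic and only reports a behaviour when a specific string is present or at least two of its strings co-occur.

```python
"""Added example: map strings quoted in the Android.MagicAd.1.origin description
to the behaviours they belong to and report which appear in a string dump.
Not Dr.Web's tooling; sample dumps below are constructed."""

# Indicator groups taken from the description. Each entry is
# (string, specific); specific=False marks strings common in benign apps,
# which never trigger a report on their own.
INDICATOR_GROUPS = {
    "intent filters (ad launch)": [
        ("com.android.start", True),
        ("com.android.start.simple", True),
        ("com.android.jkp", True),
        ("com.android.media", False),
    ],
    "SystemUI relaunch (Xiaomi)": [
        ("com.miui.intent.action.DOUBLE_CLICK", True),
        ("com.miui.systemui.keyguard.wallpaper", True),
    ],
    "Fire TV launcher relaunch (Amazon)": [
        ("com.amazon.device.DEEPLINK", True),
        ("com.amazon.tv.launcher", False),
    ],
    "Binder inject via account authenticators (Vivo)": [
        ("android.accounts.AccountAuthenticator", False),
        ("com.iqoo.secure", False),
        ("com.vivo.browser", False),
        ("com.baidu.input_vivo", False),
    ],
    "Media Player ad launch": [
        ("cmd media_session dispatch record", True),
        ("_ddsound", True),
    ],
}


def scan_strings(dump):
    """Return {behaviour: [matched indicator strings]} for every group that
    has a specific hit or at least two hits (substring match per line, so a
    content:// URI still matches its authority)."""
    lines = [line.strip() for line in dump if line.strip()]
    report = {}
    for behaviour, indicators in INDICATOR_GROUPS.items():
        hits = [ind for ind, _ in indicators if any(ind in line for line in lines)]
        specific = [ind for ind, spec in indicators if spec and ind in hits]
        if specific or len(hits) >= 2:
            report[behaviour] = hits
    return report


# Constructed dump resembling strings from a sample with the MIUI and
# Media Player paths present.
SAMPLE_DUMP = [
    "Landroid/content/Intent;",
    "com.android.start",
    "com.android.media",
    "com.miui.intent.action.DOUBLE_CLICK",
    "content://com.miui.systemui.keyguard.wallpaper",
    "cmd media_session dispatch record",
    "_ddsound",
    "Ljava/lang/Runtime;",
]

# Constructed dump from a benign app that merely uses media and account APIs.
BENIGN_DUMP = [
    "com.android.media",
    "android.accounts.AccountAuthenticator",
    "Ljava/lang/String;",
]

if __name__ == "__main__":
    for name, dump in (("sample", SAMPLE_DUMP), ("benign", BENIGN_DUMP)):
        report = scan_strings(dump)
        print(name, "->", report if report else "no described behaviour matched")
```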


Curing recommendations


Android

  1. If the mobile device is operating normally, download and install the free anti-virus product Dr.Web for Android Light on it. Run a full system scan and follow the recommendations for neutralising the detected threats.
  2. If the mobile device has been locked by a ransomware trojan of the Android.Locker family (the screen displays an accusation of breaking the law, a demand to pay a certain sum of money, or another message that prevents normal use of the device), do the following:
    • boot your smartphone or tablet in safe mode (depending on the operating system version and the specifics of the particular mobile device, this can be done in different ways; consult the manual supplied with the device or contact its manufacturer directly);
    • once safe mode is active, install the free anti-virus product Dr.Web for Android Light on the infected device and run a full system scan, following the recommendations for neutralising the detected threats;
    • switch the device off and turn it back on in normal mode.
