SHA1 hash:
- 97978deb466d6a1a2dd4fdc3e63a6f800d96005c
Description
We discovered this trojan in numerous mods of various popular apps. Using the Spotify streaming mod Spotify “[AIMODS] Spotify v9.0.70.5 (arm64).apk” as an example, we'll examine how it works.
This trojan uses the same command and control server as Android.Phantom.2.origin: dllpgd[.]click. SHA1 for the apk file of this infected mod is 97978deb466d6a1a2dd4fdc3e63a6f800d96005c. The SDK name in the trojan code: DllpgdLiteSDK.
The malware queries the above server and receives tasks to download remote code. Here is an example of a task received for a request to hxxps[:]//dllpgd[.]click/api/v1/dllpgd/getConfig.
{
"dllpgdConfig": {
"plugins": [
{
"id": "1",
"name": "device_collection",
"url": "hxxps[:]//app-download[.]cn-wlcb[.]ufileos[.]com/dllpgd_plugin%2Fdevice_info%2Fencrypted_device_info_251024182609",
"md5": "253c0eebc3b81719e6dfcf48644988e6",
"className": "com.imuw.device_info.DeviceInfo",
"delayRunSeconds": "1",
"lastVersion": "251024182609",
"password": "JViQRjTaPuwfjn9d",
"pluginStatus": 1,
"endDelete": true
},
{
"id": "4",
"name": "gegu_sdk",
"url": "hxxps[:]//app-download[.]cn-wlcb[.]ufileos[.]com/dllpgd_plugin%2Fgegu_sdk%2Fencrypted_gegu_sdk_250607141254",
"md5": "022946550d2e746a962f29a736818be6",
"className": "com.imuw.gegu_sdk.GeguSDK",
"delayRunSeconds": "1",
"lastVersion": "250607141254",
"password": "S5UvPqNkfEAncaDP",
"pluginStatus": 1,
"startIndex": "10",
"runInSubProcess": true
},
{
"id": "6",
"name": "h5_v1_refactor",
"url": "hxxps[:]//app-download[.]cn-wlcb[.]ufileos[.]com/dllpgd_plugin%2Fh5_lite%2Fencrypted_h5_lite_250924162836",
"md5": "ce8a781080d0218ed3a3e35f9d1b6350",
"className": "com.idlmlpugdw.h5_v1_refactor.H5V1Refactor",
"needRun": true,
"delayRunSeconds": "1",
"lastVersion": "250924162836",
"password": "YsKJlMfPgHW6CTl6",
"pluginStatus": 1,
"startIndex": "50",
"runInSubProcess": true
}
],
"sessionId": "ХХХ"
}
}The remote malware files are downloaded from the URL hxxps[:]//app-download[.]cn-wlcb[.]ufileos[.]com. Note that the Android.Phantom.2.origin neural network files are also downloaded from this URL. The code arrives encrypted, and the task contains a "password" field—this is the utf-8-encoded key for decrypting files, using the AES algorithm in ECB mode.
Next, the following plugins are installed on the device:
- device_collection is Android.Phantom.5.origin. It sends device information to hxxps[:]//iboot[.]site, including the phone number, geolocation, and the list of apps;
- gegu_sdk is the final payload: Android.Phantom.4.origin. The functionality is the same as that of Android.Phantom.5;
- h5_v1_refactor — Android.Phantom.2.origin.
MITRE matrix
| Stage | Technique |
|---|---|
|
Initial Access |
Managing application versions (T1661) |
|
Execution |
Command and Scripting Interpreter (T1623) |
|
Defense Evasion |
Managing application versions (T1661) Download New Code at Runtime (T1407) Input Injection (T1516) Obfuscated files or information (T1406) Virtualization/Sandbox Evasion (T1633) System Checks (T1633.001) |
|
Discovery |
Location Tracking (T1430) Software Discovery (T1418) System Information Discovery (T1426) System Network Configuration Discovery (T1422) |
|
Data Collection |
Location Tracking (T1430) Protected User Data (T1636) Screen Capture (T1513) |
|
Command and Control |
Application Layer Protocol (T1437) Encrypted Channel (T1521) Symmetric Encryption (T1521.001) Ingress Tool Transfer (T1544) Remote Access Software (T1663) |
|
Destructive impact |
Generate Traffic from Victim (T1643) Input Injection (T1516) |
More about Android.Phantom.5.origin
