Vault7: CIA Hacking Tools Revealed
Navigation: » Directory » Android » Android » RoidRage » RoidRage Bootstrap Methods
RoidRage Debuggerd Startup (ICS/JB)
The debuggerd startup method for RoidRage on ICS/Jellybean phones follows the following process:
- Debuggerd service starts, started by the 'init' process per the 'init.rc' script
- Inside of the do_server function, we have added a call to our own function, start_rr
- Initialize the hook for the ril by changing the rild.libpath property so that our library will be loaded in place of the original ril library. Our ril library (referred to as the 'ril shim') then loads the original and man-in-the-middle's function calls that go to and from the actual library.
- Load the flag file that is used to determine state in the case of a crash (IEInternet Explorer determine if RRRoidRage (Malware) is already running and if so, what is its PIDProcess ID)
- Create the startup thread, which:
- calls do_fork(), which
- simply forks from debuggerd (since SELinux is not enabled and thereby restricting the debuggerd process)
- drop the precore stub to the ramdisk from an array in memory which is encrypted, decrypting it in the process
- executes the precore stub (followed by the RoidRage precore, followed by RoidRage itself)
- calls do_fork(), which
- Create the property thread which:
- waits for rild to start up
- checks to see if rild has been successfully hooked
- kills rild if it is not hooked
- once it has been hooked, it restores the rild.libpath to the value that it should be so that it does not appear to have been changed