Hi everybody,
I have accessed an Android device through ADB and executed the "ps" command. The list of processes is the following. Do you find any suspicious one? I cannot. As a clue, my client thinks his conversations are recorded and sent outside by a trojan horse, and it seems he is telling the truth; I trust him.
The "voicecallrecorder" is a normal recorder that you can get in the Google Market, not a trojan.
USER PID PPID VSIZE RSS WCHAN PC NAME
root 1 0 996 520 ffffffff 00000000 S /init
root 2 0 0 0 ffffffff 00000000 S kthreadd
root 3 2 0 0 ffffffff 00000000 S ksoftirqd/0
root 6 2 0 0 ffffffff 00000000 D kworker/u0
root 7 2 0 0 ffffffff 00000000 D kworker/u0H
root 8 2 0 0 ffffffff 00000000 S migration/0
root 21 2 0 0 ffffffff 00000000 S khelper
root 22 2 0 0 ffffffff 00000000 S netns
root 27 2 0 0 ffffffff 00000000 S kworker/01H
root 28 2 0 0 ffffffff 00000000 S modem_notifier
root 29 2 0 0 ffffffff 00000000 S smd_channel_clo
root 30 2 0 0 ffffffff 00000000 S smsm_cb_wq
root 32 2 0 0 ffffffff 00000000 S rpm-smd
root 33 2 0 0 ffffffff 00000000 S kworker/u1H
root 34 2 0 0 ffffffff 00000000 S mpm
root 35 2 0 0 ffffffff 00000000 S irq/47-cpr
root 53 2 0 0 ffffffff 00000000 S sync_supers
root 54 2 0 0 ffffffff 00000000 S bdi-default
root 55 2 0 0 ffffffff 00000000 S kblockd
root 56 2 0 0 ffffffff 00000000 S system
root 57 2 0 0 ffffffff 00000000 S khubd
root 58 2 0 0 ffffffff 00000000 S irq/102-msm_iom
root 59 2 0 0 ffffffff 00000000 S irq/102-msm_iom
root 60 2 0 0 ffffffff 00000000 S irq/102-msm_iom
root 61 2 0 0 ffffffff 00000000 S irq/79-msm_iomm
root 62 2 0 0 ffffffff 00000000 S irq/78-msm_iomm
root 63 2 0 0 ffffffff 00000000 S irq/78-msm_iomm
root 64 2 0 0 ffffffff 00000000 S irq/74-msm_iomm
root 65 2 0 0 ffffffff 00000000 S irq/75-msm_iomm
root 66 2 0 0 ffffffff 00000000 S irq/75-msm_iomm
root 67 2 0 0 ffffffff 00000000 S irq/273-msm_iom
root 68 2 0 0 ffffffff 00000000 S irq/273-msm_iom
root 69 2 0 0 ffffffff 00000000 S irq/273-msm_iom
root 70 2 0 0 ffffffff 00000000 S irq/97-msm_iomm
root 71 2 0 0 ffffffff 00000000 S irq/97-msm_iomm
root 72 2 0 0 ffffffff 00000000 S irq/97-msm_iomm
root 73 2 0 0 ffffffff 00000000 S devfreq_wq
root 74 2 0 0 ffffffff 00000000 S l2cap
root 75 2 0 0 ffffffff 00000000 S a2mp
root 76 2 0 0 ffffffff 00000000 S cfg80211
root 78 2 0 0 ffffffff 00000000 S irq/468-adsp
root 79 2 0 0 ffffffff 00000000 S irq/404-mba
root 80 2 0 0 ffffffff 00000000 S irq/532-wcnss
root 81 2 0 0 ffffffff 00000000 S qmi
root 82 2 0 0 ffffffff 00000000 S nmea
root 83 2 0 0 ffffffff 00000000 S msm_ipc_router
root 84 2 0 0 ffffffff 00000000 S apr_driver
root 85 2 0 0 ffffffff 00000000 D kswapd0
root 86 2 0 0 ffffffff 00000000 S fsnotify_mark
root 87 2 0 0 ffffffff 00000000 S crypto
root 105 2 0 0 ffffffff 00000000 D mdss_dsi_event
root 106 2 0 0 ffffffff 00000000 S diag_real_time_
root 107 2 0 0 ffffffff 00000000 S diag_modem_data
root 108 2 0 0 ffffffff 00000000 S diag_lpass_data
root 109 2 0 0 ffffffff 00000000 S diag_wcnss_data
root 110 2 0 0 ffffffff 00000000 S diag_wq
root 111 2 0 0 ffffffff 00000000 S diag_cntl_wq
root 112 2 0 0 ffffffff 00000000 S diag_dci_wq
root 113 2 0 0 ffffffff 00000000 S kgsl-3d0
root 114 2 0 0 ffffffff 00000000 S kgsl_devfreq_wq
root 115 2 0 0 ffffffff 00000000 S irq/335-2-000c
root 122 2 0 0 ffffffff 00000000 S usbnet
root 123 2 0 0 ffffffff 00000000 S k_rmnet_mux_wor
root 124 2 0 0 ffffffff 00000000 S f_mtp
root 125 2 0 0 ffffffff 00000000 S file-storage
root 126 2 0 0 ffffffff 00000000 S uether
root 127 2 0 0 ffffffff 00000000 S kpsmoused
root 128 2 0 0 ffffffff 00000000 S rmi_det_workque
root 129 2 0 0 ffffffff 00000000 S als_wq
root 130 2 0 0 ffffffff 00000000 S msm_vidc_worker
root 131 2 0 0 ffffffff 00000000 S pm_workerq_venu
root 132 2 0 0 ffffffff 00000000 S msm_vidc_worker
root 133 2 0 0 ffffffff 00000000 S msm_cpp_workque
root 134 2 0 0 ffffffff 00000000 D dbs_sync/0
root 135 2 0 0 ffffffff 00000000 D dbs_sync/1
root 136 2 0 0 ffffffff 00000000 D dbs_sync/2
root 137 2 0 0 ffffffff 00000000 D dbs_sync/3
root 138 2 0 0 ffffffff 00000000 S cfinteractive
root 139 2 0 0 ffffffff 00000000 S binder
root 140 2 0 0 ffffffff 00000000 S usb_bam_wq
root 141 2 0 0 ffffffff 00000000 S tpa6165
root 142 2 0 0 ffffffff 00000000 S krfcommd
root 143 2 0 0 ffffffff 00000000 S bam_dmux_rx
root 144 2 0 0 ffffffff 00000000 S bam_dmux_tx
root 145 2 0 0 ffffffff 00000000 S rq_stats
root 146 2 0 0 ffffffff 00000000 S kcompact
root 147 2 0 0 ffffffff 00000000 S deferwq
root 151 2 0 0 ffffffff 00000000 S mmcqd/0
root 152 2 0 0 ffffffff 00000000 S mmcqd/0rpmb
root 154 2 0 0 ffffffff 00000000 S sb-1
root 155 2 0 0 ffffffff 00000000 D ngd_rx_thread1
root 156 2 0 0 ffffffff 00000000 D ngd_notify_sl1
root 157 1 936 388 ffffffff 00000000 S /sbin/ueventd
root 159 2 0 0 ffffffff 00000000 S jbd2/mmcblk0p34
root 160 2 0 0 ffffffff 00000000 S ext4-dio-unwrit
root 162 2 0 0 ffffffff 00000000 S f2fs_gc-2594
root 167 2 0 0 ffffffff 00000000 S jbd2/mmcblk0p33
root 168 2 0 0 ffffffff 00000000 S ext4-dio-unwrit
root 169 2 0 0 ffffffff 00000000 S jbd2/mmcblk0p29
root 170 2 0 0 ffffffff 00000000 S ext4-dio-unwrit
root 172 2 0 0 ffffffff 00000000 S jbd2/mmcblk0p1-
root 173 2 0 0 ffffffff 00000000 S ext4-dio-unwrit
root 184 2 0 0 ffffffff 00000000 S IPCRTR
root 186 2 0 0 ffffffff 00000000 S ipc_rtr_q6_ipcr
root 188 2 0 0 ffffffff 00000000 S msm_slim_qmi_cl
root 189 2 0 0 ffffffff 00000000 S msm_qmi_rtx_q
root 193 2 0 0 ffffffff 00000000 S jbd2/mmcblk0p26
root 194 2 0 0 ffffffff 00000000 S ext4-dio-unwrit
root 195 2 0 0 ffffffff 00000000 S ext4-dio-unwrit
root 199 2 0 0 ffffffff 00000000 S irq/288-wcd9xxx
mot_pwric 212 1 1008 344 ffffffff 00000000 S /system/bin/batt_health
logd 251 1 7712 2280 ffffffff 00000000 S /system/bin/logd
root 252 1 1588 172 ffffffff 00000000 S /sbin/healthd
root 253 1 2364 556 ffffffff 00000000 S /system/bin/lmkd
system 254 1 1176 420 ffffffff 00000000 S /system/bin/servicemanager
root 255 1 6092 612 ffffffff 00000000 S /system/bin/vold
system 256 1 78784 4068 ffffffff 00000000 S /system/bin/surfaceflinger
system 258 1 2900 524 ffffffff 00000000 S /system/bin/rfs_access
nobody 269 1 7588 568 ffffffff 00000000 S /system/bin/rmt_storage
root 272 1 12152 784 ffffffff 00000000 S /system/bin/netd
root 273 1 1736 276 ffffffff 00000000 S /system/bin/debuggerd
radio 276 1 37952 2640 ffffffff 00000000 S /system/bin/rild
drm 277 1 15244 988 ffffffff 00000000 S /system/bin/drmserver
media 278 1 47428 4808 ffffffff 00000000 S /system/bin/mediaserver
root 282 2 0 0 ffffffff 00000000 S kauditd
install 283 1 1092 364 ffffffff 00000000 S /system/bin/installd
keystore 285 1 4632 904 ffffffff 00000000 S /system/bin/keystore
root 291 1 54912 392 ffffffff 00000000 S /system/bin/thermal-engine
media 292 1 2020 184 ffffffff 00000000 S /system/bin/adsprpcd
compass 294 1 1892 472 ffffffff 00000000 S /system/bin/akmd8963
root 295 1 915820 29328 ffffffff 00000000 S zygote
system 312 1 7640 580 ffffffff 00000000 S /system/bin/ATFWD-daemon
camera 314 1 18572 956 ffffffff 00000000 S /system/bin/mm-qcamera-daemon
system 315 1 7340 612 ffffffff 00000000 S /system/bin/time_daemon
system 316 1 2848 496 ffffffff 00000000 S /system/bin/qseecomd
diag 319 1 1772 324 ffffffff 00000000 S /system/bin/dropboxd
radio 325 1 4884 492 ffffffff 00000000 S /system/bin/subsystem_ramdump
root 398 2 0 0 ffffffff 00000000 D msm_thermalhot
root 399 2 0 0 ffffffff 00000000 D msm_thermalfre
radio 422 1 11720 604 ffffffff 00000000 S /system/bin/qmuxd
system 423 1 3360 420 ffffffff 00000000 S /system/bin/wcnss_service
mot_esdfs 431 1 376 40 ffffffff 00000000 S /system/bin/esdpll
radio 451 1 9100 712 ffffffff 00000000 S /system/bin/netmgrd
radio 519 276 5656 744 ffffffff 00000000 S /system/bin/qmi_motext_hook
root 588 2 0 0 ffffffff 00000000 S IPCRTR
root 611 2 0 0 ffffffff 00000000 S ipc_rtr_wcnss_i
system 616 316 7064 268 ffffffff 00000000 S /system/bin/qseecomd
root 635 2 0 0 ffffffff 00000000 S IPCRTR
root 638 2 0 0 ffffffff 00000000 S ipc_rtr_smd_ipc
root 646 2 0 0 ffffffff 00000000 D mdss_fb0
root 664 2 0 0 ffffffff 00000000 S kworker/u2H
root 794 2 0 0 ffffffff 00000000 S flush-1790
system 973 295 1086156 80116 ffffffff 00000000 S system_server
u0_a51 1262 295 1027052 34204 ffffffff 00000000 S com.android.chrome
u0_a24 1283 295 1041304 69324 ffffffff 00000000 S com.android.systemui
u0_a72 1360 295 930080 26036 ffffffff 00000000 S com.motorola.modemservice
u0_a39 1402 295 958684 22748 ffffffff 00000000 S com.google.android.googlequicksearchboxinteractor
u0_a67 1419 295 980136 40292 ffffffff 00000000 S com.android.inputmethod.latin
system 1504 295 937692 34156 ffffffff 00000000 S com.motorola.process.system
system 1520 295 923400 20796 ffffffff 00000000 S com.qualcomm.services.location
radio 1544 295 926216 24096 ffffffff 00000000 S com.android.server.telecom
radio 1567 295 974876 41816 ffffffff 00000000 S com.android.phone
u0_a26 1577 295 1113108 79968 ffffffff 00000000 S com.android.launcher
u0_i0 1628 295 939780 22648 ffffffff 00000000 S com.android.chromesandboxed_process0
u0_a107 1754 295 1004364 56068 ffffffff 00000000 S com.avast.android.mobilesecurity
u0_a19 1783 295 1046820 51492 ffffffff 00000000 S com.google.process.gapps
u0_a51 1890 295 988996 25800 ffffffff 00000000 S com.android.chromeprivileged_process0
u0_a19 1946 295 1209592 62924 ffffffff 00000000 S com.google.android.gms
u0_a19 2017 295 1041844 44736 ffffffff 00000000 S com.google.android.gms.persistent
u0_a99 2159 295 964492 35432 ffffffff 00000000 S org.telegram.messenger
root 2189 1 7984 512 ffffffff 00000000 S /system/bin/mpdecision
u0_a35 2664 295 981980 37524 ffffffff 00000000 S com.android.vending
u0_a161 3537 295 935620 29844 ffffffff 00000000 S com.agilesoftresource
u0_a143 3639 295 933896 24784 ffffffff 00000000 S com.icecoldapps.screenshoteasy
u0_a157 3678 295 927524 23408 ffffffff 00000000 S com.eolwral.osmonitornotification
u0_a0 3827 295 1046068 44524 ffffffff 00000000 S com.motorola.ccc
u0_a32 4252 295 940392 43328 ffffffff 00000000 S com.motorola.motocare
system 4739 295 925368 24164 ffffffff 00000000 S com.qualcomm.atfwd
u0_a30 5121 295 944868 27516 ffffffff 00000000 S com.motorola.MotGallery2
u0_a158 5562 295 1046700 39028 ffffffff 00000000 S com.phoenix.taskkiller
u0_a100 5585 295 1006656 54452 ffffffff 00000000 S com.whatsapp
u0_a101 5809 295 979440 30276 ffffffff 00000000 S com.yahoo.mobile.client.android.mail
u0_a156 5878 295 988360 26808 ffffffff 00000000 S co.vine.androidrecord
u0_a156 5920 295 950680 28852 ffffffff 00000000 S co.vine.android
u0_a91 6092 295 937060 26420 ffffffff 00000000 S com.llamalab.timesheet.free
u0_a173 6296 295 933652 30112 ffffffff 00000000 S com.mobileCounter
u0_a110 6834 295 935696 23328 ffffffff 00000000 S com.enlightment.voicecallrecorder
u0_a110 6915 6834 1116 104 ffffffff 00000000 S sh
u0_a110 6920 6915 940 296 ffffffff 00000000 S /data/data/com.enlightment.voicecallrecorder/files/daemon_new
u0_a101 7289 295 952076 28508 ffffffff 00000000 S com.yahoo.mobile.client.android.mailcom.yahoo.snp.service
u0_a49 7598 295 923488 25560 ffffffff 00000000 S com.android.cellbroadcastreceiver
root 12044 2 0 0 ffffffff 00000000 S kworker/02H
system 13173 295 967604 51220 ffffffff 00000000 S com.android.settings
mot_tcmd 13611 1 8892 1376 ffffffff 00000000 S /system/bin/tcmd
root 14847 2 0 0 ffffffff 00000000 S kworker/00
root 15028 2 0 0 ffffffff 00000000 S kworker/u1
shell 15127 1 4632 240 ffffffff 00000000 S /sbin/adbd
shell 15593 15127 1144 572 c01975c8 b6ee60c4 S /system/bin/sh
root 18628 2 0 0 ffffffff 00000000 S kworker/01
root 20097 2 0 0 ffffffff 00000000 S kworker/u2
u0_a113 20778 295 986316 36888 ffffffff 00000000 S com.microsoft.office.onenote
root 25750 2 0 0 ffffffff 00000000 S kworker/02
root 26111 2 0 0 ffffffff 00000000 S kworker/u3
root 26120 2 0 0 ffffffff 00000000 S kworker/u4
root 26273 2 0 0 ffffffff 00000000 S kworker/u5
root 26435 2 0 0 ffffffff 00000000 S kworker/u6
root 26436 2 0 0 ffffffff 00000000 S kworker/u7
root 26437 2 0 0 ffffffff 00000000 S kworker/u8
root 26438 2 0 0 ffffffff 00000000 S kworker/u9
root 26439 2 0 0 ffffffff 00000000 S kworker/u10
root 26440 2 0 0 ffffffff 00000000 S kworker/u11
root 26441 2 0 0 ffffffff 00000000 S kworker/u12
root 26442 2 0 0 ffffffff 00000000 S kworker/u13
root 26443 2 0 0 ffffffff 00000000 S kworker/u14
root 26444 2 0 0 ffffffff 00000000 S kworker/u15
root 26445 2 0 0 ffffffff 00000000 S kworker/u16
root 26446 2 0 0 ffffffff 00000000 S kworker/u17
root 26494 2 0 0 ffffffff 00000000 S WD_Thread
root 26498 2 0 0 ffffffff 00000000 S MC_Thread
root 26499 2 0 0 ffffffff 00000000 S TX_Thread
root 26500 2 0 0 ffffffff 00000000 S RX_Thread
root 26539 2 0 0 ffffffff 00000000 S wlan_logging_th
wifi 26540 1 7460 2196 ffffffff 00000000 S /system/bin/wpa_supplicant
root 26558 2 0 0 ffffffff 00000000 S kworker/03
root 26634 2 0 0 ffffffff 00000000 S kworker/00H
root 27952 2 0 0 ffffffff 00000000 S kworker/04
root 28029 2 0 0 ffffffff 00000000 S kworker/u18
u0_a39 28162 295 1074772 72412 ffffffff 00000000 S com.google.android.googlequicksearchboxsearch
u0_a19 28267 295 1010948 33780 ffffffff 00000000 S com.google.android.gms.wearable
u0_a27 28288 295 999880 62480 ffffffff 00000000 S com.android.mms
u0_a15 28523 295 927360 31268 ffffffff 00000000 S android.process.media
u0_a56 28560 295 946756 30960 ffffffff 00000000 S com.android.email
u0_a37 28746 295 930488 25064 ffffffff 00000000 S com.google.android.setupwizard
u0_a65 28880 295 1026564 50216 ffffffff 00000000 S com.google.android.talk
u0_a7 28952 295 928572 31700 ffffffff 00000000 S android.process.acore
u0_a82 28980 295 964772 33628 ffffffff 00000000 S com.google.android.apps.plus
root 29305 2 0 0 ffffffff 00000000 S migration/1
root 29306 2 0 0 ffffffff 00000000 S kworker/10
root 29307 2 0 0 ffffffff 00000000 S kworker/10H
root 29308 2 0 0 ffffffff 00000000 S ksoftirqd/1
root 29310 2 0 0 ffffffff 00000000 S kworker/11
shell 29320 15593 2736 764 00000000 b6f46c28 R ps
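A way to read a listing like the one above without scanning 240 rows by eye. This is an added example, not code from the original post: it parses the classic Android toolbox `ps` columns (USER PID PPID VSIZE RSS WCHAN PC, then a state letter, then NAME) and applies the checks a responder would otherwise do by hand: app processes (forked by zygote, normally running as `u0_aNN`) that have spawned non-Java children such as a shell or a native binary, executables running out of writable app storage (`/data/data/...`), and zygote-forked processes that run as root. The embedded listing is a constructed excerpt in the same format as the thread's output, not the full capture, and the prefix list and heuristics are my assumptions. Hits are leads to verify (hash the binary, check the package's sockets and manifest), not verdicts; a legitimate recorder with a native helper produces the same shape.

```python
"""Triage an Android `ps` listing for processes that deserve a closer look."""
from collections import namedtuple

Proc = namedtuple("Proc", "user pid ppid vsize rss state name")

# Constructed excerpt in the toolbox `ps` format used in the thread (not the full capture).
SAMPLE_PS = """\
USER PID PPID VSIZE RSS WCHAN PC NAME
root 1 0 996 520 ffffffff 00000000 S /init
root 295 1 915820 29328 ffffffff 00000000 S zygote
system 973 295 1086156 80116 ffffffff 00000000 S system_server
u0_a51 1262 295 1027052 34204 ffffffff 00000000 S com.android.chrome
u0_a100 5585 295 1006656 54452 ffffffff 00000000 S com.whatsapp
u0_a110 6834 295 935696 23328 ffffffff 00000000 S com.enlightment.voicecallrecorder
u0_a110 6915 6834 1116 104 ffffffff 00000000 S sh
u0_a110 6920 6915 940 296 ffffffff 00000000 S /data/data/com.enlightment.voicecallrecorder/files/daemon_new
shell 15127 1 4632 240 ffffffff 00000000 S /sbin/adbd
shell 15593 15127 1144 572 c01975c8 b6ee60c4 S /system/bin/sh
shell 29320 15593 2736 764 00000000 b6f46c28 R ps
"""

# Locations an app (or an attacker with app privileges) can write to; assumption for this example.
WRITABLE_PREFIXES = ("/data/data/", "/data/user/", "/data/local/tmp/", "/sdcard/", "/storage/")


def parse_ps(text):
    """Return {pid: Proc} from toolbox-style `ps` output (header row is skipped)."""
    procs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("USER"):
            continue
        parts = line.split(None, 8)  # NAME is the 9th field; WCHAN/PC are dropped below
        if len(parts) != 9:
            continue  # malformed or truncated row
        user, pid, ppid, vsize, rss, _wchan, _pc, state, name = parts
        procs[int(pid)] = Proc(user, int(pid), int(ppid), int(vsize), int(rss), state, name)
    return procs


def app_ancestor(procs, pid, zygote_pids):
    """Walk PPID links upward; return the zygote-forked app process pid descends from, or None."""
    seen = set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if cur.ppid in zygote_pids:
            return cur
        cur = procs.get(cur.ppid)
    return None


def triage(text):
    """Return sorted (pid, reason, name) findings for the listing."""
    procs = parse_ps(text)
    zygote_pids = {p.pid for p in procs.values() if p.name in ("zygote", "zygote64")}
    findings = []
    for p in procs.values():
        app = app_ancestor(procs, p.pid, zygote_pids)
        if app is not None and app.pid != p.pid:
            # Android apps normally do not fork; a shell or native child is worth explaining.
            findings.append((p.pid, "child of app process " + app.name, p.name))
        if p.name.startswith(WRITABLE_PREFIXES):
            findings.append((p.pid, "executable under writable app storage", p.name))
        if app is not None and app.pid == p.pid and p.user == "root":
            findings.append((p.pid, "app process running as root", p.name))
    return sorted(findings)


if __name__ == "__main__":
    for pid, reason, name in triage(SAMPLE_PS):
        print(f"{pid:>6}  {reason:<55}  {name}")
```

On the sample this flags PIDs 6915 (`sh`) and 6920 (`daemon_new`) under com.enlightment.voicecallrecorder, and nothing else: the `/system/bin/sh` and `ps` under `adbd` are the investigator's own session, not an app's. To use it on a live device, feed it the output of `adb shell ps` and then follow each lead with `ls -l` on the flagged path and the package's `/proc/<pid>/net/tcp` (or `netstat`) entries.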
Try to find suspicious activities and packages. You could take a look at the link below for reference:
http://www.cnblogs.com/pieces0310/p/4830825.html
Thank you for the link, but it is very incomprehensible. I mean, the author does not explain anything. It lacks a lot of steps…
Sorry for any inconvenience. I'm the author and I did not explain every step I took. Basically I will do dynamic and static analysis.
1. I will install OS Monitor on that phone and take a look at whether there is any unusual process or network activity, such as a strange destination IP or port.
2. Then I will take a look at that phone in the path data/data/ and see if there is any strange package name. For example, in that article it is "com.example.downloader".
3. If I find some apps/APKs strange, I will do a dynamic test on an emulator or another Android phone. Also I will decompile that APK and take a look at its Java code and manifest.xml.
4. Of course I could use IDA Pro to look at that app thoroughly, but it is very time consuming.
My suggestion is as above. Hope it is helpful.
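Step 3 of the procedure above ends with reading the decoded manifest. The following is an added example, not the author's code or anything from the linked article: it reads an `AndroidManifest.xml` and answers the questions a call-recording trojan hypothesis raises, namely whether the app can record audio and reach the network, whether it learns about calls (`READ_PHONE_STATE`, `PROCESS_OUTGOING_CALLS`, or a receiver on `PHONE_STATE` / `NEW_OUTGOING_CALL`), whether it restarts at boot, whether it has a launcher icon at all, and whether it ships debuggable. Both embedded manifests are constructed for the example; the first borrows the article's example package name `com.example.downloader`, but its contents are my assumption and say nothing about any real app.

```python
"""Capability triage of a decoded AndroidManifest.xml (output of `apktool d app.apk -o out`)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for illustration only; package name taken from the linked article's example.
SUSPECT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.downloader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Downloader" android:debuggable="true">
        <receiver android:name=".BootReceiver">
            <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
        </receiver>
        <receiver android:name=".CallReceiver">
            <intent-filter>
                <action android:name="android.intent.action.PHONE_STATE"/>
                <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
            </intent-filter>
        </receiver>
        <service android:name=".RecService"/>
        <activity android:name=".Hidden"/>
    </application>
</manifest>
"""

# Constructed control case: an ordinary app with a launcher icon and only INTERNET.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <activity android:name=".Main">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""

CALL_PERMS = {"android.permission.READ_PHONE_STATE", "android.permission.PROCESS_OUTGOING_CALLS"}
CALL_ACTIONS = {"android.intent.action.PHONE_STATE", "android.intent.action.NEW_OUTGOING_CALL"}


def _name(el):
    return el.get(ANDROID_NS + "name", "")


def permissions(root):
    return sorted(_name(e) for e in root.iter("uses-permission"))


def receiver_actions(root):
    """Broadcast actions any <receiver> listens for (boot, call state, ...)."""
    return {_name(a) for rcv in root.iter("receiver") for a in rcv.iter("action")}


def has_launcher_activity(root):
    return any(_name(c) == "android.intent.category.LAUNCHER"
               for act in root.iter("activity") for c in act.iter("category"))


def capability_report(manifest_xml):
    """Summarise what the manifest lets the app do; the final key is the call-recorder+exfil pattern."""
    root = ET.fromstring(manifest_xml)
    perms = set(permissions(root))
    actions = receiver_actions(root)
    app = root.find("application")
    report = {
        "package": root.get("package"),
        "can_record_audio": "android.permission.RECORD_AUDIO" in perms,
        "can_reach_network": "android.permission.INTERNET" in perms,
        "sees_call_state": bool(perms & CALL_PERMS),
        "call_triggered": bool(actions & CALL_ACTIONS),
        "starts_at_boot": "android.intent.action.BOOT_COMPLETED" in actions,
        "launcher_icon": has_launcher_activity(root),
        "debuggable": app is not None and app.get(ANDROID_NS + "debuggable") == "true",
    }
    report["call_recorder_plus_exfil"] = (report["can_record_audio"] and report["can_reach_network"]
                                          and (report["sees_call_state"] or report["call_triggered"]))
    return report


if __name__ == "__main__":
    for xml in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        for key, value in capability_report(xml).items():
            print(f"{key:<25} {value}")
        print()
```

The pattern flag is deliberately narrow: a genuine call recorder from the store will also match it, so a hit means "read the decompiled code for where the recordings go" (network calls, upload endpoints, a native helper under `files/`), not "malware". The absence of a launcher activity combined with a boot receiver is the detail that most often separates a hidden implant from a tool the user installed on purpose.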
Hello friend,
That's very useful information. Which tool did you use to decompile?
Thanks!
You're welcome. The tools I use are as below:
1.dex2jar
2.apktool
3.JD-GUI
4.IDA Pro
Other tools like GIDB, snoop-it, AppUse, etc.
Of course these are decompile tools. Frankly speaking, there are few tools for analyzing apps, so you will need such kinds of tools to track their functions, methods, etc. You will need a sandbox too. Maybe you guys could suggest what tools you use for analyzing apps, especially for iOS apps. I'd appreciate any info you have.