Security Alert: New Root-Capable DroidDeluxe Malware Found in Alternative Android Markets
By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
After discovering the
GingerMaster malware, my research team, in collaboration with NQ Mobile,
recently identified another new malware -- DroidDeluxe -- with a root exploit for Android-based phones
(running 2.2 and below).
This malware claims to have the functionality of recovering user's password from
the phone. But instead of leveraging legitimate ways to access user's credential information,
it takes the (extreme) approach of silently
rooting the phone. The way to root the phone is essentially
based on the Rageagainstthecage/Zimperlich root exploit (which has been similarly
used by
DroidDream,
BaseBridge,
and DroidKungFu).
Our investigation shows that this malware does not provide the claimed password
recovery capability. Instead after rooting the phone, it simply makes world-accessible
a few related files that contain users' credentials.
Our analysis further shows that its current payload seems rather limited and are not clearly malicious.
However,
similar to zHash, it immediately creates a hole in the phone and makes it abusable by
other apps to bypass or break the built-in security protection of Android.
How it works
After being launched, DroidDeluxe will collect a variety of information from the device,
including the phone model, the manufacturer and the brand. The collected information will be
uploaded through the Google Analytics network (with account ID: UA-19670793-1).
Our analysis shows that DroidDeluxe packages the Rageagainstthecage/Zimperlich root exploit in an executable named
password. When it runs, it will start the exploitation process in the background without
user's awareness (to obtain the root privilege). If successful, it will then launch another
embedded executable named special. This special program essentially changes the file mode of account-related
files in the phone and makes them world-readable and world-writable. Based on our current
investigation, the affected files include
- /data/system/accounts.db
- /data/data/com.android.email/databases/EmailProvider.db
- /data/data/com.android.providers.contacts/databases/contacts2.db
- /data/data/com.android.providers.telephony/databases/mmssms.db
These files contains user's confidential information such
as accounts name, authtoken, contacts and so on. Though our current analysis does not reveal any
other malicious payload, it already seriously puts users at the risk.
Mitigation:
Due to the fact that DroidDeluxe contains a root exploit, we consider it poses one of
the most serious threats to mobile users.
For mitigation, please follow common-sense guidelines for smartphone security. For example,
- download apps from reputable app stores that you trust; and always check reviews, ratings as well as developer information before downloading;
- check the permissions on apps before you actually install them and make sure you are comfortable with the data they will be accessing;
- be alert for unusual behavior on the part of mobile phones and make sure you have up-to-date security software installed on your phone.
Follow-ups:
- 9/1/2011: We detected the first DroidDeluxe malware.
Last modified: September 1st, 2011