Security Alert: New DroidKungFu Variants Found in Alternative Chinese Android Markets
By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
While continuing the investigation of an earlier reported DroidKungFu
malware, my research team came across two new variants. Though they are similarly repackaged and distributed
in the form of "legitimate" applications, these two variants differ from the original one by (1) re-implementing some of their malicious
functionality in native code (instead of the previous Dalvik code written in Java); and (2) supporting two additional command and control (C&C) domains.
The changes are possibly in place to make their detection and analysis harder. For example, the new variants bypass
detection by some leading anti-virus software that detects the original DroidKungFu. They also increase the difficulty of reverse engineering for analysis. We felt that these changes reflect the evolving state of malware development on Android (and on smartphones in general).
Getting started
The repackaged apps infected with the DroidKungFu variants are made available through a number of
alternative app markets and forums targeting Chinese-speaking users. As with the original DroidKungFu, one variant adds
a new service and a new receiver to the infected app. The receiver is notified
when the system finishes booting so that it can automatically launch the service without user
interaction. The other variant directly modifies the host app to launch the service.
Phoning home
Once the service gets started, the DroidKungFu variants collect a variety of information
about the infected mobile phone, including the IMEI number, the phone model, and the Android OS version.
The collected information is then dumped to a local file that is later sent to a remote server in the background. We note that the phoning-home
functionality was previously implemented in Java (and was thus relatively easy to reverse engineer). However,
the new variants move it entirely into native code, which makes analysis and detection harder.
Also, we found that instead of contacting a single C&C server, the new variants have built-in support for three different C&C servers.
Launching the exploits
Like its predecessor, one DroidKungFu variant carries with it the same root-level exploits to obtain
root privilege. (The other one resides in a host app that already requires a rooted phone.)
The following code snippet shows one of them, which is related to an embedded file named
"secbino". If successful, the malware can elevate its privilege to root.
(Note that recent Android versions have patched this bug, so this exploit will not succeed on them.)
In this case, the variant attempts to detect whether the phone has already been rooted and, if
so, requests root privilege. In either case, the malware will still phone home with the collected phone information (e.g., IMEI, phone model, etc.).
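To illustrate the repackaging indicators described in the "Getting started", "Phoning home" and "Launching the exploits" sections (a boot-completed receiver that launches an injected service, functionality moved into native code, and an embedded file named "secbino"), here is a defender-side static triage check. It is an added example, not code from the advisory or from the malware; the manifest, file listing and names such as .BootReceiver, .SearchService and libnative.so are constructed for illustration.

```python
# Added example (not from the original advisory): static triage check for the
# repackaging indicators described above, run over a decoded AndroidManifest.xml
# and an APK file listing. Names and sample data are constructed for illustration.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

def manifest_indicators(manifest_xml: str, file_list: list) -> dict:
    """Collect indicators: boot-completed receivers, declared services, native
    libraries, and a bundled file named 'secbino' (the embedded file the advisory names)."""
    root = ET.fromstring(manifest_xml)
    found = {"boot_receivers": [], "services": [], "native_libs": [], "suspicious_assets": []}
    app = root.find("application")
    if app is not None:
        for recv in app.findall("receiver"):
            # intent-filter/action elements sit below the receiver; iter() walks the subtree
            actions = {a.get(ANDROID_NS + "name") for a in recv.iter("action")}
            if BOOT_ACTION in actions:
                found["boot_receivers"].append(recv.get(ANDROID_NS + "name"))
        for svc in app.findall("service"):
            found["services"].append(svc.get(ANDROID_NS + "name"))
    for path in file_list:
        if path.startswith("lib/") and path.endswith(".so"):
            found["native_libs"].append(path)
        elif path.split("/")[-1] == "secbino":
            found["suspicious_assets"].append(path)
    return found

def is_suspicious(found: dict) -> bool:
    """Flag the combination the advisory describes: a boot-time receiver able to
    start a service, plus native code or the embedded exploit file."""
    auto_start = bool(found["boot_receivers"] and found["services"])
    return auto_start and bool(found["native_libs"] or found["suspicious_assets"])

# Constructed sample: a repackaged host app with the injected receiver and service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.host">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Host">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".SearchService"/>
  </application>
</manifest>"""
SAMPLE_FILES = ["classes.dex", "lib/armeabi/libnative.so", "assets/secbino", "res/layout/main.xml"]
```

A clean copy of the same host app from a reputable store should lack the receiver, the service and the native library, so comparing the two listings is the quickest way to spot the repackaging.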
Dropping more malware and others
After obtaining root privilege, the DroidKungFu variants can essentially access arbitrary files
on the phone and have the capability to install or remove any package. Based on our initial analysis
of the built-in binary payloads, they have the functionality to install or uninstall packages and change
the web browser's homepage without the user's knowledge.
Mitigation:
For mitigation, please follow basic, common-sense guidelines for smartphone security. For example,
- download apps from reputable app stores that you trust, and always check reviews, ratings and developer information before downloading;
- check the permissions of apps before you actually install them and make sure you are comfortable with the data they will be accessing;
- be alert for unusual behavior on your mobile phone and make sure you have up-to-date security software installed on it.
Follow-ups:
- 7/1/2011: We have been busy contacting, or being contacted by, leading mobile anti-virus companies and research labs, including Lookout, Symantec, F-Secure, Sophos, Google, Webroot, G Data Software AG, iPolicy Networks, ...
- 7/1/2011: This article goes public.
- 6/29/2011: The two new DroidKungFu variants are detected in nine different apps.
Last modified: July 1, 2011