Security Alert: New DroidKungFu Variants Found in Alternative Chinese Android Markets

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
While continuing our investigation of the earlier reported DroidKungFu malware, my research team came across two new variants. Though they are similarly repackaged and distributed inside "legitimate" applications, the two variants differ from the original in that they (1) re-implement some of their malicious functionality in native code (instead of the earlier Dalvik bytecode compiled from Java); and (2) support two additional command and control (C&C) domains. These changes are likely intended to make detection and analysis harder. For example, the new variants evade some leading anti-virus products that do detect the original DroidKungFu, and the native code makes reverse engineering for analysis more laborious. We believe these changes reflect the evolving state of malware development on Android (and on smartphones in general).

Getting started

The repackaged apps infected with the DroidKungFu variants are distributed through a number of alternative app markets and forums targeting Chinese-speaking users. As with the original, one variant adds a new service and a new receiver to the infected app. The receiver is notified when the system finishes booting, so it can launch the service automatically without any user interaction. The other variant instead directly modifies the host app's own code to launch the service.
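As an added example (not code from the original alert or from the research team), the following Python script turns the persistence pattern just described into a static check over an APK manifest that has already been decoded to plain XML (for instance with apktool). The sample manifest, its package name and its class names are constructed for illustration; the "foreign component" heuristic is an analyst assumption, not a finding stated in the alert.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"

# Constructed sample manifest (hypothetical package and class names, not taken
# from a real DroidKungFu sample): the host app's launcher activity plus an
# injected service and an injected receiver registered for BOOT_COMPLETED.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hostgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Host Game">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name="com.example.injected.SearchService"/>
        <receiver android:name="com.example.injected.BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def is_foreign(component, package):
    """True when a component's class lives outside the app's declared package.

    Heuristic (an analyst assumption, not a rule from the alert): components
    injected into a repackaged app are usually declared under a package
    prefix that differs from the host app's own package.
    """
    if component.startswith("."):
        return False  # relative name, resolved inside `package`
    return not component.startswith(package + ".")


def analyze_manifest(xml_text):
    """Report boot-time receivers, services and out-of-package components."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    permissions = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    app = root.find("application")
    services = [] if app is None else [s.get(NAME_ATTR) for s in app.iter("service")]

    boot_receivers = []
    if app is not None:
        for rcv in app.iter("receiver"):
            actions = {a.get(NAME_ATTR) for a in rcv.iter("action")}
            if BOOT_ACTION in actions:
                boot_receivers.append(rcv.get(NAME_ATTR))

    foreign = [c for c in services + boot_receivers if is_foreign(c, package)]
    return {
        "package": package,
        "has_boot_permission": BOOT_PERMISSION in permissions,
        "boot_receivers": boot_receivers,
        "services": services,
        "foreign_components": foreign,
        # The persistence pattern from the alert: a receiver that fires on boot
        # sitting next to a service it can start with no user interaction.
        "boot_persistence": bool(boot_receivers) and bool(services),
    }


if __name__ == "__main__":
    report = analyze_manifest(SAMPLE_MANIFEST)
    for key, value in report.items():
        print("%-20s %s" % (key, value))
```

The manifest only shows that a boot receiver and a service coexist; the actual startService() call lives in the receiver's class, so the next step is to decompile that class. The check also says nothing about the second variant, which launches the service from the host app's own code and declares no new receiver.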

Phoning home

Once the service starts, the DroidKungFu variants collect a variety of information about the infected phone, including the IMEI number, the phone model, and the Android OS version. The collected information is dumped to a local file that is later sent to a remote server in the background. The phoning-home functionality was previously implemented in Java (and was thus relatively easy to reverse engineer); the new variants move it entirely into native code, which makes both analysis and detection harder. Also, instead of contacting a single C&C server, the new variants have built-in support for three different C&C servers.
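Because the phone-home logic now lives in a native library, the quickest first pass is the strings-based triage that still works on a stripped .so: pull printable runs out of the binary, pick out hostnames, and look for the property names and JNI symbols a routine would need in order to read the model, OS version and IMEI. The script below is an added example, not code from the original alert; the sample bytes, the hostnames and the TLD allowlist are constructed for illustration, and the indicator strings are real Android property and JNI names chosen as assumptions about what such a routine would reference.

```python
import re

MIN_LEN = 6
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+([a-z]{2,})$")
# Small TLD allowlist (an assumption) so dotted non-domain strings such as
# "libc.so" or "ro.product.model" are not reported as hosts.
TLDS = {"com", "net", "org", "cn", "info", "biz", "cc", "tk"}

# Strings a native phone-home routine is likely to carry. The property names
# are real Android system properties (model, OS version); the JNI class and
# method names are how native code reaches TelephonyManager.getDeviceId(),
# which returns the IMEI on GSM phones.
INDICATORS = {
    "device_id":      ("android/telephony/TelephonyManager", "getDeviceId"),
    "phone_model":    ("ro.product.model",),
    "os_version":     ("ro.build.version.release",),
    "native_sysprop": ("__system_property_get",),
    "http_upload":    ("multipart/form-data", "Content-Type"),
}

# Constructed stand-in for a native library: ELF magic, binary filler and
# NUL-separated strings. The hostnames are placeholders, not the real
# DroidKungFu C&C domains.
SAMPLE_SO = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"libc.so\x00"
    + b"__system_property_get\x00"
    + b"ro.product.model\x00"
    + b"ro.build.version.release\x00"
    + b"android/telephony/TelephonyManager\x00"
    + b"getDeviceId\x00"
    + b"Content-Type: multipart/form-data\x00"
    + b"http://c2-one.example.com/report.php\x00"
    + b"\x8f\x12\x03\xff\x00\x01"
    + b"c2-two.example.net\x00"
    + b"c2-three.example.org:8080\x00"
)


def extract_strings(blob, min_len=MIN_LEN):
    """Runs of printable ASCII, the same heuristic the strings(1) tool uses."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def host_of(s):
    """Return the hostname if the string looks like a domain or URL, else None."""
    s = re.sub(r"^https?://", "", s.strip().lower())
    host = re.split(r"[/:]", s, maxsplit=1)[0]
    m = HOST_RE.match(host)
    if m and m.group(1) in TLDS:
        return host
    return None


def triage(blob):
    """Summarise C&C hosts and device-info indicators found in a binary."""
    strings = extract_strings(blob)
    hosts, indicators = [], {}
    for s in strings:
        h = host_of(s)
        if h and h not in hosts:
            hosts.append(h)
        for category, needles in INDICATORS.items():
            if any(n.lower() in s.lower() for n in needles):
                indicators.setdefault(category, []).append(s)
    collects = {"device_id", "phone_model", "os_version"} <= set(indicators)
    return {
        "strings": len(strings),
        "hosts": hosts,
        "indicators": indicators,
        "collects_device_info": collects,
        "multiple_c2": len(hosts) > 1,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SO).items():
        print("%-22s %s" % (key, value))
```

In practice you would run triage() over each file under lib/armeabi/ after unzipping the APK. Moving code from Dalvik to native does not hide plain string constants, so this is the step to take before reaching for a disassembler; a sample that encrypts or builds its hostnames at runtime will show no hosts here and needs dynamic analysis instead.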

Launching the exploits

As with its predecessor, one DroidKungFu variant carries the same root exploits to obtain root privilege. (The other variant resides in a host app that already requires a rooted phone.) The following code snippet shows one of them, which is related to an embedded file named "secbino". If successful, the malware elevates its privilege to root. (Recent Android versions have patched the underlying bug, so the exploit fails on them.) In that case, the variant instead checks whether the phone has already been rooted and, if so, requests root privilege. In either case, the malware still phones home with the collected phone information (e.g., IMEI and phone model).

Dropping more malware and others

After obtaining root privilege, the DroidKungFu variants can access arbitrary files on the phone and install or remove any package. Based on our initial analysis of the built-in binary payloads, they can install and uninstall packages and change the web browser's homepage without the user's knowledge.

Mitigation:

For mitigation, please follow basic, common-sense guidelines for smartphone security. For example,

Follow-ups:

Last modified: July 1, 2011