New DroidKungFu Variant -- DroidKungFuSapp -- Emerges!
By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
My research team, in collaboration with NQ Mobile,
recently discovered a new DroidKungFu variant: DroidKungFuSapp. This variant
piggybacks on legitimate apps, repackaging them with malicious payloads injected into
their code. From our current analysis, this malware differs from
previous DroidKungFu variants in two main ways.
- First, it uses a different command and control (C&C) server,
one not seen in earlier variants. Switching C&C servers appears to be an attempt to bypass
network-based detection (e.g., blocklists of the earlier variants' C&C hosts).
- Second, this variant has changed its payload code, including
the package name, class hierarchy and the structure of the payload.
These changes are presumably intended to circumvent signature-based detection by existing mobile anti-virus software.
As of this writing, they appear to be effective: in our experiments with four popular mobile anti-virus
products, none of them detected this variant.
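The second point above is a general lesson about repackaged malware: a signature keyed on the
previous variant's package or class names is defeated by a simple rename, whereas checks that do not
depend on the payload's name still hold. The following is an added example (not code from the
original post, from NQ Mobile or from the DroidKungFu analysis) showing two such checks side by
side with a name-based signature: (1) a repackaged APK must be re-signed, so its signer certificate
cannot match the original developer's; (2) diffing the class list of a suspect APK against the
known-good original exposes injected classes whatever package name they carry. All class names,
package prefixes and certificate fingerprints below are constructed for illustration and are not
DroidKungFuSapp's real identifiers; in practice the class list would come from the APK's DEX
(e.g., via dexdump or apktool) and the fingerprint from the APK's signing certificate.

```python
"""Added example (not from the original post): name-based signatures vs.
name-independent repackaging checks. Every identifier here is constructed."""
from typing import Dict, FrozenSet, Set

# Constructed: classes of the legitimate app as shipped by its developer.
ORIGINAL_CLASSES: FrozenSet[str] = frozenset({
    "com.example.puzzle.MainActivity",
    "com.example.puzzle.GameView",
    "com.example.puzzle.util.Prefs",
})

# Constructed: the same app after a repackager injected a payload under a
# NEW package name (stand-in for the renamed payload the post describes).
REPACKAGED_CLASSES: FrozenSet[str] = frozenset(ORIGINAL_CLASSES | {
    "org.sample.sync.Receiver",      # hypothetical injected classes
    "org.sample.sync.Service",
    "org.sample.sync.net.Client",
})

# Constructed: a name-based AV signature written for an OLDER variant,
# keyed on the package prefix that older payload used.
OLD_VARIANT_SIGNATURE_PREFIX = "com.sample.oldpayload."

# Constructed SHA-256 fingerprints of signing certificates (hex, shortened).
DEVELOPER_CERT_FPR = "a1b2c3d4e5f60718"   # the legitimate developer's key
REPACKAGER_CERT_FPR = "0f1e2d3c4b5a6978"  # whoever re-signed the modified APK


def signature_hits(classes: FrozenSet[str], prefix: str) -> Set[str]:
    """Name-based signature: classes whose package starts with `prefix`.
    Brittle by design: renaming the payload package yields an empty set."""
    return {c for c in classes if c.startswith(prefix)}


def signer_matches(expected_fpr: str, observed_fpr: str) -> bool:
    """Check (1): a modified APK cannot carry the developer's signature,
    because the repackager does not hold the developer's private key."""
    return expected_fpr.lower() == observed_fpr.lower()


def injected_classes(original: FrozenSet[str], candidate: FrozenSet[str]) -> Set[str]:
    """Check (2): classes present in the candidate but absent from the
    known-good original. Independent of what the payload is called."""
    return set(candidate - original)


def injected_packages(original: FrozenSet[str], candidate: FrozenSet[str]) -> Set[str]:
    """Packages that the injected classes live in, for triage."""
    return {c.rsplit(".", 1)[0] for c in injected_classes(original, candidate)}


def assess(original: FrozenSet[str], candidate: FrozenSet[str],
           expected_fpr: str, observed_fpr: str, sig_prefix: str) -> Dict[str, object]:
    """Run all three checks and report which of them flag the candidate."""
    injected = injected_classes(original, candidate)
    return {
        "old_signature_match": bool(signature_hits(candidate, sig_prefix)),
        "signer_mismatch": not signer_matches(expected_fpr, observed_fpr),
        "injected_class_count": len(injected),
        "injected_packages": sorted(injected_packages(original, candidate)),
        "repackaged": bool(injected) or not signer_matches(expected_fpr, observed_fpr),
    }


if __name__ == "__main__":
    report = assess(ORIGINAL_CLASSES, REPACKAGED_CLASSES,
                    DEVELOPER_CERT_FPR, REPACKAGER_CERT_FPR,
                    OLD_VARIANT_SIGNATURE_PREFIX)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed input the old-variant signature finds nothing, while both the signer
check and the class diff flag the app as repackaged and name the injected packages. The diff
requires a trusted copy of the original (e.g., from the developer or the official market),
which is exactly what a repackaging attack cannot alter.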
A detailed technical analysis and possible mitigation can be found here.
Last modified: November 21st, 2011