[FSec] Another Android Malware Utilizing a Root Exploit

Another Android malware utilizing the root exploit "Rage Against The Cage" has been found. We were able to find a sample ourselves, and we now detect it as Trojan:Android/DroidKungFu.A.

This new malware is embedded in a trojanized application that may require root access in order to conceal itself. The infection occurs in two parts:

Infection: Part 1

The first part is the installation of a trojanized application that gains root privileges and installs the com.google.ssearch application. This application points to Trojan:Android/DroidKungFu.A's service component, which starts a service, com.google.ssearch.Receiver. On the creation of this service, it calls the function getPermission(), which installs an embedded APK.

[Screenshot: droidkungfu_create.jpg]


[Screenshot: droidkungfu_getpermission.jpg]


This in turn calls checkPermission(), which checks whether com.google.ssearch.apk already exists. If not, it installs the "legacy" file, which is an APK file, to "system/app" (the system application folder).

[Screenshot: droidkungfu_checkpermission.jpg]


Infection: Part 2

The second part deals with the main malware component, com.google.ssearch.apk. As noted above, this component was also present in the trojanized application.

Here is a screenshot showing the com.google.ssearch.apk installed.

[Screenshot: droidkungfu_screen.jpg]


The malware appears to have a backdoor functionality. Here are some of its capabilities that we have seen:

• execDelete — execute command to delete a supplied file
• execHomepage — execute a command to open a supplied homepage
• execInstall — download and install a supplied APK
• execOpenUrl — open a supplied URL
• execStartApp — run or start a supplied application package

Trojan:Android/DroidKungFu.A can also obtain the following information and post it to a remote server:

• imei — IMEI number
• ostype — Build version release, e.g., 2.2
• osapi — SDK version
• mobile — user's mobile number
• mobilemodel — Phone model
• netoperator — Network Operator
• nettype — Type of Net Connectivity
• managerid — hard-coded value which is "sp033"
• sdmemory — SD card available memory
• aliamemory — Phone available memory

The root value is set to 1 to signify that root was obtained, and this information is then sent to "http://search.gong[...].php".

The malware obtains commands from "http://search.gong[...].php" by posting the "imei," "managerid" and root values. It also reports the status of the commands to "http://search.gong[...].php" by posting "imei," "taskid," "state" and "comment."
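As an added example that is not part of the original post, the following Python classifies proxy-log POST bodies whose parameter sets match the three beacon types described above (device information, command poll, status report). The log format, C2 hostname, source addresses and device values are constructed placeholders, not values from the sample.

```python
# Added example (not from the original post): classify proxy-log POST bodies whose
# parameter sets match the DroidKungFu.A beacons described above. Log format,
# C2 hostname and device values are constructed placeholders.
from typing import Optional
from urllib.parse import parse_qs

# Parameter sets the analysis lists for each message type.
INFO_KEYS = {"imei", "ostype", "osapi", "mobile", "mobilemodel", "netoperator",
             "nettype", "managerid", "sdmemory", "aliamemory", "root"}
CMD_KEYS = {"imei", "managerid", "root"}
REPORT_KEYS = {"imei", "taskid", "state", "comment"}
MANAGER_ID = "sp033"  # hard-coded value reported in the analysis

def classify_post(body: str) -> Optional[str]:
    """Return the beacon type for a URL-encoded POST body, or None if it matches none."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    keys = set(params)
    if REPORT_KEYS <= keys:
        return "command-report"
    if INFO_KEYS <= keys and params.get("managerid") == MANAGER_ID:
        return "device-info"
    if CMD_KEYS <= keys and params.get("managerid") == MANAGER_ID:
        return "command-poll"
    return None

def scan_log(lines):
    """Yield (line_no, beacon_type, imei) for every matching line of a constructed proxy log."""
    for n, line in enumerate(lines, 1):
        # constructed format: "<timestamp> <src_ip> <method> <url> body=<urlencoded>"
        if " POST " not in line or " body=" not in line:
            continue
        body = line.split(" body=", 1)[1].strip()
        kind = classify_post(body)
        if kind:
            yield n, kind, parse_qs(body).get("imei", ["?"])[0]

# Constructed sample log: device-info post, command poll, status report, a benign form
# reusing the same key names with a different managerid, and a non-POST request.
SAMPLE_LOG = [
    "2011-06-06T07:54:01 10.0.0.12 POST http://c2.example/search.php body=imei=356938035643809&ostype=2.2&osapi=8&mobile=15555550123&mobilemodel=Nexus+One&netoperator=TestNet&nettype=WIFI&managerid=sp033&sdmemory=1024&aliamemory=256&root=1",
    "2011-06-06T07:54:05 10.0.0.12 POST http://c2.example/search.php body=imei=356938035643809&managerid=sp033&root=1",
    "2011-06-06T07:54:09 10.0.0.12 POST http://c2.example/search.php body=imei=356938035643809&taskid=17&state=1&comment=done",
    "2011-06-06T07:55:00 10.0.0.33 POST http://shop.example/cart body=imei=000&managerid=other&root=0",
    "2011-06-06T07:55:02 10.0.0.33 GET http://news.example/ body=",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the three beacons from the infected device are reported; the benign form on the fourth line shares the key names but not the hard-coded managerid, so it is not flagged.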

Threat Solutions post by — Zimry

—————

Updated to clarify: The original discovery of the trojan was by a research team at North Carolina State University. We were able to independently find a sample for our own analysis.
On 06/06/11 At 07:54 AM
