Newsfeed
Nachrichtenbote
DroidKungFu has been around for a while, and most of the variants have been identified and detected by most Anti-Virus products. However, our investigation on its technique and infection vector reveals something more interesting.
We first mentioned about 'Update Attack' in a previous post on Spyware:Android/SndApps.A. While others may see Update Attack as a simple way to infect a device, the actual scenario with DroidKungFu might be trickier. DroidKungFu is known to use a harmless application to deliver its payload. And at this point, we cannot tell whether the distribution server was compromised or the developer itself is the creator of the malware.
Upon closer investigation, we discovered that DroidKungFu has been using the Update Attack method and the older version of the application was available on the official Android Market for a month at some point. While the latest identified DroidKungFu version is no longer available on the official Android Market, it is still available in the third party Chinese market.
The application in question is called com.ps.keepaccount, and a quick check into its content reveals a couple of findings.
The original application with SHA-1: 5e2fb0bef9048f56e461c746b6a644762f0b0b54 does not show any trace of DroidKungFu at first glimpse.
Content and installation permission
Once installed, the application would inform the user that an update is available; when the user installs this update, the updated application would then contain extra functionalities, similar to that found in DroidKungFu malware.
The series of screenshots below shows what happen during the update process:
In the last screenshot, the application was shown to have stopped unexpectedly. It is probably due to an error as this variant of DroidKungFu is still using the exploit for Android OS version 2.2, and the tested phone is using Android OS version 2.3.
Below is the packet capture during the update process showing the source of the updated application:
Compared to the original version, the updated application requested for two additional permissions that would allow it to access SMS, MMS and the device's location. But it is more important to take note that the updated application was using an exploit to gain root privilege, which would enable it to perform more damage. While a difference in permissions may not be the best way to identify whether an update is malicious, it is still a good practice to be aware and suspicious if an application update is requesting for different permissions.
A quick view into the contents of the updated application with SHA-1: 7cd1122966da7bc4adfabb28be6bfae24072c1c6:
A standalone malicious copy of the DroidKungFu is the init.db, where init.db is not actually a database file but an encrypted APK file that will be installed by the application when it gains root privilege.
To verify that this application is indeed DroidKungFu, let's take a look at the code:
The "WP" is the key for its decryption that is an ASCII representation, which when converted become "Deta_C1*T#RuOPrs".
Further verification reveals that this application is indeed a variant of DroidKungFu, and we detected it since August 18, 2011 as Trojan:Android/DroidKungFu.C.
The Virus Total result of the DroidKungFu Update is available here.
And, here is the detection result of the updater application.
Threat Solutions post by Zimry, Irene and Yeh
On 25/10/11 At 06:28 AM
Weiterlesen...
We first mentioned about 'Update Attack' in a previous post on Spyware:Android/SndApps.A. While others may see Update Attack as a simple way to infect a device, the actual scenario with DroidKungFu might be trickier. DroidKungFu is known to use a harmless application to deliver its payload. And at this point, we cannot tell whether the distribution server was compromised or the developer itself is the creator of the malware.
Upon closer investigation, we discovered that DroidKungFu has been using the Update Attack method and the older version of the application was available on the official Android Market for a month at some point. While the latest identified DroidKungFu version is no longer available on the official Android Market, it is still available in the third party Chinese market.
The application in question is called com.ps.keepaccount, and a quick check into its content reveals a couple of findings.
The original application with SHA-1: 5e2fb0bef9048f56e461c746b6a644762f0b0b54 does not show any trace of DroidKungFu at first glimpse.
Content and installation permission
Once installed, the application would inform the user that an update is available; when the user installs this update, the updated application would then contain extra functionalities, similar to that found in DroidKungFu malware.
The series of screenshots below shows what happen during the update process:
In the last screenshot, the application was shown to have stopped unexpectedly. It is probably due to an error as this variant of DroidKungFu is still using the exploit for Android OS version 2.2, and the tested phone is using Android OS version 2.3.
Below is the packet capture during the update process showing the source of the updated application:
Compared to the original version, the updated application requested for two additional permissions that would allow it to access SMS, MMS and the device's location. But it is more important to take note that the updated application was using an exploit to gain root privilege, which would enable it to perform more damage. While a difference in permissions may not be the best way to identify whether an update is malicious, it is still a good practice to be aware and suspicious if an application update is requesting for different permissions.
A quick view into the contents of the updated application with SHA-1: 7cd1122966da7bc4adfabb28be6bfae24072c1c6:
A standalone malicious copy of the DroidKungFu is the init.db, where init.db is not actually a database file but an encrypted APK file that will be installed by the application when it gains root privilege.
To verify that this application is indeed DroidKungFu, let's take a look at the code:
The "WP" is the key for its decryption that is an ASCII representation, which when converted become "Deta_C1*T#RuOPrs".
Further verification reveals that this application is indeed a variant of DroidKungFu, and we detected it since August 18, 2011 as Trojan:Android/DroidKungFu.C.
The Virus Total result of the DroidKungFu Update is available here.
And, here is the detection result of the updater application.
Threat Solutions post by Zimry, Irene and Yeh
On 25/10/11 At 06:28 AM
Weiterlesen...