The Latest in IT Security

Another Android malware utilizing a root exploit


Another Android malware utilizing the root exploit “Rage Against The Cage” has been found, and we detected it as Trojan:Android/DroidKungFu.A. This new malware was embedded on a trojanized application that may require a root access in order to conceal itself. The infection occurs in two parts:

Infection: Part 1

The first part is the installation of a trojanized application that would gain root privilege and install the application. This application points to the Trojan:Android/DroidKungFu.A‘s service component that will start a service On the creation of this service, it will call the function getPermission() that will install an embedded APK.

droidkungfu_create (47k image)

droidkungfu_getpermission (56k image)

This will call for checkPermission() that will check if is already existed. If not, it will install the “legacy” file, which is an APK file, to the “system/app” (the application folder).

droidkungfu_checkpermission (95k image)

Infection: Part 2

The second part deals with the main malware component, As we may recall, this component was also present in the trojanized application.

Here is a screenshot showing the installed.

droidkungfu_screen (194k image)

The malware appears to have a backdoor functionality. Here are some of its capabilities that we have seen:

  • execDelete – execute command to delete a supplied file
  • execHomepage – execute a command to open a supplied homepage
  • execInstall – download and install a supplied APK
  • execOpenUrl – open a supplied URL
  • execStartApp – run or start a supplied application package

Trojan:Android/DroidKungFu.A can also obtain the following information and post it to a remote server:

  • imei – IMEI number
  • ostype – Build version release, e.g., 2.2
  • osapi – SDK version
  • mobile – users’ mobile number
  • mobilemodel – Phone model
  • netoperator – Network Operator
  • nettype – Type of Net Connectivity
  • managerid – hard-coded value which is “sp033”
  • sdmemory – SD card available memory
  • aliamemory – Phone available memory

Root is set to 1 as to signify with root, and these information are then sent to “http://search.gong[…].php.”

The malware obtains the commands from “http://search.gong[…].php” by posting in the “imei,” “managerid” and root value. It also reports the status of the commands on “http://search.gong[…].php” by posting in “imei,” “taskid,” “state” and “comment.”

Threat Solutions post by – Zimry

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments