The Latest in IT Security

Another Android malware utilizing a root exploit

06
Jun
2011

Another Android malware utilizing the root exploit “Rage Against The Cage” has been found, and we detected it as Trojan:Android/DroidKungFu.A. This new malware was embedded on a trojanized application that may require a root access in order to conceal itself. The infection occurs in two parts:

Infection: Part 1

The first part is the installation of a trojanized application that would gain root privilege and install the com.google.ssearch application. This application points to the Trojan:Android/DroidKungFu.A‘s service component that will start a service com.google.ssearch.Receiver. On the creation of this service, it will call the function getPermission() that will install an embedded APK.

droidkungfu_create (47k image)

droidkungfu_getpermission (56k image)

This will call for checkPermission() that will check if com.google.ssearch.apk is already existed. If not, it will install the “legacy” file, which is an APK file, to the “system/app” (the application folder).

droidkungfu_checkpermission (95k image)

Infection: Part 2

The second part deals with the main malware component, com.google.ssearch.apk. As we may recall, this component was also present in the trojanized application.

Here is a screenshot showing the com.google.ssearch.apk installed.

droidkungfu_screen (194k image)

The malware appears to have a backdoor functionality. Here are some of its capabilities that we have seen:

  • execDelete – execute command to delete a supplied file
  • execHomepage – execute a command to open a supplied homepage
  • execInstall – download and install a supplied APK
  • execOpenUrl – open a supplied URL
  • execStartApp – run or start a supplied application package

Trojan:Android/DroidKungFu.A can also obtain the following information and post it to a remote server:

  • imei – IMEI number
  • ostype – Build version release, e.g., 2.2
  • osapi – SDK version
  • mobile – users’ mobile number
  • mobilemodel – Phone model
  • netoperator – Network Operator
  • nettype – Type of Net Connectivity
  • managerid – hard-coded value which is “sp033”
  • sdmemory – SD card available memory
  • aliamemory – Phone available memory

Root is set to 1 as to signify with root, and these information are then sent to “http://search.gong[…].php.”

The malware obtains the commands from “http://search.gong[…].php” by posting in the “imei,” “managerid” and root value. It also reports the status of the commands on “http://search.gong[…].php” by posting in “imei,” “taskid,” “state” and “comment.”

Threat Solutions post by – Zimry

Leave a reply


Categories

SUNDAY, DECEMBER 15, 2019
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments