The Latest in IT Security

Android/DroidKungFu: attacking from a mobile device?

16
Jun
2011

The Android malware DroidKungFu reports back to the following URLs:

http://[REMOVED]fu-android.com:8511/search/rpty.php

http://[REMOVED]fu-android.com:8511/search/getty.php

http://[REMOVED]fu-android.com:8511/search/sayhi.php

A whois on the corresponding IP address replies with the following most peculiar information: it looks like the IP address belongs to a mobile device (either a phone, or a tablet, or a computer with a 2G/3G connection…) of a well-known Chinese operator. Of course, we have immediately notified this operator. This is rather surprising since, usually, attacks on mobile phones (especially command & control servers) are conducted from a host on the Internet.

$ whois [REMOVED]6.37.93
 ...
 inetnum:      [REMOVED]4.0.0 - [REMOVED].255.255
 netname:      [REMOVED]NET-JS
 descr:        [REMOVED]NET jiangsu province network
 descr:        [REMOVED - Belongs to a Chinese operator] Telecom
 descr:        A12,Xin-Jie-Kou-Wai Street
 descr:        Beijing 100088
 country:      CN
 admin-c:      CH93-AP
 tech-c:       CJ186-AP
 mnt-by:       APNIC-HM
 mnt-lower:    MAINT-[REMOVED]NET-JS
 mnt-routes:   MAINT-[REMOVED]NET-JS
 ...
 status:       ALLOCATED PORTABLE
 source:       APNIC

We tried to fingerprint the operating system of the host at that IP address:

curl -F 'imei=12345899;managerid=yutian07' -A 'Mozilla/5.0 (Linux; U;
  Android 2.1-update1; en-us; ADR6300 Build/ERE27)
  AppleWebKit/530.17 (KHTML, like Gecko)
  Version/4.0 Mobile Safari/530.17'

http://[REMOVED]fu-android.com:8511/search/sayhi.php

OK

We can try a few other combinations, but they don’t tell much more about the OS it’s running on.

Let’s try a telnet:

So, it’s (likely) an Apache 2.2.3 on a CentOS. Another telnet on Port 22 tells us there’s an SSH 4.3 server too:

telnet [REMOVED]fu-android.com 22
Trying [REMOVED]7.93...
Connected to [REMOVED]fu-android.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3

It is technically possible to run a web server and an SSH server on an Android phone, but they would probably offer poor performance. I would rather go for an Android tablet or a computer with a 2G/3G connection.
Any other assumption or comment on the motivation behind this Android malware?

– the Crypto Girl

Leave a reply


Categories

MONDAY, AUGUST 02, 2021
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments