In collaboration with NQ Mobile, when monitoring the evolution of DroidKungFu, we came across a new variant called DKFBootKit. While it uses known techniques to piggyback malicious payloads into legitimate apps, it intentionally chooses legitimate apps that require root privilege to facilitate its payload. Specifically, by taking advantage of the root privilege, DKFBootKit adds itself as a part of the boot sequence of the original Android system and replaces a number of utility programs (e.g., ifconfig and mount). By doing so, the malware can get started even before the entire Android framework is bootstraped. To the best of our knowledge, this malware is the first of its kind in moving towards a full-fledged bootkit on Android, which represents a serious threat to mobile users. Based on our initial investigation, we have so far identified more than 100 infected malware samples and it seems this number continues to grow at the time of writing this report.
Based on our study, DKFBootKit adds a common background service to victim apps, which once run will release a hidden executable program. This hidden program will check whether it has the root privilege. If not, it terminates itself. Otherwise, it mounts the system partition as writable, copies itself into the /system/lib directory, replaces several commonly-used utility programs (e.g., ifconfig and mount), and alters related daemons (e.g., vold and debuggerd) and bootstrap-related scripts. The purpose seems to allow itself to run earlier than the Android framework is initialized to start other apps. Moreover, the malware itself contains a bot payload that phones home to several remote C&C servers and waits for further commands. It's worth mentioning that because DKFBootKit utilizes the root privilege, it can execute arbitrary commands. We are still in the process of actively monitoring DKFBootKit C&C servers. An initial investigation of these C&C servers show that the related domains were registered in January, 2012.
Last modified: April 2, 2012