Security Alert: New Android Malware -- DKFBootKit -- Moves Towards The First Android BootKit

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University

In collaboration with NQ Mobile, while monitoring the evolution of DroidKungFu, we came across a new variant we call DKFBootKit. It uses the known technique of piggybacking a malicious payload onto legitimate apps, but it deliberately picks legitimate apps that already require root privilege, and it reuses that privilege for its own payload. Specifically, DKFBootKit adds itself to the boot sequence of the Android system and replaces a number of system utility programs (e.g., ifconfig and mount). As a result, the malware is started before the Android framework itself is bootstrapped. To the best of our knowledge, this is the first Android malware that moves towards a full-fledged bootkit, which represents a serious threat to mobile users. Our initial investigation has so far identified more than 100 infected samples, and that number appears to be growing at the time of writing.

How it works

As mentioned earlier, DKFBootKit piggybacks on legitimate apps. The victim apps it chooses to infect, however, are utility apps that require root privilege to work properly. In the samples we analyzed, the infected apps range from ones that manage the apps installed on the phone, to ones that unlock popular games, to ones that provide license keys for some (premium) paid apps. These apps have plausible reasons to request root privilege for their own functionality, and it is reasonable to expect that users will grant it. DKFBootKit, however, turns the granted root privilege to a different purpose: compromising the integrity of the system. We believe this makes DKFBootKit considerably stealthier than the earlier DroidKungFu variants, which rely on existing root exploits to gain root privilege and can therefore be detected by the exploit code they carry. In the following, we show a screenshot of one DKFBootKit-infected sample that purports to provide the license key for the paid version of a ROM management app.

Based on our study, DKFBootKit adds a common background service to each victim app. Once run, the service drops a hidden executable program. That program first checks whether it has root privilege; if not, it terminates. Otherwise, it remounts the system partition read-write, copies itself into the /system/lib directory, replaces several commonly used utility programs (e.g., ifconfig and mount), and alters related daemons (e.g., vold and debuggerd) and bootstrap-related scripts. The purpose appears to be to get the malware running before the Android framework is initialized and starts other apps. In addition, the malware carries a bot payload that phones home to several remote C&C servers and waits for further commands; because it runs with root privilege, any command it receives can be executed. We are still actively monitoring the DKFBootKit C&C servers. An initial investigation shows that the related domains were registered in January 2012.
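The persistence mechanism above suggests a straightforward integrity check an analyst can run against a rooted device or a pulled /system image. The following POSIX shell script is an added example, not code from the original post, from NQ Mobile or from the malware itself: it compares a copy of an Android /system tree against a sha256 manifest taken from the matching clean firmware (both assumed to be available to the analyst), reports utilities that were replaced or files that were newly dropped, and reads a /proc/mounts-style table to see whether /system has been remounted read-write. The sample tree, the manifest, the mount table (including the mmcblk0p9 device name) and the dropped file name lib/payload are all constructed stand-ins.

```shell
#!/bin/sh
# Added example, not code from the original post, NQ Mobile or the malware:
# an offline check for the persistence technique described above. It compares
# a copy of an Android /system tree against a sha256 manifest taken from the
# matching clean firmware (both assumed to be available to the analyst) and
# inspects a /proc/mounts-style table for a read-write /system. The tree,
# manifest, mount table and the file name lib/payload are all constructed.

# sha256 of one file; falls back to shasum where coreutils is absent.
hashfile() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Writes "<sha256> <relative path>" for every regular file under the tree $1.
# Run once against a known-clean copy of the firmware's /system.
make_manifest() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
        printf '%s %s\n' "$(hashfile "$f")" "${f#./}"
    done )
}

# Compares the tree $1 with the manifest $2 (give an absolute path). Prints one
# line per modified, missing or newly added file; returns 0 if clean, 1 if not.
# Added files matter because DKFBootKit drops its executable into /system/lib.
check_tree() {
    root=$1 manifest=$2 bad=0
    while read -r expected path; do
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"; bad=1
        elif [ "$(hashfile "$root/$path")" != "$expected" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$manifest"
    added=$( ( cd "$root" && find . -type f | sort ) | while read -r f; do
        rel=${f#./}
        cut -d' ' -f2- "$manifest" | grep -Fxq -- "$rel" || echo "ADDED    $rel"
    done )
    if [ -n "$added" ]; then echo "$added"; bad=1; fi
    return $bad
}

# Returns 0 if the /proc/mounts-style file $1 shows /system mounted rw, else 1.
# Stock devices keep /system read-only; the malware remounts it rw to install.
system_mounted_rw() {
    awk '$2 == "/system" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "rw") found = 1 }
         END { if (found) exit 0; exit 1 }' "$1"
}

# Constructed stand-in for a clean /system tree (placeholder text, not binaries).
make_sample_system() {
    mkdir -p "$1/bin" "$1/lib"
    printf 'stock ifconfig\n' > "$1/bin/ifconfig"
    printf 'stock mount\n'    > "$1/bin/mount"
    printf 'stock vold\n'     > "$1/bin/vold"
    printf 'stock libc\n'     > "$1/lib/libc.so"
}

# Constructed stand-in for the infection: one utility replaced, one file dropped
# into lib/. The name "payload" is hypothetical; the post does not give the real one.
simulate_infection() {
    printf 'replaced ifconfig\n' > "$1/bin/ifconfig"
    printf 'dropped payload\n'   > "$1/lib/payload"
}

# Stand-alone demonstration on the constructed tree.
tmp=$(mktemp -d)
make_sample_system "$tmp/system"
make_manifest "$tmp/system" > "$tmp/clean.sha256"
printf '/dev/block/mmcblk0p9 /system ext4 ro,relatime 0 0\n' > "$tmp/mounts.ro"
printf '/dev/block/mmcblk0p9 /system ext4 rw,relatime 0 0\n' > "$tmp/mounts.rw"
echo "== clean tree =="
check_tree "$tmp/system" "$tmp/clean.sha256" && echo "no changes"
system_mounted_rw "$tmp/mounts.ro" && echo "/system is rw" || echo "/system is ro"
simulate_infection "$tmp/system"
echo "== after simulated infection =="
check_tree "$tmp/system" "$tmp/clean.sha256" || echo "verdict: TAMPERED"
system_mounted_rw "$tmp/mounts.rw" && echo "/system is rw" || echo "/system is ro"
rm -rf "$tmp"
```

On a real device the tree would be pulled with adb (or imaged from the system partition) and the manifest generated from the vendor's factory image for the same build; a rooted malware can, of course, also tamper with the device's own sha256sum or find, so run the check from the analysis host against a copy rather than on the device.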

Mitigation:

We found this malware in unofficial Android markets. To the best of our knowledge, we have not found the threat in the official Android Market (now Google Play). For mitigation, please follow common-sense guidelines for smartphone security. For example,

Follow-ups:

Last modified: April 2, 2012