Security Alert: New Root-Capable DroidDeluxe Malware Found in Alternative Android Markets

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University

After discovering the GingerMaster malware, my research team, in collaboration with NQ Mobile, recently identified another new malware -- DroidDeluxe -- with a root exploit for Android-based phones (running 2.2 and below). This malware claims to have the functionality of recovering user's password from the phone. But instead of leveraging legitimate ways to access user's credential information, it takes the (extreme) approach of silently rooting the phone. The way to root the phone is essentially based on the Rageagainstthecage/Zimperlich root exploit (which has been similarly used by DroidDream, BaseBridge, and DroidKungFu). Our investigation shows that this malware does not provide the claimed password recovery capability. Instead after rooting the phone, it simply makes world-accessible a few related files that contain users' credentials. Our analysis further shows that its current payload seems rather limited and are not clearly malicious. However, similar to zHash, it immediately creates a hole in the phone and makes it abusable by other apps to bypass or break the built-in security protection of Android.

How it works

After being launched, DroidDeluxe will collect a variety of information from the device, including the phone model, the manufacturer and the brand. The collected information will be uploaded through the Google Analytics network (with account ID: UA-19670793-1).

Our analysis shows that DroidDeluxe packages the Rageagainstthecage/Zimperlich root exploit in an executable named password. When it runs, it will start the exploitation process in the background without user's awareness (to obtain the root privilege). If successful, it will then launch another embedded executable named special. This special program essentially changes the file mode of account-related files in the phone and makes them world-readable and world-writable. Based on our current investigation, the affected files include

These files contains user's confidential information such as accounts name, authtoken, contacts and so on. Though our current analysis does not reveal any other malicious payload, it already seriously puts users at the risk.


Due to the fact that DroidDeluxe contains a root exploit, we consider it poses one of the most serious threats to mobile users. For mitigation, please follow common-sense guidelines for smartphone security. For example,


Last modified: September 1st, 2011