After discovering the
GingerMaster malware, my research team, in collaboration with NQ Mobile,
recently identified another new malware -- DroidDeluxe -- with a root exploit for Android-based phones
(running 2.2 and below).
This malware claims to have the functionality of recovering user's password from
the phone. But instead of leveraging legitimate ways to access user's credential information,
it takes the (extreme) approach of silently
rooting the phone. The way to root the phone is essentially
based on the Rageagainstthecage/Zimperlich root exploit (which has been similarly
Our investigation shows that this malware does not provide the claimed password
recovery capability. Instead after rooting the phone, it simply makes world-accessible
a few related files that contain users' credentials.
Our analysis further shows that its current payload seems rather limited and are not clearly malicious.
similar to zHash, it immediately creates a hole in the phone and makes it abusable by
other apps to bypass or break the built-in security protection of Android.
After being launched, DroidDeluxe will collect a variety of information from the device,
including the phone model, the manufacturer and the brand. The collected information will be
uploaded through the Google Analytics network (with account ID: UA-19670793-1).
Our analysis shows that DroidDeluxe packages the Rageagainstthecage/Zimperlich root exploit in an executable named password. When it runs, it will start the exploitation process in the background without user's awareness (to obtain the root privilege). If successful, it will then launch another embedded executable named special. This special program essentially changes the file mode of account-related files in the phone and makes them world-readable and world-writable. Based on our current investigation, the affected files include
Last modified: September 1st, 2011