Security Alert: New Sophisticated Android Malware DroidKungFu Found in Alternative Chinese App Markets

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
Update: My research team has identified new DroidKungFu variants. Please see our analysis here

On 05/31/2011, while working on an Android-related research project, my research team came across a new, sophisticated Android malware, DroidKungFu, which had not been reported before. This malware is capable of rooting vulnerable Android phones and may successfully evade detection by current mobile anti-virus software. The malware was identified in four Android apps (including two games) that have been circulated among at least eight alternative Chinese app markets and forums. The interesting part about the malware is that it encrypts two known root exploits -- a udev exploit and the so-called rageagainstthecage exploit. When it runs, the malware decrypts these two exploits and then executes them to launch the attack. We have tested it against two leading mobile security apps and neither detected DroidKungFu.

Getting started

The DroidKungFu malware is included in repackaged apps made available through a number of alternative app markets and forums targeting Chinese-speaking users. The malware adds a new service and a new receiver to the infected app. The receiver is notified when the system finishes booting, so that it can automatically launch the service without user interaction.

Phoning home

Once the service starts, DroidKungFu collects a variety of information about the infected phone, including the IMEI number, the phone model, and the Android OS version.

With the collected information, the malware phones home by making an HTTP POST to a hard-coded remote server -- http://xxxxxx.xxxxxx.com:8511/search/sayhi.php.

Launching the exploits

If we take a close look inside the new service added by the malware, its onCreate() method attempts to get root access on the phone using two separate exploits -- the same exploits used by the DroidDream malware [1]. The following code snippet shows one of them, which is related to an embedded file named "ratc" (the acronym of "RageAgainstTheCage"). This file is stored encrypted but is decrypted at runtime (by the copyAssets method) and then executed to exploit the adb resource exhaustion bug, which affects Android 2.2 and below (NOTE: more than 85% of Android devices run Android 2.2 or Android 2.1 [2]). If successful, the malware elevates its privilege to root. Recent Android versions (2.3+) have patched this bug, so the exploit will not succeed there. In that case, the malware attempts to detect whether the phone has already been rooted and, if so, requests the root privilege directly. In either case, the malware still phones home with the collected phone information (e.g., IMEI and phone model).

Dropping more malware and others

After obtaining root privilege, the DroidKungFu malware can essentially access arbitrary files on the phone and has the capability to install or remove any package. One built-in payload of DroidKungFu is to install a hidden app named legacy after getting root. The app is embedded as part of the infected host app and pretends to be the legitimate Google Search app, bearing the same icon. It turns out that the fake app is a backdoor, which connects back to the remote server for instructions and essentially converts the compromised phone into a bot!
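The traits described in the sections above (a boot-triggered receiver paired with an added service, IMEI collection plus network phone-home, and the embedded files "ratc" and "legacy") can be turned into a static triage check for a decoded APK. The script below is an added example written for this page, not code from the original analysis; the manifest and asset list are constructed, and the permission pairing (READ_PHONE_STATE for the IMEI, INTERNET for the POST) is an assumption inferred from the behaviour the write-up describes rather than something the page states.

```python
"""Static triage of a decoded APK for the DroidKungFu traits described above:
a BOOT_COMPLETED receiver that can start the added service, permissions needed
to read the IMEI and phone home, and the asset names "ratc" and "legacy".
The manifest and asset list below are CONSTRUCTED sample input, not a real sample."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
BOOT = "android.intent.action.BOOT_COMPLETED"
# Assumed from the described behaviour (IMEI read + HTTP POST); not stated on the page.
NET_PERMS = {"android.permission.READ_PHONE_STATE", "android.permission.INTERNET"}
ASSET_NAMES = {"ratc", "legacy"}  # file names quoted in the analysis


def boot_receivers(manifest_xml):
    """Names of <receiver>s whose intent filter includes BOOT_COMPLETED."""
    root = ET.fromstring(manifest_xml)
    return [r.get(NS + "name") for r in root.iter("receiver")
            if any(a.get(NS + "name") == BOOT for a in r.iter("action"))]


def permissions(manifest_xml):
    """Set of permissions the manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {p.get(NS + "name") for p in root.iter("uses-permission")}


def triage(manifest_xml, assets):
    """Return the indicators that fired; two or more warrant manual review."""
    hits = {}
    rcv = boot_receivers(manifest_xml)
    if rcv and ET.fromstring(manifest_xml).find(".//service") is not None:
        hits["boot_receiver_plus_service"] = rcv
    if NET_PERMS <= permissions(manifest_xml):
        hits["imei_and_network_perms"] = sorted(NET_PERMS)
    bad = ASSET_NAMES & {a.rsplit("/", 1)[-1] for a in assets}
    if bad:
        hits["known_asset_names"] = sorted(bad)
    return hits


SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.repackaged.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".AddedService"/>
    <receiver android:name=".AddedReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_ASSETS = ["assets/ratc", "assets/legacy", "assets/level1.png"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_ASSETS))
```

A boot receiver or a service on its own is common in benign apps; it is the combination with the other indicators, especially in a repackaged game, that makes a sample worth pulling apart by hand.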

Mitigation:

For mitigation, please follow basic, common-sense guidelines for smartphone security. For example,

Follow-ups:

We are currently discussing this discovery with leading anti-virus software companies to better protect smartphone users. For responsible disclosure, we would like to follow the common wisdom of informing users about the potential risk without making the samples public.

Related links:

Last modified: June 23, 2011