Security Alert: New Sophisticated Android Malware DroidKungFu Found in Alternative Chinese App Markets
By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
My research identified new DroidKungFu variants. Please see our analysis here
On 05/31/2011, while working on an Android-related research project, my research team came
across a new sophisticated Android malware DroidKungFu, which has not been reported
before. This malware is capable of rooting the vulnerable Android phones and may successfully evade
the detection from current mobile anti-virus software.
This malware is identified from four Android apps (including two games) that have been circulated among at least
eight alternative Chinese app markets and forums.
The interesting part about the malware is that it encrypts two known root exploits --
a udev exploit
and a so-called rageagainstthecage exploit. When it runs, the malware decrypts these two exploits and then execute them to launch the attack. We have tested it
on two leading mobile security apps and neither detected DroidKungFu.
The DroidKungFu malware is included in repackaged apps made available through a number of
alternative app markets and forums targeting Chinese-speaking users. The malware will add into
the infected app a new service and a new receiver. The receiver will be notified
when the system finishes booting so that it can automatically launch the service without user
Once the service gets started, DroidKungFu will collect a variety of information
on the infected mobile phone, including the IMEI number, phone model, as well as the Android OS version.
With the collected information, the malware phones home by making a HTTP Post to a hard-coded remote server -- http://xxxxxx.xxxxxx.com:8511/search/sayhi.php.
Launching the exploits
If we take a close look inside the new service added by the malware, the onCreate() method will attempt to get root access on the phone using two separate exploits -- the same exploits used by the DroidDream malware . The following code snippet shows one of them, which is related to an embedded file named "ratc" (the acronym of "RageAgainstTheCage").
This file is encrypted but will be decrypted at runtime (with the copyAssets method) and then executed to exploit the adb resource exhaustion bug, which affects Android 2.2 or below (NOTE: more than 85% of Android device runs on Android 2.2 and Android 2.1 ). If successful, the malware can elevate its privilege to root. Recent Android versions (2.3+) have patched this bug and this exploit will not be successful. In this case, the malware will attempt to detect whether the phone has been already rooted and if so further request for the root privilege. In either case, the malware will still phone home with collected phone information (e.g., IMEI and phone model etc).
Dropping more malware and others
After obtaining the root privilege, the DroidKungFu malware can essentially access arbitrary files in the phone and have the capability to install or remove any packages. One built-in payload of DroidKungFu is to install a hidden app named legacy after getting the root privilege. The app is embedded as part of the infected host app and pretends to be the legitimate Google Search app bearing with the same icon. It turns out that the fake app is a backdoor, which connects back to the remote server for instructions and essentially converts the compromised phone into a bot!
For mitigation, please follow basic, common-sense guidelines for smartphone security. For example,
- download apps from reputable app stores that you trust; and always check reviews, ratings as well as developer information before downloading;
- check the permissions on apps before you actually install them and make sure you are comfortable with the data they will be accessing;
- be alert for unusual behavior on the part of mobile phones and make sure you have up-to-date security software installed on your phone.
We are currently discussing this discovery with leading anti-virus software companies to better protect smartphone users.
For responsible disclosure, we would like to follow the common wisdom by informing users about the potential risk without making the samples to public.
- 6/29/2011: My research identified new DroidKungFu variants. Please see our analysis here
- 6/7/2011: Based on the information we collected (including our own experiments), a number of mobile anti-virus software companies (e.g., Lookout, BitDefender, TrendMicro, and F-Secure) are now able to detect or block this malware.
- 6/5/2011: We have been busy in contacting or being contacted from leading mobile anti-virus companies and research labs, including Lookout, Symantec, McAfee, Kaspersky, AVG, AegisLab, SmrtGuard, Juniper, Kinetoo, BitDefender, Google, ...
- 6/4/2011: This article goes public.
- 5/31/2011: The first DroidKungFu sample is detected.
Last modified: June 23, 2011