New DroidKungFu Variants -- Again!

Security Alert: New DroidKungFu Variant -- AGAIN! -- Found in Alternative Android Markets

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University

It seems smartphone malware authors are diligent and hard-working to protect their own "intellectual property" -- malware by evolving/bringing them to the next level. After discovering the original DroidKungFu malware in June and its DroidKungFu2 variant in July, our research team, in collaboration with NQ Mobile, recently identified a new wave of DroidKungFu-infected apps this August. The new variant or DroidKungFu3 is much more "advanced" than previous versions -- as it is clearly designed to evade the detection from existing mobile anti-virus software. More specifically, this variant is equipped with new protection mechanisms by (1) obfuscating remote C&C server URLs (instead of including them as plaintext in earlier versions); (2) hiding all malware-related native binaries with encryption; and (3) masquerading an embedded app as the official Google Update. These obfuscation mechanisms as well as various differences from earlier versions are a clear sign behind the rapid evoluation of Android malware.

How it works

Once installed on the phone, this DroidKungFu variant will "phone home" with various information collected from the device, including IMEI, OS version number, and phone model. Specifically, instead of including plaintex remote server URLs, the malware encrypts them and has three C&C servers for additional redundancy or robustness. The following figures show the uncovered URLs of the C&C server as well as the decryption method used in the DroidKungFu variant.

Similar to the earlier variants, this new version also carries with two root exploits. To avoid being detected, these root exploits are encypted. Our analysis shows that one of them is the well-known "RageAgainstTheCage" root exploit and the other exploits the adb resource exhaustion bug, which affects Android 2.2 or below (NOTE: more than 85% of Android device runs on Android 2.2 and Android 2.1). If successful, the malware can elevate its privilege to root. Recent Android versions (2.3+) have patched these bugs and these two exploits will not be successful. In this case, the malware will attempt to detect whether the phone has been already rooted and if so further request for the root privilege. In either way, the malware will still phone home with collected phone information (e.g., IMEI and phone model etc).

Inside the infected app, there exists an (encrypted) embedded apk that the malware will attempt to install after getting the root privilege. Specifically, the embedded apk, once decrypted, appears to be a fake Google Update app. If installed, this embedded apk does not show any icon in the home screen. Our analysis shows that this app is actually a backdoor, which will connect back to a remote server for instructions. In essence, it effectively converts the compromised phone into a bot.

How it evolves (from earlier versions)

Within a short two-month period from June to August 2011, we have already identified three different versions of DroidKungFu malware. Clearly, while the anti-virus companies diligently push out signatures to detect malware in the wild, the malware authors are also working hard to evolve malware at a rapid pace to avoid detection. Considering the current pace the malware is evolving, we anticipate the arm race will be observed to be more intense in the future.

The following table lists the key differences we observed among these three variants of DroidKungFu malware: DroidKungFu1 is the very first DroidKungFu sample we discovered in June, 2011. DroidKungFu2 is the second variant we detected in July, 2011. DroidKung3 is the most recent one we are reporting in this article.

It is evident from the table that DroidKungFu malware is evolving in multiple aspects. For example, the first version DroidKungFu1 includes one (and only one) C&C server hardcoded in Java code as plaintext; the second version DroidKungFu2 evolves it by having three C&C servers and including them in native code, which makes it diffuclt for reverse engineering analysis. The current version DroidKungFu3 makes a step further by encrypting them instead of simply including them as plaintext. It is also worth noting the time line of these variants. In particular, though new signatures are timley pushed out to protect users, malware authors are also diligently releasing new variant (one per month in this case) to evade the detection. Our experiments show that each new variant of DroidKungFu malware can successfully evade the detection by most, if not all, leading (full-patched) mobile anti-virus softwares at the time we discover it.

Mitigation:

Due to the fact that DroidKungFu contains root exploits, we consider it poses one of the most serious threats to mobile users. For mitigation, please follow common-sense guidelines for smartphone security. For example,

download apps from reputable app stores that you trust; and always check reviews, ratings as well as developer information before downloading;
check the permissions on apps before you actually install them and make sure you are comfortable with the data they will be accessing;
be alert for unusual behavior on the part of mobile phones and make sure you have up-to-date security software installed on your phone.

Follow-ups:

8/17/2011: This article goes public.
8/15/2011: We detected the new DroidKungFu malware in 38 different apps.

Last modified: August 17th, 2011