Another Android malware utilizing a root exploit

Another Android malware utilizing the root exploit “Rage Against The Cage” has been found, and we detected it as Trojan:Android/DroidKungFu.A.

This new malware was embedded on a trojanized application that may require a root access in order to conceal itself. The infection occurs in two parts:

Infection: Part 1

The first part is the installation of a trojanized application that would gain root privilege and install the com.google.ssearch application. This application points to the Trojan:Android/DroidKungFu.A‘s service component that will start a service com.google.ssearch.Receiver. On the creation of this service, it will call the function getPermission() that will install an embedded APK.

droidkungfu_create (47k image) droidkungfu_getpermission (56k image)

This will call for checkPermission() that will check if com.google.ssearch.apk is already existed. If not, it will install the “legacy” file, which is an APK file, to the “system/app” (the application folder).

droidkungfu_checkpermission (95k image)

Infection: Part 2

The second part deals with the main malware component, com.google.ssearch.apk. As we may recall, this component was also present in the trojanized application.

Here is a screenshot showing the com.google.ssearch.apk installed.

droidkungfu_screen (194k image)

The malware appears to have a backdoor functionality. Here are some of its capabilities that we have seen:

  • execDelete – execute command to delete a supplied file
  •  

  • execHomepage – execute a command to open a supplied homepage
  •  

  • execInstall – download and install a supplied APK
  •  

  • execOpenUrl – open a supplied URL
  •  

  • execStartApp – run or start a supplied application package
  •  

Trojan:Android/DroidKungFu.A can also obtain the following information and post it to a remote server:

  • imei – IMEI number
  •  

  • ostype – Build version release, e.g., 2.2
  •  

  • osapi – SDK version
  •  

  • mobile – users’ mobile number
  •  

  • mobilemodel – Phone model
  •  

  • netoperator – Network Operator
  •  

  • nettype – Type of Net Connectivity
  •  

  • managerid – hard-coded value which is “sp033”
  •  

  • sdmemory – SD card available memory
  •  

  • aliamemory – Phone available memory
  •  

Root is set to 1 as to signify with root, and these information are then sent to “http://search.gong[…].php.”

The malware obtains the commands from “http://search.gong[…].php” by posting in the “imei,” “managerid” and root value. It also reports the status of the commands on “http://search.gong[…].php” by posting in “imei,” “taskid,” “state” and “comment.”

Threat Solutions post by – Zimry

Source: Another Android malware utilizing a root exploit

Written by admin

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.