Android Forums, Android Lounge (general Android discussion and questions)
June 7th, 2011, 10:10 AM, #1, posted by 4ndr01d

Another Android Malware Utilizing a Root Exploit

Another Android malware utilizing the root exploit "Rage Against The Cage" has been found, and we detect it as Trojan:Android/DroidKungFu.A. This new malware is embedded in a trojanized application that may require root access in order to conceal itself. The infection occurs in two parts:

Infection: Part 1

The first part is the installation of a trojanized application that would gain root privilege and install the com.google.ssearch application. This application points to Trojan:Android/DroidKungFu.A's service component, which will start a service, com.google.ssearch.Receiver. On the creation of this service, it will call the function getPermission(), which will install an embedded APK.

This will call for checkPermission() that will check if com.google.ssearch.apk already exists. If not, it will install the "legacy" file, which is an APK file, to the "system/app" (the application folder).

Infection: Part 2

The second part deals with the main malware component, com.google.ssearch.apk. As we may recall, this component was also present in the trojanized application.

[Screenshot in the original post showing com.google.ssearch.apk installed.]

The malware appears to have backdoor functionality. Here are some of its capabilities that we have seen:

• execDelete — execute command to delete a supplied file
• execHomepage — execute a command to open a supplied homepage
• execInstall — download and install a supplied APK
• execOpenUrl — open a supplied URL
• execStartApp — run or start a supplied application package

Trojan:Android/DroidKungFu.A can also obtain the following information and post it to a remote server:

• imei — IMEI number
• ostype — Build version release, e.g., 2.2
• osapi — SDK version
• mobile — users' mobile number
• mobilemodel — Phone model
• netoperator — Network Operator
• nettype — Type of Net Connectivity
• managerid — hard-coded value which is "sp033"
• sdmemory — SD card available memory
• aliamemory — Phone available memory

Root is set to 1 to signify "with root", and this information is then sent to "http://search.gong[...].php."

The malware obtains the commands from "http://search.gong[...].php" by posting the "imei," "managerid" and root values. It also reports the status of the commands to "http://search.gong[...].php" by posting "imei," "taskid," "state" and "comment."

Threat Solutions post by — Zimry


Another Android Malware Utilizing a Root Exploit - F-Secure Weblog : News from the Lab

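A static-triage script for the indicators the quoted F-Secure write-up lists (the com.google.ssearch package, the embedded APK named "legacy", the hard-coded managerid "sp033" and the exec* backdoor commands). It is an added example, not F-Secure's tooling and not code from the original post. It assumes the dropped "legacy" file sits under assets/ inside the trojanized APK (the post only says it is an embedded APK), and the three sample APKs are constructed in memory so it runs offline with no real malware.

```python
"""Static triage for the DroidKungFu.A indicators listed in the post above.

Added example, not F-Secure's tooling. The sample APKs are constructed in
memory; the assets/legacy location of the dropped APK is an assumption.
"""
import io
import zipfile

# Indicators taken from the post: package name, hard-coded managerid and
# the backdoor command names. The payload's path inside the APK is assumed.
PACKAGE = b"com.google.ssearch"
MANAGER_ID = b"sp033"
COMMANDS = [b"execDelete", b"execHomepage", b"execInstall",
            b"execOpenUrl", b"execStartApp"]
DROP_NAME = "legacy"      # the post names the embedded APK "legacy"
ZIP_MAGIC = b"PK\x03\x04"


def is_apk(data: bytes) -> bool:
    """An APK is a ZIP archive that carries an AndroidManifest.xml entry."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return "AndroidManifest.xml" in z.namelist()
    except zipfile.BadZipFile:
        return False


def scan_apk(data: bytes, depth: int = 0) -> dict:
    """Collect indicators from every entry of an APK.

    Recurses one level into an embedded APK named `legacy`, so strings that
    only exist in the dropped payload (managerid, exec* commands) still count.
    """
    findings = {"embedded_apk": [], "package_ref": False,
                "manager_id": False, "commands": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            if name.rsplit("/", 1)[-1] == DROP_NAME and is_apk(blob):
                findings["embedded_apk"].append(name)
                if depth == 0:
                    inner = scan_apk(blob, depth + 1)
                    findings["package_ref"] |= inner["package_ref"]
                    findings["manager_id"] |= inner["manager_id"]
                    findings["commands"] |= inner["commands"]
                continue
            # DEX string tables store ASCII as plain bytes, so a substring
            # search over the raw entry is enough for these indicators.
            findings["package_ref"] |= PACKAGE in blob
            findings["manager_id"] |= MANAGER_ID in blob
            findings["commands"] |= {c.decode() for c in COMMANDS if c in blob}
    return findings


def verdict(findings: dict) -> str:
    """Dropper = embedded APK plus a reference to the dropped package or its C2 id."""
    if findings["embedded_apk"] and (findings["package_ref"] or findings["manager_id"]):
        return "DroidKungFu.A-like dropper"
    if findings["manager_id"] or len(findings["commands"]) >= 3:
        return "suspicious"
    return "clean"


def build_zip(entries: dict) -> bytes:
    """Helper to construct a sample APK-shaped archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): the payload APK, a trojanized host
# app that embeds it as assets/legacy, and a clean app with a harmless
# file of the same name.
PAYLOAD_APK = build_zip({
    "AndroidManifest.xml": b'<manifest package="com.google.ssearch"/>',
    "classes.dex": b"dex\n035\x00Receiver\x00execDelete\x00execInstall\x00"
                   b"execOpenUrl\x00sp033\x00imei\x00taskid\x00",
})
TROJANIZED_APK = build_zip({
    "AndroidManifest.xml": b'<manifest package="com.example.game"/>',
    "classes.dex": b"dex\n035\x00getPermission\x00checkPermission\x00"
                   b"com.google.ssearch\x00/system/app/\x00",
    "assets/legacy": PAYLOAD_APK,
})
CLEAN_APK = build_zip({
    "AndroidManifest.xml": b'<manifest package="com.example.notes"/>',
    "classes.dex": b"dex\n035\x00MainActivity\x00",
    "assets/legacy": b"Third-party license notices\n",
})

if __name__ == "__main__":
    for label, apk in (("trojanized", TROJANIZED_APK), ("clean", CLEAN_APK)):
        f = scan_apk(apk)
        print(label, verdict(f), f)
```

The recursion matters: a trojanized host app usually carries only the loader (getPermission/checkPermission and the package name), while the managerid and the exec* command names live in the dropped payload, so a scanner that stops at the outer archive sees far fewer indicators. A clean app that happens to ship a file called "legacy" is not flagged, because the name alone is not an indicator; the file has to be an APK.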
June 7th, 2011, 11:04 AM, #2, posted by A.Nonymous

I'm kind of a noob when it comes to these things. Is this a threat on non-rooted phones? Does it require a user to install the malicious program in the first place or can it install without user intervention? On rooted phones with the SU app installed, will this malware ask permissions from said app or does it circumvent that?
June 7th, 2011, 11:09 AM, #3, posted by AndroidSPCS

I suspect this is a risk only if you side-load apps from an unfamiliar source. OP please correct me if I'm wrong.
June 7th, 2011, 11:38 AM, #4, posted by jerofld

The last batch of malicious apps were on the Market. They were copies of legit apps with slightly different names. I suspect that the current threat apps are also on the Market.

Just reinforces the safe practices everyone should use when getting apps from the Market. There is a thread on these forums (somewhere...) that lists, in great detail, how to stay safe from malware.
June 7th, 2011, 11:39 AM, #5, posted by wayrad

Quoting 4ndr01d:
> Another Android malware utilizing the root exploit "Rage Against The Cage" has been found

What is the precise meaning of "found" in this context?

From the following link (caution: hilarious machine translation ahead) it looks like it's not in the Market: http://www.asbigo.com/android/android-droiddream-nightmare-continues/
June 7th, 2011, 11:46 AM, #6, posted by AndroidSPCS

FYI this was fixed by Google in Gingerbread. There is also a patch for pre-Gingerbread phones: [Patch]Malware Exploit for all pre-Gingerbread phones - xda-developers
June 8th, 2011, 02:21 PM, #7, posted by Questkev

My Lookout found the first batch of Droiddream. I have been running MyLookout since I saw the nifty droid commercial that said it was exclusive to the droid lol. It auto updates its list of infected apps, and other malware, and will scan my phone once a day, and any app that I download. I know a lot of people will say that a virus/spyware/malware program is useless on an android, but I would rather take that extra step. Also, it has the nifty locate, lock, and sound an alarm feature that a lot of cellular insurance companies (mostly Asurion) have been adding for an extra fee, free to us (minus the lock and wipe feature, that's for premium).
June 8th, 2011, 02:52 PM, #8, posted by A.Nonymous

Lookout is generally worthless and they weren't the first ones to find DroidDream. Anti-virus programs on any mobile platform are basically scareware at this point.
June 8th, 2011, 03:03 PM, #9, posted by Questkev

I could have sworn every release about the Droid Dream scare a few months ago stated that the malware was brought to the proper attention by MyLookout, after one of their employees discovered it and posted it on Reddit? I could be confused though...

I would rather have it and not need it, than need it and not have it. Usually when you need an antispyware/malware/anti-virus it's usually too late. Not to mention, with everybody having access to everything on their phones now, and the need for a computer has gone down a little bit, what's to stop virus writers from converting from PC to say Android or iOS formats?
June 8th, 2011, 04:04 PM, #10, posted by A.Nonymous

Quoting Questkev:
> I could have sworn every release about the Droid Dream scare a few months ago stated that the malware was brought to the proper attention by MyLookout, after one of their employees discovered it and posted it on Reddit? I could be confused though...
>
> I would rather have it and not need it, than need it and not have it. Usually when you need an antispyware/malware/anti-virus it's usually too late. Not to mention, with everybody having access to everything on their phones now, and the need for a computer has gone down a little bit, what's to stop virus writers from converting from PC to say Android or iOS formats?

Nothing TBH, but at the moment, it's not there. There are many reasons why not to have it: it is merely a placebo, offers no protection, consumes resources, slows down the phone, etc.
February 10th, 2012, 08:28 AM, #11, posted by socrates0

Android malware gives itself root access
Connection to botnet and premium rate calls are next step

Quoting the article:
> A piece of Android malware has been discovered that steals money by giving itself root access then connecting to a botnet to make premium rate texts and calls.
> The malware has been named RootSmart by the research team led by Xuxian Jiang, assistant professor of NC State University's department of computer science.

Android malware gives itself root access | News | TechRadar
February 10th, 2012, 08:34 AM, #12, posted by A.Nonymous

The only way you can get it is from side loading or from a Chinese marketplace, not the official market.
February 10th, 2012, 08:51 AM, #13, posted by socrates0

Yes, as of now