
Another Android Malware Utilizing a Root Exploit

Discussion in 'Android Lounge' started by 4ndr01d, Jun 7, 2011.

  1. 4ndr01d

    4ndr01d Newbie
    Thread Starter
    Another Android malware utilizing the root exploit "Rage Against The Cage" has been found, and we detect it as Trojan:Android/DroidKungFu.A. This new malware was embedded in a trojanized application that may require root access in order to conceal itself. The infection occurs in two parts:

    Infection: Part 1

    The first part is the installation of a trojanized application that would gain root privilege and install the com.google.ssearch application. This application points to the Trojan:Android/DroidKungFu.A's service component that will start a service com.google.ssearch.Receiver. On the creation of this service, it will call the function getPermission() that will install an embedded APK.

    This will call for checkPermission() that will check if com.google.ssearch.apk already exists. If not, it will install the "legacy" file, which is an APK file, to the "system/app" (the application folder).

    Infection: Part 2

    The second part deals with the main malware component, com.google.ssearch.apk. As we may recall, this component was also present in the trojanized application.

    Here is a screenshot showing the com.google.ssearch.apk installed.

    The malware appears to have a backdoor functionality. Here are some of its capabilities that we have seen:

     

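An added example, not part of the original post or of the vendor's analysis: a static check for the pattern described above, an APK that carries a second APK under a non-APK name such as "legacy", plus a check of a saved file listing for the installed component. The `assets/` location, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Names taken from the post above; everything else is an assumption of this example.
IOC_PACKAGE = "com.google.ssearch"
IOC_SYSTEM_APK = "/system/app/com.google.ssearch.apk"
MAX_ENTRY_BYTES = 64 * 1024 * 1024  # do not unpack oversized entries

def _manifest_mentions(manifest: bytes, package: str) -> bool:
    # Compiled manifests store strings as UTF-8 or UTF-16LE, so try both.
    return package.encode("utf-8") in manifest or package.encode("utf-16-le") in manifest

def find_embedded_apks(apk_bytes: bytes) -> list[dict]:
    """Return entries of an APK that are themselves APKs, whatever their file name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.file_size > MAX_ENTRY_BYTES:
                continue
            data = outer.read(info)
            if not data.startswith(b"PK\x03\x04"):
                continue  # not a ZIP container
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    if "AndroidManifest.xml" not in inner.namelist():
                        continue  # a ZIP, but not an APK
                    manifest = inner.read("AndroidManifest.xml")
            except zipfile.BadZipFile:
                continue
            findings.append({"entry": info.filename,
                             "disguised": not info.filename.lower().endswith(".apk"),
                             "ioc_package": _manifest_mentions(manifest, IOC_PACKAGE)})
    return findings

def system_app_hit(listing: list[str]) -> bool:
    """True if a saved file listing contains the installed component's path."""
    return any(line.strip() == IOC_SYSTEM_APK for line in listing)

def build_sample() -> bytes:
    """Constructed, harmless sample: an outer ZIP carrying an inner ZIP named 'legacy'."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", "package=com.google.ssearch".encode("utf-16-le"))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("assets/legacy", inner.getvalue())
        z.writestr("res/raw/notes.txt", b"plain text")
    return outer.getvalue()
```

An embedded APK is not malicious by itself; the `disguised` and `ioc_package` fields are what make a finding worth a closer look.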
  2. A.Nonymous

    A.Nonymous Extreme Android User
    I'm kind of a noob when it comes to these things. Is this a threat on non-rooted phones? Does it require a user to install the malicious program in the first place or can it install without user intervention? On rooted phones with the SU app installed, will this malware ask permissions from said app or does it circumvent that?
     
  3. AndroidSPCS

    AndroidSPCS Android Expert
    I suspect this is a risk only if you side-load apps from an unfamiliar source. OP please correct me if I'm wrong.
     
  4. jerofld

    jerofld Fixing stuff is not easy
    The last batch of malicious apps were on the Market. They were copies of legit apps with slightly different names. I suspect that the current threat apps are also on the Market.

    Just reinforces the safe practices everyone should use when getting apps from the Market. There is a thread on these forums (somewhere...) that lists, in great detail, how to stay safe from malware.
     
  5. wayrad

    wayrad Android Expert
    What is the precise meaning of "found" in this context?

    From the following link (caution: hilarious machine translation ahead) it looks like it's not in the Market: http://www.asbigo.com/android/android-droiddream-nightmare-continues/
     
  6. AndroidSPCS

    AndroidSPCS Android Expert
  7. Questkev

    Questkev Newbie
    My Lookout found the first batch of Droiddream. I have been running MyLookout since I saw the nifty droid commercial that said it was exclusive to the droid lol. It auto updates its list of infected apps, and other malware, and will scan my phone once a day, and any app that I download. I know a lot of people will say that a virus/spyware/malware program is useless on an android, but I would rather take that extra step. Also it has the nifty locate, lock, and sound an alarm feature that a lot of cellular insurance companies (mostly Asurion) have been adding for an extra fee, free to us (minus the lock and wipe feature, that's for premium).
     
  8. A.Nonymous

    A.Nonymous Extreme Android User
    Lookout is generally worthless and they weren't the first ones to find Droid dream. Anti-virus programs on any mobile platform are basically scareware at this point.
     
  9. Questkev

    Questkev Newbie
    I could have sworn every release about the Droid Dream scare a few months ago stated that the malware was brought to the proper attention by MyLookout, after one of their employees discovered it and posted it on Reddit? I could be confused though...

    I would rather have it and not need it, than need it and not have it. Usually when you need an antispyware/malware/anti-virus it's usually too late. Not to mention, with everybody having access to everything on their phones now, and the need for a computer has gone down a little bit, what's to stop virus writers from converting from pc to say android or iOS formats?
     
  10. A.Nonymous

    A.Nonymous Extreme Android User
    Nothing TBH, but at the moment, it's not there. There are many reasons why not to have it - it is merely a placebo, offers no protection, consumes resources, slows down the phone, etc.
     
  11. socrates0

    socrates0 Android Enthusiast

    Android malware gives itself root access

    Connection to botnet and premium rate calls are next step
    Android malware gives itself root access | News | TechRadar
     
  12. A.Nonymous

    A.Nonymous Extreme Android User
    The only way you can get it is from side loading or from a Chinese marketplace, not the official market.
     
  13. socrates0

    socrates0 Android Enthusiast

    Yes, as of now :)
     
