Another Android malware utilizing the root exploit "Rage Against The Cage" has been found, and we detect it as Trojan:Android/DroidKungFu.A. This new malware is embedded in a trojanized application and may require root access in order to conceal itself. The infection occurs in two parts:
Infection: Part 1
The first part is the installation of a trojanized application that gains root privilege and installs the com.google.ssearch application. The trojanized application points to Trojan:Android/DroidKungFu.A's service component, which starts the service com.google.ssearch.Receiver. When this service is created, it calls the function getPermission(), which installs an embedded APK.
getPermission() in turn calls checkPermission(), which checks whether com.google.ssearch.apk already exists. If it does not, the malware installs the "legacy" file, which is an APK file, into /system/app (the system application folder).
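As an added example (not code from the original post or from the malware), the two checks below look for the indicators just described from a defender's side: the dropped com.google.ssearch package and /system/app APK in `pm list packages -f` and `ls /system/app` output, and an APK that carries another APK (the "legacy" payload) inside it. The `assets/legacy` path, the adb output and the sample APKs are constructed for illustration and are not taken from the write-up.

```python
import io
import zipfile

# Indicators taken from the write-up.
IOC_PACKAGE = "com.google.ssearch"
IOC_SYSTEM_APK = "/system/app/com.google.ssearch.apk"
IOC_EMBEDDED_NAME = "legacy"  # name of the embedded payload APK in the dropper

def find_installed_iocs(pm_output: str, system_app_listing: str) -> list:
    """Flag the dropped package / file in output captured from
    `adb shell pm list packages -f` and `adb shell ls /system/app`."""
    hits = []
    for line in pm_output.splitlines():
        # pm prints 'package:<apk path>=<package name>'
        if line.startswith("package:") and line.rsplit("=", 1)[-1] == IOC_PACKAGE:
            hits.append(f"installed package {IOC_PACKAGE}")
    if IOC_SYSTEM_APK.rsplit("/", 1)[-1] in system_app_listing.split():
        hits.append(f"dropped APK at {IOC_SYSTEM_APK}")
    return hits

def find_embedded_apks(apk_bytes: bytes) -> list:
    """Return names of entries inside an APK that are themselves APKs
    (a ZIP containing AndroidManifest.xml), which is how the 'legacy'
    payload travels inside the trojanized carrier application."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            data = outer.read(info.filename)
            if not data.startswith(b"PK\x03\x04"):
                continue  # cheap ZIP magic-byte filter before a full parse
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    if "AndroidManifest.xml" in inner.namelist():
                        found.append(info.filename)
            except zipfile.BadZipFile:
                pass  # PK prefix but not a parseable archive
    return found

def _build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed samples: a carrier APK with a payload APK stored under
# assets/legacy (assumed location), plus fake adb output for the checks.
PAYLOAD = _build_zip({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035"})
DROPPER = _build_zip({"AndroidManifest.xml": b"<manifest/>",
                      "assets/" + IOC_EMBEDDED_NAME: PAYLOAD, "res/icon.png": b"\x89PNG"})
SAMPLE_PM = ("package:/system/app/com.google.ssearch.apk=com.google.ssearch\n"
             "package:/data/app/com.example.game-1.apk=com.example.game")
SAMPLE_LS = "Browser.apk\ncom.google.ssearch.apk\nSettings.apk"

if __name__ == "__main__":
    print(find_installed_iocs(SAMPLE_PM, SAMPLE_LS))  # both indicators present
    print(find_embedded_apks(DROPPER))                # ['assets/legacy']
```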
Infection: Part 2
The second part deals with the main malware component, com.google.ssearch.apk. As noted above, this component was also present in the trojanized application.
Here is a screenshot showing the com.google.ssearch.apk installed.
The malware appears to have backdoor functionality. Here are some of the capabilities we have seen: