
Another Android Malware Utilizing a Root Exploit

4ndr01d

Newbie
Jan 26, 2010
Another Android malware utilizing the root exploit "Rage Against The Cage" has been found, and we detect it as Trojan:Android/DroidKungFu.A. This new malware was embedded in a trojanized application that may require root access in order to conceal itself. The infection occurs in two parts:

Infection: Part 1

The first part is the installation of a trojanized application that would gain root privilege and install the com.google.ssearch application. This application points to the Trojan:Android/DroidKungFu.A's service component that will start a service com.google.ssearch.Receiver. On the creation of this service, it will call the function getPermission() that will install an embedded APK.

droidkungfu_create.jpg


droidkungfu_getpermission.jpg


This will call checkPermission(), which will check if com.google.ssearch.apk already exists. If not, it will install the "legacy" file, which is an APK file, to "system/app" (the application folder).

droidkungfu_checkpermission.jpg


Infection: Part 2

The second part deals with the main malware component, com.google.ssearch.apk. As we may recall, this component was also present in the trojanized application.

Here is a screenshot showing the com.google.ssearch.apk installed.

droidkungfu_screen.jpg


The malware appears to have a backdoor functionality. Here are some of its capabilities that we have seen:

 
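A triage check for the two artifacts described in the post above, as an added example that is not part of the original post or of the vendor's analysis. It flags com.google.ssearch in `pm list packages -f` output and looks inside an APK for an entry named "legacy" that is itself an APK. Matching "legacy" by base name (the write-up does not give its path inside the package) and all sample inputs are assumptions constructed for illustration.

```python
import io
import zipfile

# Indicators named in the write-up above.
PACKAGE = "com.google.ssearch"
SYSTEM_DIR = "/system/app/"
EMBEDDED_NAME = "legacy"  # assumption: matched by base name, in any folder

def flag_installed(pm_output):
    """Return (package, apk_path, in_system_app) for each matching package line."""
    hits = []
    for line in map(str.strip, pm_output.splitlines()):
        if line.startswith("package:"):
            # Format is package:<apk path>=<name>; split on the last '='.
            path, _, name = line[len("package:"):].rpartition("=")
            if name == PACKAGE:
                hits.append((name, path, path.startswith(SYSTEM_DIR)))
    return hits

def embedded_apks(apk_bytes):
    """Return entries named 'legacy' that are ZIPs holding an AndroidManifest.xml."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        names = [n for n in outer.namelist()
                 if n.rsplit("/", 1)[-1] == EMBEDDED_NAME]
        for name in names:
            data = outer.read(name)
            if zipfile.is_zipfile(io.BytesIO(data)):
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    if "AndroidManifest.xml" in inner.namelist():
                        found.append(name)
    return found

def _zip(entries):
    # Helper that builds an in-memory archive for the constructed samples.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample inputs (not captured from a real device or sample).
SAMPLE_PM = """package:/system/app/Browser.apk=com.android.browser
package:/system/app/com.google.ssearch.apk=com.google.ssearch
package:/data/app/com.example.game-1.apk=com.example.game"""
INNER = _zip({"AndroidManifest.xml": b"", "classes.dex": b""})
SAMPLE_APK = _zip({"AndroidManifest.xml": b"", "assets/legacy": INNER})

if __name__ == "__main__":
    print(flag_installed(SAMPLE_PM))
    print(embedded_apks(SAMPLE_APK))
```

A hit from either function is a lead for manual analysis, not a verdict: the package name and the nested-APK pattern are the only indicators the write-up provides.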
I'm kind of a noob when it comes to these things. Is this a threat on non-rooted phones? Does it require a user to install the malicious program in the first place or can it install without user intervention? On rooted phones with the SU app installed, will this malware ask permissions from said app or does it circumvent that?
 
Upvote 0
The last batch of malicious apps were on the Market. They were copies of legit apps with slightly different names. I suspect that the current threat apps are also on the Market.

Just reinforces the safe practices everyone should use when getting apps from the Market. There is a thread on these forums (somewhere...) that lists, in great detail, how to stay safe from malware.
 
Upvote 0
My Lookout found the first batch of Droiddream. I have been running MyLookout since I saw the nifty droid commercial that said it was exclusive to the droid lol. It auto updates its list of infected apps, and other malware, and will scan my phone once a day, and any app that I download. I know a lot of people will say that a virus/spyware/malware program is useless on an android, but I would rather take that extra step. Also it has the nifty locate, lock, and sound an alarm feature that a lot of cellular insurance companies (mostly Asurion) have been adding for an extra fee, free to us (minus the lock and wipe feature, that's for premium).
 
Upvote 0
I could have sworn every release about the Droid Dream scare a few months ago stated that the malware was brought to the proper attention by MyLookout, after one of their employees discovered it and posted it on Reddit? I could be confused though...

I would rather have it and not need it, than need it and not have it. Usually when you need an antispyware/malware/anti-virus it's usually too late. Not to mention, with everybody having access to everything on their phones now, and the need for a computer has gone down a little bit, what's to stop virus writers from converting from PC to say Android or iOS formats?
 
Upvote 0
I could have sworn every release about the Droid Dream scare a few months ago stated that the malware was brought to the proper attention by MyLookout, after one of their employees discovered it and posted it on Reddit? I could be confused though...

I would rather have it and not need it, than need it and not have it. Usually when you need an antispyware/malware/anti-virus it's usually too late. Not to mention, with everybody having access to everything on their phones now, and the need for a computer has gone down a little bit, what's to stop virus writers from converting from PC to say Android or iOS formats?

Nothing TBH, but at the moment, it's not there. There are many reasons why not to have it - it is merely a placebo, offers no protection, consumes resources, slows down the phone, etc.
 
Upvote 0
Android malware gives itself root access

Connection to botnet and premium rate calls are next step
A piece of Android malware has been discovered that steals money by giving itself root access then connecting to a botnet to make premium rate texts and calls.
The malware has been named RootSmart by the research team led by Xuxian Jiang, assistant professor of NC State University's department of computer science.

Android malware gives itself root access | News | TechRadar
 
Upvote 0
