Another Android malware utilizing the root exploit "Rage Against The Cage" has been found. We were able to find a sample ourselves, and we now detect it as Trojan:Android/DroidKungFu.A.
This new malware was embedded on a trojanized application that may require a root access in order to conceal itself. The infection occurs in two parts:
Infection: Part 1
The first part is the installation of a trojanized application that would gain root privilege and install the com.google.ssearch application. This application points to the Trojan:Android/DroidKungFu.A's service component that will start a service com.google.ssearch.Receiver. On the creation of this service, it will call the function getPermission() that will install an embedded APK.
This will call for checkPermission() that will check if com.google.ssearch.apk already exists. If not, it will install the "legacy" file, which is an APK file, to the "system/app" (the application folder).
Infection: Part 2
The second part deals with the main malware component, com.google.ssearch.apk. As we may recall, this component was also present in the trojanized application.
Here is a screenshot showing the com.google.ssearch.apk installed.
The malware appears to have a backdoor functionality. Here are some of its capabilities that we have seen:
• execDelete — execute command to delete a supplied file • execHomepage — execute a command to open a supplied homepage • execInstall — download and install a supplied APK • execOpenUrl — open a supplied URL • execStartApp — run or start a supplied application package
Trojan:Android/DroidKungFu.A can also obtain the following information and post it to a remote server:
• imei — IMEI number • ostype — Build version release, e.g., 2.2 • osapi — SDK version • mobile — users' mobile number • mobilemodel — Phone model • netoperator — Network Operator • nettype — Type of Net Connectivity • managerid — hard-coded value which is "sp033" • sdmemory — SD card available memory • aliamemory — Phone available memory
Root is set to 1 as to signify with root, and these information are then sent to "http://search.gong[...].php."
The malware obtains the commands from "http://search.gong[...].php" by posting in the "imei," "managerid" and root value. It also reports the status of the commands on "http://search.gong[...].php" by posting in "imei," "taskid," "state" and "comment."
Threat Solutions post by — Zimry
Updated to clarify: The original discovery of the trojan was by a research team at North Carolina State University. We were able to independently find a sample for our own analysis.