Our Threat Solutions team discovered an interesting threat using a novel "infection vector" for Android today.
Back in July, they analyzed Spyware:Android/SndApps, which, after an update, is able access various bits of personal information. Before the update, it only requests the "Internet" permission. It seems probable to us that users are less likely to carefully review permissions for an update of an application that is already installed on their smartphone.
So with this permission escalation via an update method in mind, the team has been monitoring for malicious applications attempting the same trick. And today… they found one.
Analysis is currently underway.
What we can currently tell you is that the original application (downloaded from a third-party market) is free of malicious code. Once installed, the application immediately informs the users that an update is available — and that "update" — installs a variant of Trojan:Android/DroidKungFu.
There's still some question as to whether the original application developer actually intends for their application to be a used as a DroidKungFu downloader. Possibly, the developer's back end has been compromised.
We detect the applications as Trojan-Downloader:Android/DroidKungFu.E and Trojan:Android/DroidKungFu.C.
We'll have additional technical details and screenshots on this "update attack" in a subsequent post.