
Riskware/DroidDeluxe!Android - Released Sep 08, 2011 - Last Updated Sep 12, 2011

Detection Availability

                Active Database    Extended Database
FortiGate       low                high
FortiClient
FortiMail       N/A

Visible Symptoms

An application named "Recovery Deluxe" is present on the phone.

Detailed Analysis

Riskware/DroidDeluxe!Android is a rooting tool for Android mobile phones. Once launched, it runs an exploit that affects Android versions prior to 2.3. The exploit is used to root the phone; the application then makes several system databases on the device, including the email settings and Google account databases, readable and writable by every user and application on the phone.
The application shows no other malicious behaviour: it does not send the recovered passwords off the device, does not start a backdoor server on the phone, and does not corrupt the phone's databases.
It is therefore a borderline application, which we nevertheless detect as Riskware for two reasons:
  1. It relies on a privilege-escalation EXPLOIT to do its work, which is bad practice regardless of the author's intent.
  2. Once the phone is rooted and those databases are world-writable, the phone's security is weakened. Any other malware on the device can take advantage of that state to read or alter the victim's data.



Technical Details


Riskware/DroidDeluxe!Android installs as a regular application on the phone. The application launches only when the end-user presses its icon (see Figure 1).

Figure 1. Icon for Riskware/DroidDeluxe

Figure 2. Splash screen for Riskware/DroidDeluxe
The application then tests whether it has write access to the email database. If it does not, it concludes that the device needs to be rooted.
It extracts three raw resources from its package onto the device and makes them world-accessible (chmod 777):
  • busybox (the embedded swiss-army-knife tool)
  • password: the "CVE-2010-EASY" exploit (the name its author gave it; it is not an assigned CVE identifier)
  • special: a small native executable that:
    • prints the current effective UID (EUID) and UID
    • sets the EUID and UID to 0, which corresponds to the root account
    • sets all permissions (chmod 0777) on the following databases:
      /data/system/accounts.db
      /data/data/com.android.email/databases/EmailProvider.db
      /data/data/com.android.providers.contacts/databases/contacts2.db
      /data/data/com.android.providers.settings/databases/settings.db
      /data/data/com.android.providers.telephony/databases/mmssms.db
      /dbdata/databases/com.android.email/EmailProvider.db
      /dbdata/databases/com.android.providers.contacts/contacts2.db
      /dbdata/databases/com.android.providers.settings/settings.db
      /dbdata/databases/com.android.providers.telephony/mmssms.db

With the databases now readable by its own UID, the application searches them for account credentials. The information it "recovers" is displayed to the user in a list:
  • Email credentials: taken from the columns address, login and password of table HostAuth in database EmailProvider.db
  • Google account credentials: taken from the columns name, password and type of table accounts in database accounts.db
The application also keeps an internal settings file at
/data/data/com.pocketluxus.recovery/shared_prefs/settings.xml
This file records the application's current status (whether or not the phone is being rooted).
In addition, the application reports some non-sensitive data (device brand, display, manufacturer, model and application version) via Google Analytics.
The application also offers the capability of contacting the authors by email. The subject of the email is "Recovery Deluxe" and it is sent to [CENSORED]xus@gmail.com. The email does not include any particular information.
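As a triage aid, the following added example (it is not code from this write-up nor from the application itself) checks for the state the tool leaves behind. It takes the text returned by `adb shell ls -l <path>` for each of the database paths listed above, flags every database whose permission string grants write access to "other" (the effect of the chmod 0777 performed by the "special" binary), and reports whether the application's settings.xml exists. The sample transcript, including its owner names, sizes and timestamps, is constructed for the example; the database paths and the package name com.pocketluxus.recovery come from the write-up.

```python
import re

# Databases the "special" binary sets to mode 0777 (paths from the write-up).
SENSITIVE_DBS = [
    "/data/system/accounts.db",
    "/data/data/com.android.email/databases/EmailProvider.db",
    "/data/data/com.android.providers.contacts/databases/contacts2.db",
    "/data/data/com.android.providers.settings/databases/settings.db",
    "/data/data/com.android.providers.telephony/databases/mmssms.db",
    "/dbdata/databases/com.android.email/EmailProvider.db",
    "/dbdata/databases/com.android.providers.contacts/contacts2.db",
    "/dbdata/databases/com.android.providers.settings/settings.db",
    "/dbdata/databases/com.android.providers.telephony/mmssms.db",
]

# Status file the application keeps (path from the write-up). Its presence is
# a simple indicator that Recovery Deluxe has been installed and run.
DROIDDELUXE_PREFS = "/data/data/com.pocketluxus.recovery/shared_prefs/settings.xml"

# Leading mode field of an `ls -l` line: type character plus nine permission
# characters (s/S/t/T cover the setuid, setgid and sticky bits).
_MODE_RE = re.compile(r"^[-dlcbps][rwxsStT-]{9}(?=\s)")


def parse_mode(ls_line):
    """Return the 10-character mode field of an `ls -l` line, or None when the
    line is not a listing (for example 'No such file or directory')."""
    m = _MODE_RE.match(ls_line.strip())
    return m.group(0) if m else None


def mode_to_octal(mode):
    """Turn the nine permission characters into the numeric mode chmod uses
    (rwxrwxrwx -> 0o777, rw-rw---- -> 0o660). Special bits are ignored."""
    bits = 0
    for ch in mode[1:]:
        bits = (bits << 1) | (ch not in "-ST")  # S/T: special bit set, no execute
    return bits


def is_world_writable(mode):
    """True when the 'other' write bit is set, which chmod 0777 guarantees."""
    return mode[8] == "w"


def find_exposed(listing):
    """listing maps a path to the output of `adb shell ls -l <path>`.
    Returns (path, octal mode) for every sensitive database that is
    world-writable; databases that are missing or not listed are skipped."""
    exposed = []
    for path in SENSITIVE_DBS:
        mode = parse_mode(listing.get(path, ""))
        if mode is not None and is_world_writable(mode):
            exposed.append((path, oct(mode_to_octal(mode))))
    return exposed


def droiddeluxe_present(listing):
    """True when the application's settings.xml exists on the device."""
    return parse_mode(listing.get(DROIDDELUXE_PREFS, "")) is not None


# Constructed sample transcript (not captured from a real device): toolbox-style
# `ls -l` output per path, mixing databases left at 0777 with untouched ones
# and one path that does not exist on this phone.
SAMPLE_LISTING = {
    "/data/system/accounts.db":
        "-rwxrwxrwx system   system      16384 2011-09-08 10:02 accounts.db",
    "/data/data/com.android.email/databases/EmailProvider.db":
        "-rwxrwxrwx app_17   app_17      45056 2011-09-08 10:02 EmailProvider.db",
    "/data/data/com.android.providers.contacts/databases/contacts2.db":
        "-rw-rw---- app_5    app_5      204800 2011-09-07 18:40 contacts2.db",
    "/data/data/com.android.providers.settings/databases/settings.db":
        "-rw-rw---- system   system      20480 2011-09-07 18:40 settings.db",
    "/data/data/com.android.providers.telephony/databases/mmssms.db":
        "-rw-rw---- radio    radio       65536 2011-09-07 18:40 mmssms.db",
    "/dbdata/databases/com.android.email/EmailProvider.db":
        "/dbdata/databases/com.android.email/EmailProvider.db: No such file or directory",
    DROIDDELUXE_PREFS:
        "-rw-rw---- app_42   app_42        312 2011-09-08 10:01 settings.xml",
}

if __name__ == "__main__":
    if droiddeluxe_present(SAMPLE_LISTING):
        print("Recovery Deluxe settings file present:", DROIDDELUXE_PREFS)
    for path, mode in find_exposed(SAMPLE_LISTING):
        print("world-writable:", mode, path)
```

On a real device, build the listing by running `adb shell ls -l <path>` once per entry in SENSITIVE_DBS and storing the output under that path. The unprivileged shell user normally cannot read the database contents, so the permission string, not the content, is the signal: an "other" write bit on any of these files means the protection the platform relies on is gone, whether or not the rooting tool is still installed.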

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 3081835