
Android/DroidKungFu.E!tr - Released Oct 25, 2011

Alias/es

Android/LeNa.A!tr

Detection Availability

                Active Database    Extended Database
FortiGate       low                high
FortiClient
FortiMail       N/A

Visible Symptoms

Abnormally high bill due to Internet connections.
Additional (malicious) packages are installed without the owner's consent.

Detailed Analysis

Android/DroidKungFu.E!tr is a malware for Android mobile phones. It poses as a VPN client application, but in the background it downloads further malware from a remote web server.
To silently install other malware, it lures the victim into rooting the phone. The "VPN client" says it needs the device to be rooted to perform its tasks, but rooting the device actually enables it to silently download and install other packages.

Figure 1. Malware requests root permission from user

Figure 2. Main screen of the malware. Explains how to root your device



Technical Details


First, the malware tests whether the device is already infected. The malware considers the device infected if the file /system/etc/.dhcpd exists and has the exact size of 18316 bytes (see the checkPrecondition() method in the VpnSettings class).
Then, it mounts the /system directory in read-write mode (checkFile() method):
/system/bin/mount -o remount, rw /dev/block/mtdblock0 /system
If the device is not infected yet (i.e. /system/etc/.dhcpd does not exist or does not have the expected size), the malware proceeds to infect the device:
  • creates a configuration file, mycfg.ini, which contains the device's IMEI, its brand (Build.BRAND), model (Build.MODEL), release (Build.VERSION.RELEASE) and SDK version (Build.VERSION.SDK) and a constant "cvpn072". This configuration file is located in the package's private directory.
    This configuration file is later copied to system directories:
    /system/bin/cat /package_dir/mycfg.ini > /system/etc/.rild_cfg
    
  • decrypts an ELF binary and writes it to the package's directory as WebView.db. The encrypted binary is located in the package's assets and named WebView.db.init. It is AES encrypted, using a hard-coded key.
    The decrypted binary is then copied to system directories:
    /system/bin/cat PACKAGEDIR/WebView.db > /system/etc/.dhcpd
    /system/bin/cat PACKAGEDIR/WebView.db > /system/xbin/ccb
    chmod 4755 /system/xbin/ccb
    
  • the decrypted binary is executed:
    /system/xbin/ccb
    
    This executable ensures it is run as root, makes sure the device is correctly infected, and then contacts a remote web server to which it sends the contents of the configuration file using a custom user agent (adlib/3).
    It downloads another package from the remote web server and installs it:
    /system/bin/pm install -r
    
    Then, it automatically starts the new package (launching the activity):
    /system/bin/am start -n
    
    It is also able to uninstall packages.
  • the temporary files of the package directory, WebView.db and mycfg.ini, are deleted
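
As an added defender-side example (not part of the Fortinet analysis), the following Python script checks a pulled copy of a device's /system tree (e.g. from `adb pull /system`) for the on-disk markers described above: the 18316-byte /system/etc/.dhcpd, the setuid /system/xbin/ccb, the .rild_cfg copy containing "cvpn072", and the two binaries being identical copies. The sample tree it builds for a dry run is constructed placeholder data, not the real binary.

```python
import os
import stat
import sys
import tempfile
from pathlib import Path

DHCPD_SIZE = 18316          # size the dropper checks in checkPrecondition()
CONFIG_MARKER = b"cvpn072"  # constant written into mycfg.ini / .rild_cfg

def check_system_tree(root):
    """Inspect a copy of /system for the markers left by the dropper."""
    root = Path(root)
    dhcpd, ccb, cfg = root / "etc/.dhcpd", root / "xbin/ccb", root / "etc/.rild_cfg"
    report = {}
    if dhcpd.is_file():
        # the malware's own infection test: file present with this exact size
        report["dhcpd_size_matches"] = dhcpd.stat().st_size == DHCPD_SIZE
    if ccb.is_file():
        # ccb is installed with chmod 4755, i.e. a setuid helper
        report["ccb_setuid"] = bool(ccb.stat().st_mode & stat.S_ISUID)
    if cfg.is_file():
        report["cfg_has_marker"] = CONFIG_MARKER in cfg.read_bytes()
    if dhcpd.is_file() and ccb.is_file():
        # both files are copies of the same decrypted ELF binary
        report["dhcpd_ccb_identical"] = dhcpd.read_bytes() == ccb.read_bytes()
    return report

def verdict(report):
    if report.get("dhcpd_size_matches"):
        return "infected"   # satisfies the dropper's own precondition
    return "suspicious" if report else "clean"  # any hidden /system artefact is worth a look

def build_constructed_sample(infected):
    """Create a throwaway /system copy. Contents are CONSTRUCTED placeholders."""
    base = Path(tempfile.mkdtemp(prefix="lena_sample_"))
    (base / "etc").mkdir()
    (base / "xbin").mkdir()
    if infected:
        fake_elf = b"\x7fELF" + b"\x00" * (DHCPD_SIZE - 4)  # right length, dummy body
        (base / "etc/.dhcpd").write_bytes(fake_elf)
        (base / "xbin/ccb").write_bytes(fake_elf)
        os.chmod(base / "xbin/ccb", 0o4755)
        (base / "etc/.rild_cfg").write_bytes(b"imei=000000000000000\nbrand=generic\n" + CONFIG_MARKER + b"\n")
    return base

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_constructed_sample(True)
    findings = check_system_tree(target)
    print(verdict(findings), findings)
```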

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 3242960