Android/DroidKungFu.B!tr - Released Jul 04, 2011 - Last Updated Jul 08, 2011

Alias/es

DroidKungFu2

Detection Availability

                Active Database    Extended Database
FortiGate       low                high
FortiClient
FortiMail       N/A

Visible Symptoms

Abnormally high bill due to Internet connections made by the malware.

Detailed Analysis

Android/DroidKungFu.B!tr is a variant of Android/DroidKungFu.A!tr.
It carries essentially the same malicious payload, but assumes the phone is already rooted and therefore does not embed exploits to root it. Furthermore, this variant places part of its malicious payload in native executable code, so as to make reverse engineering more difficult.

Technical Details

The malicious native part consists of two files: an executable named /system/xbin/ccd and a configuration file named /system/etc/.rild_cfg (deceptive names in both cases). So, first, the malware must drop those two files under /system, which isn't normally writable by applications. To do so, it uses a technique well known from rooting tools: it re-mounts the /system partition in read-write mode. Then, it simply copies the files from the package's assets using either the Unix cp command or cat, as root. It also copies other non-malicious files such as busybox (the embedded device's Swiss army knife).
Then, the malware launches the native executable. Reverse engineering it is more difficult (which is why the malware authors did it that way), but this is what we worked out.

The malware is able to communicate with a remote web server, from which it downloads a new malicious package to install. The URL of the remote web server is read from the configuration file (.rild_cfg). The malware appends some information to that URL, such as the phone's IMEI, a task id, a state and a comment. Then, it sends an HTTP GET request, using the appropriate HTTP proxy and port if necessary. The HTTP response (a malicious APK) is marked as executable and owned by root. Specifically, the native code re-mounts the system partition read-write (to be able to operate in /system directories: mount -t yaffs2 -o rw /dev/block/mtdblock6 /system), clears the file's immutable attribute (chattr -i), sets executable permissions (chmod 755), changes ownership to root (chown 0), and re-mounts as read-only.
The malware also performs a few other tasks that we haven’t been able to put together yet. Notably, it checks the PID of its parent and either forks the process or checks whether /system/etc/.dhcpd exists, and if so, makes sure to kill (kill -9) /system/bin/dhcpd (DHCP daemon) and /system/bin/installd (Android’s package installer daemon).
We also noticed it embeds the commands to install or uninstall a package (/system/bin/pm install -r, /system/bin/pm uninstall), or even start an activity (/system/bin/am start). We assume it is installing the package it downloaded from the remote server (and perhaps uninstalling the previous version) but we haven’t found the exact code that does it.
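The dropped files, the read-write /system mount and the .dhcpd marker described above are all visible from the device itself. The following triage helper is an added example, not part of the Fortinet write-up: it parses output an analyst would capture with commands such as `adb shell cat /proc/mounts` and `adb shell ls -a /system/etc /system/xbin` and reports which of these artefacts are present. The sample output embedded below is constructed for the example.

```python
"""Triage helper for the on-device artefacts attributed to Android/DroidKungFu.B.
Added example, not Fortinet's code. Input is captured text from the device;
the sample output at the bottom is constructed to resemble an infected device."""

# Paths named in the analysis. busybox is also dropped but is not malicious
# by itself, so it is deliberately not listed here.
DROPPED_FILES = {
    "/system/xbin/ccd": "native payload (deceptive name)",
    "/system/etc/.rild_cfg": "hidden config file holding the remote server URL",
    "/system/etc/.dhcpd": "marker the binary checks before killing dhcpd and installd",
}


def system_mounted_rw(proc_mounts: str) -> bool:
    """True if /system is currently mounted read-write.
    A stock device keeps /system read-only; the malware re-mounts it rw
    (mount -t yaffs2 -o rw ... /system) to drop its files."""
    for line in proc_mounts.splitlines():
        fields = line.split()
        # /proc/mounts format: <device> <mountpoint> <fstype> <options> <dump> <pass>
        if len(fields) >= 4 and fields[1] == "/system":
            return "rw" in fields[3].split(",")
    return False


def find_dropped_files(listing: str) -> dict:
    """Parse `ls -a <dir> <dir>` style output ('<dir>:' header lines followed by
    one entry per line) and return the suspicious paths that are present."""
    found = {}
    current_dir = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current_dir = line[:-1]
            continue
        if current_dir is None:
            continue
        path = current_dir.rstrip("/") + "/" + line
        if path in DROPPED_FILES:
            found[path] = DROPPED_FILES[path]
    return found


def triage(proc_mounts: str, listing: str) -> list:
    """Return human-readable findings; an empty list means nothing was seen."""
    findings = []
    if system_mounted_rw(proc_mounts):
        findings.append("/system is mounted read-write")
    for path, why in sorted(find_dropped_files(listing).items()):
        findings.append(f"{path} present: {why}")
    return findings


# Constructed sample output (not from a real device).
SAMPLE_MOUNTS = """\
rootfs / rootfs ro 0 0
/dev/block/mtdblock6 /system yaffs2 rw,relatime 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev,relatime 0 0
"""

SAMPLE_LISTING = """\
/system/etc:
.
..
.rild_cfg
hosts

/system/xbin:
.
..
busybox
ccd
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_MOUNTS, SAMPLE_LISTING):
        print("[!]", finding)
```

Run against the constructed sample, the helper reports the read-write /system mount and the two dropped files; on a clean device it returns nothing. A persistent read-write /system on a device that is not being serviced is a strong signal on its own, since the native code remounts read-only again only after it finishes.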
In short, the native code:
  • contacts remote web servers
  • downloads and installs malicious packages
  • kills the DHCP and installd daemon of the phone
It contacts the following remote URLs:
http://[REMOVED]gfu-android.com:8511/search/
http://[REMOVED]18.com:8511/search/
http://[REMOVED]169.com:8511/search/
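The three URLs share a port (8511) and a path (/search/), and the analysis states that the device's IMEI and a few other values are appended as the query string. The following network-side check is an added example, not part of the Fortinet write-up: it scans proxy log lines for GET requests that fit that beaconing pattern. The log format and the sample lines are constructed, the hostnames are placeholders, and the query parameter names are assumptions (the write-up does not name them), which is why the check looks for any 15-digit IMEI-like query value rather than a fixed parameter name.

```python
"""Flag HTTP requests matching the DroidKungFu.B beaconing pattern described above.
Added example, not Fortinet's code. Log format, hostnames and sample lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

IMEI_RE = re.compile(r"^\d{15}$")   # IMEIs are 15 decimal digits
C2_PORT = 8511                      # port used by all three URLs in the analysis
C2_PATH = "/search/"                # path used by all three URLs in the analysis


def parse_line(line: str):
    """Constructed log format: '<timestamp> <client_ip> <METHOD> <url> <status>'.
    Adjust this function for a real proxy's format; the rest is format-independent."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def matches_beacon(url: str):
    """Return the matched indicators for a URL, or None if it does not fit the pattern:
    plain HTTP, port 8511, path under /search/, and at least one 15-digit query value."""
    u = urlsplit(url)
    try:
        port = u.port
    except ValueError:
        return None
    if u.scheme != "http" or port != C2_PORT or not u.path.startswith(C2_PATH):
        return None
    qs = parse_qs(u.query)
    imei_params = [k for k, vals in qs.items() if any(IMEI_RE.match(v) for v in vals)]
    if not imei_params:
        return None
    return {"host": u.hostname, "imei_params": imei_params}


def scan(log_text: str) -> list:
    """Return one record per log line that looks like the beacon."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        indicators = matches_beacon(rec["url"])
        if indicators is not None:
            hits.append({**rec, **indicators})
    return hits


# Constructed sample log: lines 2 and 4 fit the pattern, line 3 uses the same
# port and path but carries no device identifier and is left alone.
SAMPLE_LOG = """\
2011-07-04T10:00:01Z 10.0.0.12 GET http://www.example.com/index.html 200
2011-07-04T10:00:05Z 10.0.0.12 GET http://c2-placeholder.invalid:8511/search/?imei=123456789012345&taskid=1&state=0&comment= 200
2011-07-04T10:00:09Z 10.0.0.13 GET http://www.example.com:8511/search/?q=shoes 200
2011-07-04T10:01:00Z 10.0.0.12 GET http://other-placeholder.invalid:8511/search/?tid=7&id=490154203237518 200
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} (identifier in {hit['imei_params']})")
```

Requiring the IMEI-like value keeps unrelated traffic on port 8511 out of the results, at the cost of missing a variant that encodes the identifier differently; if the log source also records the proxy the client used, the same check applies, since the write-up notes the native code honours a configured HTTP proxy.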

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 2853143