Android/DroidKungFu.A!tr
Analysis
Android/DroidKungFu.A!tr targets mobile phones running Android 2.0 or greater. The infected phone is controlled by a remote server from which it may receive and process a few commands such as:
- execDelete: uninstall a given package
- execInstall: download a given package and install it
- execOpenUrl: open a given URL in the phone's browser
- execStartApp: start a given application
This malware has been reported on unofficial Android markets.
Technical Details
The malicious classes are located in the application under the package path com.google.ssearch (note the double s: ssearch, not search).
Firstly, the malware tries to root the phone, i.e. gain root access to the device. To do so, it uses two public exploits:
- CVE-2009-1185 "udev" (shipped as the binary gjsvro): udev did not verify that NETLINK hotplug messages came from the kernel, so an unprivileged local process can send a crafted hotplug event that makes udev execute a program of its choosing as root.
- "CVE-2010-EASY" rageagainstthecage (shipped as the binary ratc): the CVE-style label is the one its authors gave it, not an assigned CVE identifier. The exploit forks until the user's process limit (RLIMIT_NPROC) is exhausted, so that when adbd restarts its setuid() call to drop privileges fails; because that return value was not checked, adbd keeps running as root and hands out a root shell.
Recent Android versions (2.3 or greater) are patched against both vulnerabilities, but there are still numerous phones in the wild without the fix.
The exploit binaries (ratc and gjsvro) are bundled in the APK's assets directory, AES-encrypted with a hard-coded key. At run time the malware decrypts them, copies them onto the device, marks them executable and setuid (chmod 4755), and then runs them, hoping to gain root access.
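The following Python script is an added example (it is not code from Fortinet or from the malware itself) that applies two of the traits just described to an APK for static triage: it looks for class descriptors under com.google.ssearch in any dex file in the archive, and it flags assets that are either named ratc/gjsvro or have the near-8-bits-per-byte entropy expected of AES ciphertext. The sample APK it builds for itself is constructed for the demonstration; the entropy threshold and the dex descriptor form are assumptions of the example, not facts from the page.

```python
"""
Added static-triage example for the traits described above. The sample APK built
by build_sample_apk() is constructed for this demonstration and is not taken from
the real malware.
"""
import io
import math
import random
import zipfile
from collections import Counter

SUSPICIOUS_CLASS_PREFIX = b"Lcom/google/ssearch/"  # dex class descriptors use this form (assumption: any dex in the APK)
KNOWN_ASSET_NAMES = {"ratc", "gjsvro"}              # exploit binary names reported in the analysis
ENTROPY_THRESHOLD = 7.5                             # bits/byte; AES ciphertext sits close to 8.0 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Return findings for one APK supplied as raw bytes."""
    findings = {"ssearch_classes": False, "suspicious_assets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            # classes.dex, classes2.dex, ... are all scanned for the descriptor prefix.
            if name.endswith(".dex") and SUSPICIOUS_CLASS_PREFIX in data:
                findings["ssearch_classes"] = True
            if name.startswith("assets/") and not name.endswith("/"):
                base = name.rsplit("/", 1)[-1]
                ent = shannon_entropy(data)
                # A known exploit filename or an encrypted-looking blob is worth a closer look.
                if base in KNOWN_ASSET_NAMES or ent >= ENTROPY_THRESHOLD:
                    findings["suspicious_assets"].append(
                        {"name": name, "entropy": round(ent, 2), "size": len(data)}
                    )
    return findings


def build_sample_apk() -> bytes:
    """Constructed test APK: a fake dex referencing the ssearch package, one
    pseudo-random (encrypted-looking) asset and one plain-text asset."""
    rng = random.Random(1)  # fixed seed so the sample is reproducible
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0" + b"Lcom/google/ssearch/SearchService;" + b"\0" * 64)
        z.writestr("assets/ratc", rng.randbytes(4096))        # stands in for the AES-encrypted exploit
        z.writestr("assets/readme.txt", b"plain text asset " * 64)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

On a real sample, pass the bytes of the APK file to triage_apk(); the entropy check is what catches an encrypted exploit even if the author renames the asset, while the class-descriptor check catches the package path regardless of what the assets are called.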
The malware reports the phone's system data to a remote web server at http://[REMOVED]id.com:8511/search/rpty.php. In particular, it sends an HTTP POST carrying the victim's IMEI, a taskid, a state and a comment.
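As an added example (not from the original page or the malware), the following Python matcher flags the check-in request described above in captured HTTP traffic: a POST to a path ending in /search/rpty.php whose body carries the imei, taskid, state and comment fields. The port is reported rather than required, since an operator can change it cheaply. The sample requests are constructed, the hostname c2.example.com stands in for the redacted C2 host, and the lowercase form-encoded parameter names are an assumption; the page only names the fields.

```python
"""
Added detection example for the DroidKungFu check-in POST. Sample traffic below is
constructed, not captured from the real malware.
"""
from urllib.parse import parse_qs

CHECKIN_PATH = "/search/rpty.php"                         # C2 path named in the analysis
CHECKIN_PORT = 8511                                       # C2 port named in the analysis
CHECKIN_FIELDS = {"imei", "taskid", "state", "comment"}   # assumed form field names


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body.decode("latin-1")}


def host_port(headers: dict):
    """Split the Host header into (host, port); port defaults to 80."""
    host = headers.get("host", "")
    if ":" in host:
        name, port = host.rsplit(":", 1)
        return name, int(port)
    return host, 80


def match_checkin(raw: bytes):
    """Return a dict describing the match, or None when the request is not a check-in."""
    req = parse_http_request(raw)
    if req["method"] != "POST":
        return None
    path = req["target"].split("?", 1)[0]          # ignore any query string
    if not path.endswith(CHECKIN_PATH):
        return None
    values = parse_qs(req["body"], keep_blank_values=True)   # blank comment= still counts
    if not CHECKIN_FIELDS <= set(values):
        return None
    host, port = host_port(req["headers"])
    return {
        "host": host,
        "port_matches": port == CHECKIN_PORT,
        "imei": values["imei"][0],
        "taskid": values["taskid"][0],
    }


def scan(requests):
    """Indices of the requests that look like check-ins."""
    return [i for i, r in enumerate(requests) if match_checkin(r) is not None]


# Constructed sample traffic (c2.example.com stands in for the redacted host).
SAMPLES = [
    b"POST /search/rpty.php HTTP/1.1\r\nHost: c2.example.com:8511\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 52\r\n\r\n"
    b"imei=123456789012345&taskid=1&state=0&comment=rooted",
    b"GET /search/rpty.php?imei=123456789012345 HTTP/1.1\r\nHost: c2.example.com:8511\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: shop.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&pass=hunter2",
    b"POST /search/rpty.php HTTP/1.1\r\nHost: c2.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"imei=356938035643809&taskid=7&state=1&comment=",
]

if __name__ == "__main__":
    for i in scan(SAMPLES):
        print(i, match_checkin(SAMPLES[i]))
```

The fourth sample matches even though it goes to port 80; the returned port_matches flag lets a triage script rank it below a request that also hits port 8511, without losing the hit if the C2 moves.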
The malware also installs another package, com.google.ssearch.SearchService, and starts the service.
Recommended Action
- FortiGate Systems
  - Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
- FortiClient Systems
  - Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |