Riskware/KingRoot!Android

Analysis

Riskware/KingRoot!Android is riskware that targets Android mobile devices.
It helps the end user root his/her device using known exploits (GingerBreak, RageAgainstTheCage, etc.), which may pose a security issue.

Technical Details


The malicious application is typically named ?? ROOT.
It comes packaged as com.kingroot.RushRoot.
To root the device,
  • it mounts the system partition read-write
  • copies su to /system/bin
  • installs superuser.apk
  • loads its own native library, libkingroot-jni.so, to handle the creation of subprocesses, decode the URL below (base64-encoded) and compute MD5 or SHA-1 hashes.
  • posts (HTTP) to: http://[CENSORED]t.gotoip1.com/data_record.php
    where parameters posted include the phone's model, release version and IMEI. Although it is not recommended to post an IMEI to a remote server, this is common and we do not detect the sample as malicious for this action.
  • runs rooting exploits such as CVE-2010-EASY and gingerbreak
  • finally uninstalls itself (removing packages com.noshufou.android.su or com.kingroot.RootManager)
The riskware contains the following files:
res/anim/scan.xml
res/drawable/alert.png
res/drawable/finishroot_button_selector.xml
res/drawable/oneroot_button_selector.xml
res/drawable/perm_button_selector.xml
res/drawable/progressbar_style.xml
res/drawable/success_finishroot_button_selector.xml
res/drawable/temp_button_selector.xml
res/drawable/wait.xml
res/layout/item_root_procedure.xml
res/layout/layout_progressbar.xml
res/layout/root_failed.xml
res/layout/root_perm_successed.xml
res/layout/root_prepare.xml
res/layout/root_ready.xml
res/layout/root_running.xml
res/layout/root_temp_successed.xml
res/raw/busybox
res/raw/gingerbreak
res/raw/gotroot
res/raw/installroot
res/raw/rageagainstthecage
res/raw/su
res/raw/superuser.apk
AndroidManifest.xml
resources.arsc
res/drawable-hdpi/android_machine.png
res/drawable-hdpi/background.9.png
res/drawable-hdpi/bg_error.jpg
res/drawable-hdpi/bg_prem.jpg
res/drawable-hdpi/bg_temp.jpg
res/drawable-hdpi/bigfailure.png
res/drawable-hdpi/button_error_default.9.png
res/drawable-hdpi/button_error_press.9.png
res/drawable-hdpi/button_prem.9.png
res/drawable-hdpi/button_prem_default.9.png
res/drawable-hdpi/button_prem_press.9.png
res/drawable-hdpi/button_temp_default.9.png
res/drawable-hdpi/button_temp_press.9.png
res/drawable-hdpi/checkone.png
res/drawable-hdpi/checktwo.png
res/drawable-hdpi/finishroot.png
res/drawable-hdpi/finishroot_press.png
res/drawable-hdpi/ic_launcher.png
res/drawable-hdpi/insignia.png
res/drawable-hdpi/list_icon_security.png
res/drawable-hdpi/loading.png
res/drawable-hdpi/oneroot.png
res/drawable-hdpi/oneroot_press.png
res/drawable-hdpi/progress_bg.9.png
res/drawable-hdpi/progress_secondary_bg.9.png
res/drawable-hdpi/progress_top.9.png
res/drawable-hdpi/rootsuccess.png
res/drawable-hdpi/rootting_icon.png
res/drawable-hdpi/scan_01.png
res/drawable-hdpi/scan_02.png
res/drawable-hdpi/scan_03.png
res/drawable-hdpi/scan_04.png
res/drawable-hdpi/scan_05.png
res/drawable-hdpi/scan_06.png
res/drawable-hdpi/scan_07.png
res/drawable-hdpi/scan_08.png
res/drawable-hdpi/scan_09.png
res/drawable-hdpi/scan_10.png
res/drawable-hdpi/scan_11.png
res/drawable-hdpi/scan_12.png
res/drawable-hdpi/scan_13.png
res/drawable-hdpi/scan_14.png
res/drawable-hdpi/scan_15.png
res/drawable-hdpi/scan_16.png
res/drawable-hdpi/scan_17.png
res/drawable-hdpi/scan_18.png
res/drawable-hdpi/scan_19.png
res/drawable-hdpi/smartfailure.png
res/drawable-hdpi/temproot.png
res/drawable-hdpi/testroot.png
res/drawable-hdpi/testroot_press.png
res/drawable-hdpi/tips_bg_error.9.png
res/drawable-hdpi/tips_bg_prem.9.png
res/drawable-hdpi/tips_bg_temp.9.png
res/drawable-hdpi/tips_icon_error.png
res/drawable-hdpi/tips_icon_prem.png
res/drawable-hdpi/tips_icon_temp.png
res/drawable-hdpi/title_error.png
res/drawable-hdpi/title_prem.png
res/drawable-hdpi/title_temp.png
res/drawable-hdpi/uninstallroot.png
res/drawable-hdpi/uninstallroot_press.png
classes.dex
lib/armeabi/libkingroot-jni.so
META-INF/MANIFEST.MF
META-INF/CERT.SF
META-INF/CERT.RSA


Permissions required by the riskware:
  • READ_LOGS
  • CHANGE_WIFI_STATE
  • INTERNET
Certificate information:
Owner : CN=kingroot OU=kingroot??? O=kingroot??? L=Beijing ST=Beijing C=CN
Serial number: 4f17825d
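The file list, package names and signing files above are usable as static triage indicators. The following script is an added example written for this page, not Fortinet's detection logic or the sample's own code: it opens an APK as a ZIP, matches entry names against the payload files listed above, scans classes.dex for the package-name strings the write-up mentions, and checks that the standard signing files are present. The indicator weights, the alert threshold and the in-memory stand-in APKs are constructed for the demonstration; the certificate serial is not checked because that would require parsing the PKCS#7 blob in META-INF/CERT.RSA.

```python
import io
import zipfile

# File-level indicators taken from the file list in this write-up.
# The weights are an assumed triage scoring, not part of the original entry.
FILE_INDICATORS = {
    "lib/armeabi/libkingroot-jni.so": 3,
    "res/raw/gingerbreak": 3,
    "res/raw/rageagainstthecage": 3,
    "res/raw/gotroot": 2,
    "res/raw/installroot": 2,
    "res/raw/su": 2,
    "res/raw/superuser.apk": 2,
    "res/raw/busybox": 1,
}

# Package names mentioned in the write-up. DEX class descriptors use '/' as the
# separator, so "com.kingroot.RushRoot" shows up as "com/kingroot/RushRoot".
PACKAGE_INDICATORS = ("com/kingroot/", "com/noshufou/android/su")

SIGNING_FILES = {"META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA"}

ALERT_THRESHOLD = 5  # assumed cut-off for flagging a sample


def triage_apk(apk_bytes: bytes) -> dict:
    """Score an APK (raw bytes) for the rooting-toolkit indicators above."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = set(apk.namelist())
        file_hits = sorted(n for n in names if n in FILE_INDICATORS)
        package_hits = []
        if "classes.dex" in names:
            dex = apk.read("classes.dex")
            package_hits = [p for p in PACKAGE_INDICATORS if p.encode() in dex]
        signed = SIGNING_FILES <= names
    score = sum(FILE_INDICATORS[n] for n in file_hits) + 2 * len(package_hits)
    return {
        "file_hits": file_hits,
        "package_hits": package_hits,
        "signed": signed,
        "score": score,
        "flag": score >= ALERT_THRESHOLD,
    }


def build_sample_apk(entries: dict) -> bytes:
    """Build an in-memory ZIP standing in for an APK (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in mirroring the entry names listed in this write-up;
# the file contents are placeholders, not the real payloads.
SUSPECT_ENTRIES = {
    "AndroidManifest.xml": b"<binary manifest placeholder>",
    "classes.dex": b"dex\n035\x00...Lcom/kingroot/RushRoot/MainActivity;...",
    "lib/armeabi/libkingroot-jni.so": b"\x7fELF placeholder",
    "res/raw/gingerbreak": b"placeholder",
    "res/raw/rageagainstthecage": b"placeholder",
    "res/raw/su": b"placeholder",
    "res/raw/superuser.apk": b"placeholder",
    "res/raw/busybox": b"placeholder",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"placeholder PKCS#7 blob",
}

# A constructed app with none of the indicators, for comparison.
BENIGN_ENTRIES = {
    "AndroidManifest.xml": b"<binary manifest placeholder>",
    "classes.dex": b"dex\n035\x00...Lcom/example/notes/MainActivity;...",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"placeholder PKCS#7 blob",
}

if __name__ == "__main__":
    for label, entries in (("suspect", SUSPECT_ENTRIES), ("benign", BENIGN_ENTRIES)):
        print(label, triage_apk(build_sample_apk(entries)))
```

On a real file, pass the APK's bytes to triage_apk; entry-name matching is cheap but easily evaded by renaming, so the DEX string scan and, in a fuller tool, a parse of the signing certificate's serial are what give the check some resilience.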

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                     Availability
FortiGate                   Extended
FortiClient                 Extreme
FortiAPS
FortiAPU
FortiMail                   Extreme
FortiSandbox                Extreme
FortiWeb                    Extreme
Web Application Firewall    Extreme
FortiIsolator               Extreme
FortiDeceptor               Extreme
FortiEDR

Version Updates

Date         Version    Detail
2023-01-19   90.09794