NEWS FROM THE LAB - Monday, October 24, 2011

These Aren't the Droid Updates You're Looking For Posted by Sean @ 19:16 GMT

Our Threat Solutions team discovered an interesting threat using a novel "infection vector" for Android today.

Back in July, they analyzed Spyware:Android/SndApps, which, after an update, is able to access various bits of personal information. Before the update, it only requests the "Internet" permission. It seems probable to us that users are less likely to carefully review permissions for an update of an application that is already installed on their smartphone.

So with this permission-escalation-via-update method in mind, the team has been monitoring for malicious applications attempting the same trick. And today… they found one.
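A defender-side check for the pattern described above, added here as an example and not part of the original post or of F-Secure's tooling: it diffs the `<uses-permission>` entries of two constructed AndroidManifest.xml snippets (a first install asking only for INTERNET, and an "update" that quietly adds more) and reports the newly requested permissions, singling out the ones a reviewer should look at. The package name, permissions and the SENSITIVE subset are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifests; not taken from the samples described in the post.
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

UPDATED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
</manifest>"""

# Illustrative subset of permissions that deserve a second look when they
# first appear in an update; not Android's complete "dangerous" list.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.INSTALL_PACKAGES",
}


def permissions(manifest_xml):
    """Return the set of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def review_update(old_xml, new_xml):
    """Compare an installed app's manifest with that of its proposed update.

    Returns a dict: whether both are really the same package (otherwise it is a
    new install masquerading as an update), the permissions the update adds, and
    the subset of those that fall in SENSITIVE.
    """
    old_root, new_root = ET.fromstring(old_xml), ET.fromstring(new_xml)
    added = permissions(new_xml) - permissions(old_xml)
    return {
        "same_package": old_root.get("package") == new_root.get("package"),
        "added": sorted(added),
        "sensitive": sorted(added & SENSITIVE),
    }
```

Run against real APKs, the manifests would first need to be decoded (e.g. with aapt) from binary XML to text before being passed to these functions.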

Analysis is currently underway.

What we can currently tell you is that the original application (downloaded from a third-party market) is free of malicious code. Once installed, the application immediately informs the user that an update is available, and that "update" installs a variant of Trojan:Android/DroidKungFu.

There's still some question as to whether the original application developer actually intends for their application to be used as a DroidKungFu downloader. Possibly, the developer's back end has been compromised.

We detect the applications as Trojan-Downloader:Android/DroidKungFu.E and Trojan:Android/DroidKungFu.C.

SHA-1: 5e2fb0bef9048f56e461c746b6a644762f0b0b54

We'll have additional technical details and screenshots on this "update attack" in a subsequent post.