NEWS FROM THE LAB - Tuesday, October 25, 2011

DroidKungFu Utilizes an Update Attack
Posted by ThreatSolutions @ 06:28 GMT

We did a quick post yesterday about a DroidKungFu sample that appeared to use a novel infection vector.

Now, as promised, more technical details.

[Image: DroidKungFu, Chinese market]

The application we've been analyzing is called com.ps.keepaccount, and a quick check into its content reveals a couple of findings.

The original application (SHA-1: 5e2fb0bef9048f56e461c746b6a644762f0b0b54) shows no trace of DroidKungFu at first glance.

[Image: DroidKungFu, original install. Content and installation permission]

Once installed, the application informs the user that an update is available. When the user installs this update, the updated application contains extra functionality similar to that found in DroidKungFu malware.

The series of screenshots below shows what happens during the update process:



Compared to the original version, the updated application requested two additional permissions that would allow it to access SMS and MMS messages and the device's location.

While a difference in permissions may not be the best way to identify whether an update is malicious, it is still good practice to be aware and suspicious if an application update requests different permissions.

More importantly, the updated application uses an exploit to gain root privilege, which would enable it to perform more potentially unwanted actions.

In the last screenshot, the application is shown to have stopped unexpectedly. This is probably due to an error, as this variant of DroidKungFu still uses the exploit for Android OS version 2.2 and the tested phone runs Android OS version 2.3.

Below is the packet capture during the update process showing the source of the updated application:


A quick view into the contents of the updated application (SHA-1: 7cd1122966da7bc4adfabb28be6bfae24072c1c6):


The init.db file is actually a standalone copy of DroidKungFu: it is not a database file but an encrypted APK file that the application installs once it gains root privilege.
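One way to triage for this kind of disguised payload, as an added example that is not code from the original post: flag `.db` entries in an APK that lack the SQLite file header and have near-random byte entropy. The 7.5 bits/byte threshold, the function names and the sample archive (including its layout) are assumptions constructed for illustration.

```python
import io
import math
import os
import zipfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file
ENTROPY_THRESHOLD = 7.5                # bits/byte; assumed cut-off for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, lower for text or tables."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def suspicious_db_entries(apk_bytes: bytes):
    """Return (name, entropy) for *.db entries that are not SQLite and look encrypted."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if not info.filename.lower().endswith(".db"):
                continue
            data = apk.read(info)
            if data.startswith(SQLITE_MAGIC):
                continue  # genuine database header, nothing to report
            entropy = shannon_entropy(data)
            if entropy >= ENTROPY_THRESHOLD:
                hits.append((info.filename, round(entropy, 2)))
    return hits


def build_sample_apk() -> bytes:
    """Constructed sample: one SQLite-headed file and one random blob named init.db."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("notes.db", SQLITE_MAGIC + b"\x00" * 4080)
        z.writestr("init.db", os.urandom(4096))  # stands in for an encrypted payload
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for name, entropy in suspicious_db_entries(build_sample_apk()):
        print(f"{name}: not SQLite, entropy {entropy} bits/byte")
```

A hit is a lead for manual analysis rather than a verdict, since legitimately compressed or encrypted application data also scores high.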

To verify that this application is indeed DroidKungFu, let's take a look at the code:


The "WP" value is the decryption key, stored as an ASCII representation; when converted, it becomes "Deta_C1*T#RuOPrs".

Further verification reveals that this application is indeed a variant of DroidKungFu, and we have detected it since August 18, 2011 as Trojan:Android/DroidKungFu.C.

A quick check of detection coverage for the samples (both before and after the update) with VirusTotal showed the following results. The original application that updates itself to DroidKungFu:


And, for the updated application:


Threat Solutions post by — Zimry, Irene and Yeh


Oct 25th Post Updates: This post was edited to correct details related to the screenshots; the first few paragraphs were reworked to clarify that this topic is related to yesterday's post, and to replace links to VirusTotal scan reports with screenshots.