Virus Profile: Android/DroidKungFu.A

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 6/6/2011
Date Added: 6/13/2011
Origin: N/A
Length: N/A
Type: Trojan
Subtype: PDA Device
DAT Required: N/A

Description

Android/DroidKungFu.A is a trojan that sends sensitive information to an attacker and includes backdoor functionality. It also exploits vulnerabilities to gain root access.

Indication of Infection

  • Sends sensitive information

  • Exploits known vulnerabilities to gain root

  • Installs an Android application into system directory

  • Has backdoor functions


Methods of Infection

This malware requires that the user intentionally install it on the device. As always, users should never install unknown or untrusted software. This is especially true for illegal software, such as cracked applications, which are a favorite vector for malware infection.
   

Virus Characteristics

Android/DroidKungFu.A is a cracked version of a legitimate application. It includes functionality to execute backdoor commands and exploits vulnerabilities in order to gain root access. Installation of the trojan is shown in Fig 1.


Fig 1 - The permissions requested by Android/DroidKungFu.A.

When the infected device starts up, the malicious service "SearchService" will be activated.


Fig 2 - Running service "SearchService"

Android/DroidKungFu.A repeatedly launches two Android native executables, "assets/ratc" and "assets/gjsvro". The exploits are stored in the APK file and are detected as Exploit/DiutesEx.B and Exploit/LVedu.B respectively.
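The native root exploits described above are packaged as ordinary files under assets/ in the APK. The following triage script, added here as an example and not part of the original profile, opens an APK as a zip archive and flags the two asset names named in this profile, and more generally any assets/ entry that carries an ELF header, since a native executable stored among resources is worth a closer look. The sample APK it builds is constructed for the demonstration and is not a real malware sample.

```python
import hashlib
import io
import zipfile

# Asset names used by Android/DroidKungFu.A, as given in the profile.
KNOWN_DROIDKUNGFU_ASSETS = {"assets/ratc", "assets/gjsvro"}
ELF_MAGIC = b"\x7fELF"


def triage_apk(apk_bytes):
    """Return findings for an APK supplied as bytes.

    known_assets: entries whose names match the DroidKungFu.A asset names.
    elf_assets:   any entry under assets/ that starts with the ELF magic,
                  i.e. a native executable stored where resources belong.
    hashes:       SHA-256 of each flagged entry, for sharing with AV/sandbox.
    """
    findings = {"known_assets": [], "elf_assets": [], "hashes": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if not name.startswith("assets/") or info.is_dir():
                continue
            data = apk.read(name)
            flagged = False
            if name in KNOWN_DROIDKUNGFU_ASSETS:
                findings["known_assets"].append(name)
                flagged = True
            if data[:4] == ELF_MAGIC:
                findings["elf_assets"].append(name)
                flagged = True
            if flagged:
                findings["hashes"][name] = hashlib.sha256(data).hexdigest()
    findings["suspicious"] = bool(findings["known_assets"] or findings["elf_assets"])
    return findings


def build_sample_apk():
    """Constructed test APK (not a real sample): a zip with the two asset
    names from the profile, one carrying an ELF header, plus a benign image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder/>")
        z.writestr("assets/ratc", ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9)
        z.writestr("assets/gjsvro", b"not-an-elf-payload")
        z.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```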

If an exploit is successful, Android/DroidKungFu.A remounts /system in order to copy a malicious APK into the "/system/app" directory. Otherwise, it shows a dialog explaining that the exploit has failed.


Fig 3 - Dialog explaining that the exploit has failed.

Android/DroidKungFu.A performs the following backdoor functions in response to commands from an external server:

  • Delete file
  • Install APK
  • Uninstall APK
  • Launch Web browser with URL
  • Launch application

It also posts the IMEI and whether the trojan gained root access to the external server.

The malicious APK installed by the trojan will run as a service at device start up, even if Android/DroidKungFu.A is removed.


Fig 4 - Malicious APK running from the /system/app directory
