Android/DroidKungFu.A is a cracked version of a legitimate application. It includes functionality to execute backdoor commands and exploits vulnerabilities in order to gain root access. The permissions requested during installation of the trojan are shown in Fig 1.
Fig 1 - The permissions requested by Android/DroidKungFu.A.
When the infected device starts up, the malicious service "SearchService" will be activated.
Fig 2 - Running service "SSearchService"
Android/DroidKungFu.A repeatedly launches two Android native executables "assets/ratc" and "assets/gjsvro". The exploits are stored in the APK file and are detected as Exploit/DiutesEx.B and Exploit/LVedu.B respectively.
If an exploit is successful, Android/DroidKungFu.A remounts /system in order to copy a malicious APK into the "/system/app" directory. Otherwise, it shows a dialog explaining that the exploit has failed.
Fig 3 - Dialog explaining that the exploit has failed.
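The two native exploit payloads are stored as plain files inside the APK, which makes them a simple static indicator. The following script is an added example, not part of the original write-up: it opens an APK (a ZIP archive), reports the "assets/ratc" and "assets/gjsvro" entries named above, and as an extra heuristic flags any other ELF binary under assets/, since legitimate apps rarely ship raw executables there. The sample APK it scans is constructed in memory.

```python
"""Added example: offline triage check for the DroidKungFu.A exploit assets.
The sample APK built here is constructed test data, not a real malware file."""
import io
import zipfile

ELF_MAGIC = b"\x7fELF"                      # first four bytes of any ELF file
KNOWN_EXPLOIT_ASSETS = {"assets/ratc", "assets/gjsvro"}   # names from the write-up

def scan_apk(data: bytes) -> dict:
    """Return {'known': [...], 'other_elf': [...]} for the given APK bytes."""
    findings = {"known": [], "other_elf": []}
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for info in apk.infolist():
            name = info.filename
            if name in KNOWN_EXPLOIT_ASSETS:
                findings["known"].append(name)
            elif name.startswith("assets/") and not info.is_dir():
                # Heuristic: any ELF executable under assets/ is worth a look
                with apk.open(info) as f:
                    if f.read(4) == ELF_MAGIC:
                        findings["other_elf"].append(name)
    return findings

def build_sample_apk(extra_elf: bool = False) -> bytes:
    """Construct a minimal fake APK (constructed sample, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0")
        z.writestr("assets/ratc", ELF_MAGIC + b"\0" * 12)     # stands in for Exploit/DiutesEx.B
        z.writestr("assets/gjsvro", ELF_MAGIC + b"\0" * 12)   # stands in for Exploit/LVedu.B
        z.writestr("assets/readme.txt", "not a binary")
        if extra_elf:
            z.writestr("assets/helper", ELF_MAGIC + b"\0" * 12)  # unnamed ELF, caught by heuristic
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_apk(build_sample_apk(extra_elf=True)))
```

To scan a real file, pass `open(path, "rb").read()` to `scan_apk`; the ELF heuristic will also fire on benign native helpers, so treat it as a lead rather than a verdict.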
Android/DroidKungFu.A performs the following backdoor functions in response to commands from an external server:
- Delete file
- Install APK
- Uninstall APK
- Launch Web browser with URL
- Launch application
It also posts to the external server the device's IMEI and whether the trojan gained root access.
The malicious APK installed by the trojan will run as a service at device start up, even if Android/DroidKungFu.A is removed.
Fig 4 - Malicious APK running in the /system/app directory