ANDROIDOS_GONFU.A

 Analysis by: markb

 THREAT SUBTYPE:

Rooting Tool

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This malware roots the device using components employed by ANDROIDOS_LOTOOR.A. However, the said components are encrypted with AES and are decrypted at the time that they are used by using a certain decryption key.

It uses its root privilege to install a malicious package named, LEGACY found in its assets folder. This is installed on the system folder. This is done so that the malware can stay in the device even if the Trojanized Android app is already removed.

It has a service called, SearchService, which is responsible for all its backdoor routines.

It gathers mobile-specific data.

It then posts the gathered information to a certain URL.

  TECHNICAL DETAILS

File Size:

Varies

Memory Resident:

Yes

Initial Samples Received Date:

09 Jun 2011

Payload:

Steals information, Compromises system security

Arrival Details

This malware arrives via the following means:

  • via Trojanized Android applications.

NOTES:

This malware roots the device using components employed by ANDROIDOS_LOTOOR.A. However, the said components are encrypted with AES and are decrypted at the time that they are used by using the decryption key, "Fuck_sExy-aLl!Pw."

It uses its root privilege to install a malicious package named, LEGACY found in its assets folder. This is installed on the system folder as /system/app/com.google.ssearch.apk. This is done so that the malware can stay in the device even if the Trojanized Android app is already removed.

It has a service called, SearchService, which is responsible for all its backdoor routines.

It gathers the following data:

  • IMEI
  • OS release version
  • SDK version
  • Mobile number
  • Model of the phone
  • network operator
  • type of connection (i.e. WIFI, MOBILE)
  • Available system memory
  • SDCARD free space

It then posts the gathered information to the following URL:

  • http://{BLOCKED}h.gongfu-android.com:8511/search/sayhi.php

It also sends a malware specific string, sp051, which is probably its version number.

It also sets the value of root to 1 if the device has successfully been rooted or 0 if it is not. This status is also sent to the server.

The following are the list of its backdoor routines:

  • execHomepage - a placeholder that currently does not contain codes
  • execInstall - downloads and installs a package
  • execStartApp - runs a package
  • execDelete - uninstalls a package
  • execOpenUrl - opens a URL

The said commands are obtained from the following URL:

  • http://{BLOCKED}h.gongfu-android.com:8511/search/getty.php

It reports the result (if it fails to complete the command or not) on the following URL:

  • http://{BLOCKED}h.gongfu-android.com:8511/search/rpty.php

  SOLUTION

Minimum Scan Engine:

8.900

TMMS Pattern File:

1.105.00

TMMS Pattern Date:

13 Jun 2011

NOTES:

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via the Android Market.

Remove unwanted apps on your Android mobile device

To remove unwanted apps on your mobile device:

  1. Go to Settings > Applications > Manage Applications.
  2. Locate the app to be removed.
  3. Scroll and highlight the app to be removed, then choose Uninstall.


Did this description help? Tell us how we did.