- Threat Encyclopedia
- Malware
- ANDROIDOS_DROIDKUNGFU.B
Backdoor.AndroidOS.KungFu.b (Kaspersky); Andr/KongFu-A (Sophos)
Information Stealer, Click Fraud, Malicious Downloader, Rooting Tool
Android OS
This malware roots the device using components employed by ANDROIDOS_LOTOOR.A. However, the said components are encrypted with AES and are decrypted at the time that they are used by using the decryption key, "Fuck_sExy-aLl!Pw."
It uses its root privilege to install a malicious package named LEGACY found in its assets folder. This is installed on the system folder as a specific file. This is done so that the malware can stay in the device even if the Trojanized Android app is already removed.
It has a service called SearchService, which is responsible for all its backdoor routines.
It then posts the gathered information to specific URLs.
It also sends a malware specific string to a specific number, which is probably its version number.
It also sets the value of root to 1 if the device has successfully been rooted or 0 if it is not. This status is also sent to the server.
It connects to specific URLs to send and receive commands from a remote user.
247,940 bytes
DEX
No
06 Jun 2011
Connects to URLs/IPs
Arrival Details
This malware arrives via the following means:
NOTES:
This malware roots the device using components employed by ANDROIDOS_LOTOOR.A. However, the said components are encrypted with AES and are decrypted at the time that they are used by using the decryption key, "Fuck_sExy-aLl!Pw."
It uses its root privilege to install a malicious package named LEGACY found in its assets folder. This is installed on the system folder as /system/app/com.google.ssearch.apk. This is done so that the malware can stay in the device even if the Trojanized Android app is already removed.
It has a service called SearchService, which is responsible for all its backdoor routines.
It gathers the following data:It then posts the gathered information to the following URL:
It also sends a malware specific string, sp01, which is probably its version number.
It also sets the value of root to 1 if the device has successfully been rooted or 0 if it is not. This status is also sent to the server.
The following is the list of its backdoor routines:
The said commands are obtained from the following URL:
It reports the result (if it fails to complete the command or not) on the following URL:
8.900
1.105.00
13 Jun 2011
NOTES:
Trend Micro Mobile Security Solution
Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.
Download and install the Trend Micro Mobile Security App via the Android Market.
Remove unwanted apps on your Android mobile device
To remove unwanted apps on your mobile device: