June 6, 2011

Security Alert: New Malware Found in Alternative Android Markets: DroidKungFu


A new Android malware, named DroidKungFu by the researchers who discovered it, has been detected in multiple alternative app stores and forums based in China and is apparently targeted at Chinese Android users. (Lookout identifies this trojan as “Legacy.”)

The Threat

The malware carries two known root exploits, exploid and rageagainstthecage, stored in encrypted form inside the application.  When it runs, it decrypts these exploits, uses them to gain root and break out of the Android application sandbox, and then contacts a remote server without the user's knowledge.  DroidKungFu can collect various information about the infected phone, including the IMEI, phone model and Android OS version.  The root exploits are the same ones used by DroidDream, the first piece of malware found in the official Android Market, in March 2011.  Two of the package names seen so far are com.andhuhu.fengyinchuanshuo and com.nineiworks.wordsXGN.

The good news is that to date none of the apps containing the malware has been detected in the official Android Market.  As always, Lookout encourages you to download software only from known, reputable app markets.  Lookout Free and Premium users are already protected against DroidKungFu/Legacy.

We are still in the preliminary stages of investigating this malware and will keep you updated as we learn more.

Who is affected?

Anyone who has installed one of the affected applications on a device running Android 2.2.1 or earlier is affected.  You can find the Android version your phone is running by navigating to Settings -> About Phone -> Software Information.
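The two conditions above (one of the listed package names installed, and an Android release of 2.2.1 or earlier) can be checked from a computer with the device attached over adb. The script below is an added example, not Lookout's code: it parses the output of `adb shell pm list packages` and `adb shell getprop ro.build.version.release` (both real commands; the sample output embedded here is constructed, not captured from a real device) and reports whether the indicators from this alert are present. Only the two package names given in the alert are matched, so a negative result is not proof that a device is clean.

```python
"""Offline indicator check for the DroidKungFu alert.

Inputs are the text of two adb commands, which you would capture yourself:
    adb shell pm list packages               -> package list
    adb shell getprop ro.build.version.release -> Android release string
Added example; not part of the original alert or Lookout's tooling.
"""
import re

# Package names named in the alert. The alert says these are "two of" the
# package names, so the set is known to be incomplete.
DROIDKUNGFU_PACKAGES = {
    "com.andhuhu.fengyinchuanshuo",
    "com.nineiworks.wordsXGN",
}

# Highest Android release the alert lists as affected (inclusive).
MAX_AFFECTED_RELEASE = "2.2.1"


def parse_release(release):
    """Normalise a release string such as '2.2.1', '2.3' or '2.3.3-update1'
    into a 3-tuple of ints so that versions compare correctly as numbers
    rather than as strings ('2.10' must sort after '2.3')."""
    numbers = re.findall(r"\d+", release.split("-")[0])
    if not numbers:
        raise ValueError("unrecognised release string: %r" % release)
    parts = [int(n) for n in numbers][:3]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def release_in_affected_range(release, max_affected=MAX_AFFECTED_RELEASE):
    """True if the release is at or below the highest affected release."""
    return parse_release(release) <= parse_release(max_affected)


def parse_package_list(pm_output):
    """Parse 'pm list packages' output, which prints one 'package:<name>'
    per line. Package names are case-sensitive, so no lower-casing here."""
    names = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.add(line[len("package:"):].strip())
    return names


def assess(pm_output, release):
    """Return (matched_packages, release_affected, verdict)."""
    installed = parse_package_list(pm_output)
    matched = sorted(installed & DROIDKUNGFU_PACKAGES)
    affected = release_in_affected_range(release)
    if matched and affected:
        verdict = "listed package installed on an affected release"
    elif matched:
        verdict = "listed package installed, release outside the range in the alert"
    else:
        verdict = "no listed package found (not proof the device is clean)"
    return matched, affected, verdict


# Constructed sample output, shaped like real 'pm list packages' output.
SAMPLE_PM_OUTPUT = """\
package:com.android.browser
package:com.nineiworks.wordsXGN
package:com.android.settings
package:com.google.android.gm
"""
SAMPLE_RELEASE = "2.2.1"

if __name__ == "__main__":
    matched, affected, verdict = assess(SAMPLE_PM_OUTPUT, SAMPLE_RELEASE)
    print("matched packages:", matched)
    print("release affected:", affected)
    print("verdict:", verdict)
```

To run it against a real device, replace the two sample strings with the captured output of the adb commands named in the docstring; a match on either package name warrants the follow-up described in the next section regardless of the release check.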

What should you do?

If you have not downloaded any applications from an unofficial app market or forum targeted at Chinese Android users, your risk should be extremely low.  However, if you think you have downloaded an affected application, please contact us at support[at]lookout.com.

We will continue to monitor the situation and update you as more information becomes available.

One comment
  1. SKD says:

    Can you please write about the permissions that these malwares [that you have identified] are requesting?
