June 6, 2011

Security Alert: New Malware Found in Alternative Android Markets: DroidKungFu

Looking for more information on mobile threats like DroidKungFu? Check out Lookout’s Top Threats resource.

A new Android malware, named DroidKungFu by the researchers who discovered it, has been detected in multiple alternative app stores and forums based in China and is apparently targeted at Chinese Android users. (Lookout identifies this trojan as “Legacy.”)

The Threat

The malware ships with two known root exploits, exploid and rageagainstthecage, stored in encrypted form.  When it runs, it decrypts these exploits, uses them to break out of the Android application sandbox, and then contacts a remote server without the user’s knowledge.  DroidKungFu can collect various information about the infected phone, including the IMEI number, phone model and Android OS version.  The root exploits are the same ones used by the DroidDream malware, the first piece of malware found in the official Android Market, in March 2011.  Two of the package names seen so far are com.andhuhu.fengyinchuanshuo and com.nineiworks.wordsXGN.

The good news is that to date none of the apps containing the malware has been detected in the official Android Market.  As always, Lookout encourages you to download software only from known, reputable app markets.  Lookout Free and Premium users are already protected against DroidKungFu/Legacy.

We are still in the preliminary stages of investigating this malware and will keep you updated as we learn more.

Who is affected?

All Android users who have installed one of the affected applications and are running Android 2.2.1 or earlier are affected.  You can find the Android version your phone is running by navigating to Settings -> About Phone -> Software Information.
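As an added example (not part of Lookout’s post), the script below turns the two indicators above into a repeatable check: it looks for the package names named in the alert in a device’s installed-package list and compares the Android release against the 2.2.1 cutoff. It assumes the inputs come from `adb shell pm list packages` and `adb shell getprop ro.build.version.release`; the package list embedded here is constructed sample output, not captured from an infected device. Note that the alert lists only two package names, so a clean result from this check does not rule out other repackaged apps carrying the same payload.

```python
import re

# Indicators taken from the alert above; everything else is this example's own assumption.
KNOWN_BAD_PACKAGES = frozenset({
    "com.andhuhu.fengyinchuanshuo",
    "com.nineiworks.wordsXGN",
})
# The alert states that devices running Android 2.2.1 and earlier are affected.
LAST_AFFECTED_VERSION = (2, 2, 1)

# Constructed sample of `adb shell pm list packages` output (not from a real device).
SAMPLE_PM_OUTPUT = """package:com.android.vending
package:com.andhuhu.fengyinchuanshuo
package:com.example.notes
package:com.google.android.gsf
"""


def parse_version(release):
    """Turn an Android release string such as '2.2.1' or '2.2' into a comparable tuple.

    Each dotted component is reduced to its leading digits and missing components
    count as 0, so '2.2' becomes (2, 2, 0). Comparing tuples avoids the string
    comparison trap in which '2.10' would sort below '2.2.1'.
    """
    parts = []
    for piece in release.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple((parts + [0, 0, 0])[:3])


def version_is_affected(release):
    """True if the release is at or below the last affected version named in the alert."""
    return parse_version(release) <= LAST_AFFECTED_VERSION


def parse_pm_list(text):
    """Parse `pm list packages` output into a set of package names.

    Handles both the plain 'package:<name>' form and the 'package:<apk path>=<name>'
    form that `pm list packages -f` prints.
    """
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name = line[len("package:"):].rsplit("=", 1)[-1].strip()
        if name:
            names.add(name)
    return names


def triage(pm_output, release):
    """Combine both indicators the way the alert defines 'affected'.

    A device with a listed package on a newer Android release is still reported
    (installed_bad is non-empty) even though the root exploits should not succeed there.
    """
    installed_bad = sorted(parse_pm_list(pm_output) & KNOWN_BAD_PACKAGES)
    vulnerable_os = version_is_affected(release)
    return {
        "installed_bad": installed_bad,
        "vulnerable_os": vulnerable_os,
        "affected": bool(installed_bad) and vulnerable_os,
    }


if __name__ == "__main__":
    for rel in ("2.2.1", "2.3.3"):
        print(rel, triage(SAMPLE_PM_OUTPUT, rel))
```

In practice you would feed it the real command output, for example `triage(subprocess.check_output(["adb", "shell", "pm", "list", "packages"], text=True), subprocess.check_output(["adb", "shell", "getprop", "ro.build.version.release"], text=True))`, and treat any non-empty `installed_bad` as a reason to contact support regardless of the OS version.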

What should you do?

If you have not downloaded any applications from an unofficial app market or forum aimed at Asian users, your risk should be extremely low.  However, if you think you have downloaded an affected application, please contact us at support[at]lookout.com.

We will continue to monitor the situation and update you as more information becomes available.

5 comments
  1. [...] circulating Chinese application markets before YZHCSMS made its way to the Android Market. “DroidKungFu can collect various information about the infected phone, including the IMEI number, phone model and Android OS version,” [...]

  2. [...] Malware writers have become increasingly creative with the tactics they use to get users to download malware. In addition to uploading malicious apps to the Android Market or alternative markets, we have also started to see threats we’ve classified as “Malvertising” and “Update Attacks.” Malvertising or “malicious advertising” involves an attacker buying mobile ads that direct users to a malicious website that triggers malware to download automatically. GGTracker was the first mobile malware we’ve encountered to use this tactic. In an Update Attack, an attacker first publishes a legitimate application with no malware to an application market. Once they have a large user base, the attacker then releases an update to the app that includes malware so the entire user base gets the updated infected application very quickly. We first saw this being used in the wild by the creators of Legacy (aka DroidKungFu). [...]

  3. [...] In an update attack, an attacker publishes a legitimate app to an application market and afterwards releases an update to the app that includes malware so the entire user base gets infected. The Legacy malware used this attack on users. [...]

  4. [...] the past, malware including jSMSHider, Legacy/DroidKungFu, zHash and DroidDream exploited known vulnerabilities to gain privileges on the device that they [...]

  5. [...] Lookout identified a new Android Trojan, LeNa, which is an evolution of the Legacy variant discovered earlier this year (also known as DroidKungFu). Previous Legacy variants were spotted [...]
