Android/DroidKungFu: attacking from a mobile device?
| June 16, 2011
| Category: Security Research
The Android malware DroidKungFu reports back to the following URLs:
http://[REMOVED]fu-android.com:8511/search/rpty.php
http://[REMOVED]fu-android.com:8511/search/getty.php
http://[REMOVED]fu-android.com:8511/search/sayhi.phpA whois on the corresponding IP address replies with the following most peculiar information: it looks like the IP address belongs to a mobile device (either a phone, or a tablet, or a computer with a 2G/3G connection…) of a well-known Chinese operator. Of course, we have immediately notified this operator. This is rather surprising since, usually, attacks on mobile phones (especially command & control servers) are conducted from a host on the Internet.
$ whois [REMOVED]6.37.93
...
inetnum: [REMOVED]4.0.0 - [REMOVED].255.255
netname: [REMOVED]NET-JS
descr: [REMOVED]NET jiangsu province network
descr: [REMOVED - Belongs to a Chinese operator] Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CJ186-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-[REMOVED]NET-JS
mnt-routes: MAINT-[REMOVED]NET-JS
...
status: ALLOCATED PORTABLE
source: APNICWe tried to fingerprint the operating system of the host at that IP address:
curl -F 'imei=12345899;managerid=yutian07' -A 'Mozilla/5.0 (Linux; U;
Android 2.1-update1; en-us; ADR6300 Build/ERE27)
AppleWebKit/530.17 (KHTML, like Gecko)
Version/4.0 Mobile Safari/530.17'
http://[REMOVED]fu-android.com:8511/search/sayhi.php
OKWe can try a few other combinations, but they don’t tell much more about the OS it’s running on.
Let’s try a telnet:
So, it’s (likely) an Apache 2.2.3 on a CentOS. Another telnet on Port 22 tells us there’s an SSH 4.3 server too:
telnet [REMOVED]fu-android.com 22
Trying [REMOVED]7.93...
Connected to [REMOVED]fu-android.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3It is technically possible to run a web server and an SSH server on an Android phone, but they would probably offer poor performance. I would rather go for an Android tablet or a computer with a 2G/3G connection. Any other assumption or comment on the motivation behind this Android malware?
Android/DroidKungFu was discovered by Pr. Xuxian Jiang and his team. Thanks for sharing samples.
– the Crypto Girl
Axelle Apvrille
| June 16, 2011
| Category: Security Research
Twitter
Facebook
LinkedIn
Youtube