Fortinet Blog | News and Threat Research

Much like Ninja Turtles, DroidKungFu now comes in different flavours (5 so far), discovered by Pr. Xuxian Jiang (and research team) and Lookout. If, like me, you are having difficulties keeping track of those variants, this post is for you :)

The similarities and differences between all 5 variants are depicted below. The various blocks represent each variant, and their intersection shows how many methods they share exactly.

All variants share the same malicious commands (CMD box). They can download and install new package, start a program (called activity), open a given URL in the browser or delete a package. To do so, they contact the same 3 remote web servers (URLs box), apart from variant A which uses a single one.

As for differences, mainly, they rely on whether the sample uses exploits or not (yellow and red knife), whether the malicious functionalities are implemented natively or not (brown circle or green box) and whether some payload is encrypted with AES or not (hatched rectangle) and the key it uses. Note that variant E has the particularity of encrypting a few strings to obfuscate its code (/system/bin/chmod 4755, WebView.db.init etc).

A few other similarities are not mentioned on the picture, such as the re-use of filenames and signing certificates. For instance, native code is typically in a file named WebView.db.init, and for certificates, variant A, B and C are signed by the same self-signed Google certificate, whereas variant D and E use a custom certificate.

References:

* Fortinet’s detailed virus descriptions, including details of native part inside version B. * Lookout’s teardown on LeNa (aka DroidKungFu)

– the Crypto Girl

• Computed using androsim.py from Androguard.

** Actually, variant A features a fifth command, execHomepage, but implements it as “not supported”.