Fortinet Blog | News and Threat Research

Since the beginning, the malicious Android DroidKungFu family has always been showing technologically advanced features (see one of our previous posts on DroidKungFu). The recent versions of the malware (version F and G) follow the same trend as they are now experiencing ways to hide their malicious behavior in native executables and additionally encrypting string constants within these.

For instance, variant F - which has been found to trojan some samples of the famous Cut the Rope game - runs a service named UpdateCheck whose first task is to load a so-called “adv3” library :

static {




System.loadLibrary("adv3");




}

Does adv3 stand for advanced? This library surely is … maliciously advanced. Straight after decompilation, it is still difficult to understand, because all string constants are encrypted:

Encrypted strings to be found in Android/DroidKungFu

Fortunately, the encryption algorithm is no match to AES ;). Let’s have a look at the decryption function, named “init_predata”. It’s quite simple: the idea is to process each byte of the encrypted string, byte by byte, apply the bitwise NOT operator to the byte and overwrite the current byte with the result.

Encryption function applies a NOT to each byte

If you want to automate decryption of those strings, you can use Tim Strazzere’s IDA script. Actually, he performs an XOR with 0xFF on each byte, which is equivalent to the bitwise not.

Ok, so, DroidKungFu uses a native library with encrypted string constants. What does the library actually do?

Piping commands to “su

First, notice it drops another executable. Yes! Another ELF executable was hidden within the library… This executable is 26460-byte long and it actually processes commands to the malicious remote C&C server. Like the library, its strings are encrypted with a bitwise not.

Then, it opens a pipe to /system/bin/su (to issue commands as root), creates the command strings (e.g  /system/bin/setprop r0.bot.id value, where r0.bot.id is a property, and value the value to set to that property), and writes the string to the pipe. Thus, the command is executed as root.

– the Crypto Girl