Fortinet Blog | News and Threat Research


Keeping track with DroidKungFu.

by Karine de Ponteves  |  June 01, 2012  |  Category: Security Research

As explained in our previous post (DroidKungFu is getting smarter), DroidKungFu now comes in 7 different flavors. Here is an updated graph of their similarities.

As in our previous graph (Clarifying Android DroidKungFu variants), each block represents a variant, and each intersection shows how many similar methods the overlapping variants implement in common.

All variants can download and install new packages, start an application (activity), open a URL in the browser and delete a package.

The F variant deliberately piggybacks on legitimate applications that already use root privileges, so it does not need to ship an exploit to obtain them; the G variant instead embeds the Gingerbreak exploit (green knife), so it does not depend on any user interaction to gain root permissions.

Both the F and G variants implement their malicious functionality in native code (brown circle) and obfuscate string constants (filenames, URLs, commands…) with a bitwise NOT (gradient rectangle).
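As an added illustration (not code from the original post or from Fortinet), the following Python shows how a bitwise-NOT string obfuscation of the kind described above is reversed, and why it is easy to spot: inverting a printable ASCII byte always yields a byte in 0x81..0xDF, so an obfuscated constant sits in the binary as a NUL-terminated run of high-bit bytes and reappears as text once the whole section is inverted. The sample blob, the file name, the URL (a placeholder host) and the command below are constructed for this example and are not taken from any DroidKungFu sample.

```python
import re

# Constructed stand-ins for the kind of constants the post says variants F and
# G hide: a filename, a URL (placeholder host, not a real C&C) and a shell
# command. None of these come from an actual DroidKungFu sample.
SAMPLE_STRINGS = [
    b"/system/bin/sh",
    b"http://example.invalid/cmd",
    b"pm install -r /data/local/tmp/update.apk",
]


def not_bytes(data: bytes) -> bytes:
    """Bitwise NOT of every byte; the same function encodes and decodes."""
    return bytes((~b) & 0xFF for b in data)


def build_sample_blob() -> bytes:
    """Constructed stand-in for a native library's read-only data: an ELF
    magic, one plain string, then the NOT-encoded strings, each NUL-terminated."""
    blob = b"\x7fELF" + b"\x00" * 8 + b"libnative.so\x00" + b"\x00" * 4
    for s in SAMPLE_STRINGS:
        blob += not_bytes(s) + b"\x00" * 4
    return blob


def plain_strings(blob: bytes, min_len: int = 6) -> list:
    """What `strings` would report: printable ASCII runs of at least min_len."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def find_not_strings(blob: bytes, min_len: int = 6) -> list:
    """Printable runs that only appear after inverting the blob.

    ~c for printable c (0x20..0x7e) lies in 0x81..0xdf, so NOT-encoded text
    never matches as readable text in the raw file. After inverting the whole
    blob it does, while the file's genuine text (now high-bit bytes) and the
    NUL terminators (now 0xff) drop out, so nothing is double counted.
    """
    return plain_strings(not_bytes(blob), min_len)


if __name__ == "__main__":
    blob = build_sample_blob()
    print("visible :", plain_strings(blob))
    print("hidden  :", find_not_strings(blob))
```

Run stand-alone, the script lists the one string a plain `strings` pass would show and the three constants that only become readable after the NOT. The same cue works in the other direction when triaging a native library: NUL-terminated runs of bytes confined to 0x81..0xDF in the read-only data are worth inverting before reaching for a debugger.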

Variants F and G share 3 new C&C URLs.

Variants A, B, C and F are signed with the same self-signed certificate bearing Google's name (a), while variants D, E and G each use their own custom certificate (d, e and g).

Figure: DroidKungFu Variants (similarity graph)

References:

* Fortinet's detailed virus descriptions, including details of the native parts of version B, version F and version G.

* Lookout's teardown on Lena (aka DroidKungFu).

The similarity graph was computed using androsim.py from Androguard.

Variant A features a fifth command, execHomepage, but implements it as "not supported".

Tags: android dalvik droidkungfu exploit install Malware mobile native