Android/DroidKungFu: attacking from a mobile device?
The Android malware DroidKungFu reports back to the following URLs:
http://[REMOVED]fu-android.com:8511/search/rpty.php http://[REMOVED]fu-android.com:8511/search/getty.php http://[REMOVED]fu-android.com:8511/search/sayhi.php
A whois on the corresponding IP address replies with the following most peculiar information: it looks like the IP address belongs to a mobile device (either a phone, or a tablet, or a computer with a 2G/3G connection...) of a well-known Chinese operator. Of course, we have immediately notified this operator. This is rather surprising since, usually, attacks on mobile phones (especially command & control servers) are conducted from a host on the Internet.
$ whois [REMOVED]6.37.93 ... inetnum: [REMOVED]4.0.0 - [REMOVED].255.255 netname: [REMOVED]NET-JS descr: [REMOVED]NET jiangsu province network descr: [REMOVED - Belongs to a Chinese operator] Telecom descr: A12,Xin-Jie-Kou-Wai Street descr: Beijing 100088 country: CN admin-c: CH93-AP tech-c: CJ186-AP mnt-by: APNIC-HM mnt-lower: MAINT-[REMOVED]NET-JS mnt-routes: MAINT-[REMOVED]NET-JS ... status: ALLOCATED PORTABLE source: APNIC
We tried to fingerprint the operating system of the host at that IP address:
curl -F 'imei=12345899;managerid=yutian07' -A 'Mozilla/5.0 (Linux; U; Android 2.1-update1; en-us; ADR6300 Build/ERE27) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17' http://[REMOVED]fu-android.com:8511/search/sayhi.php OK
We can try a few other combinations, but they don't tell much more about the OS it's running on.
Let's try a telnet:
So, it's (likely) an Apache 2.2.3 on a CentOS. Another telnet on Port 22 tells us there's an SSH 4.3 server too:
telnet [REMOVED]fu-android.com 22 Trying [REMOVED]7.93... Connected to [REMOVED]fu-android.com. Escape character is '^]'. SSH-2.0-OpenSSH_4.3
It is technically possible to run a web server and an SSH server on an Android phone, but they would probably offer poor performance. I would rather go for an Android tablet or a computer with a 2G/3G connection. Any other assumption or comment on the motivation behind this Android malware?
-- the Crypto Girl