ANDROIDOS_DROIDKUNGFU.B

This malware roots the device using components employed by ANDROIDOS_LOTOOR.A. However, the said components are encrypted with AES and are decrypted at the time that they are used by using the decryption key, "Fuck_sExy-aLl!Pw."

It uses its root privilege to install a malicious package named LEGACY found in its assets folder. This is installed on the system folder as a specific file. This is done so that the malware can stay in the device even if the Trojanized Android app is already removed.

It has a service called SearchService, which is responsible for all its backdoor routines.

It then posts the gathered information to specific URLs.

It also sends a malware specific string to a specific number, which is probably its version number.

It also sets the value of root to 1 if the device has successfully been rooted or 0 if it is not. This status is also sent to the server.

It connects to specific URLs to send and receive commands from a remote user.

Arrival Details

This malware arrives via the following means:

• Via Trojanized Android applications

NOTES:

This malware roots the device using components employed by ANDROIDOS_LOTOOR.A. However, the said components are encrypted with AES and are decrypted at the time that they are used by using the decryption key, "Fuck_sExy-aLl!Pw."

It uses its root privilege to install a malicious package named LEGACY found in its assets folder. This is installed on the system folder as /system/app/com.google.ssearch.apk. This is done so that the malware can stay in the device even if the Trojanized Android app is already removed.

It has a service called SearchService, which is responsible for all its backdoor routines.

• IMEI
• OS release version
• SDK version
• Mobile number
• Model of the phone
• network operator
• type of connection (i.e. WIFI, MOBILE)
• Available system memory
• SDCARD free space

It then posts the gathered information to the following URL:

• http://{BLOCKED}h.gongfu-android.com:8511/search/sayhi.php

It also sends a malware specific string, sp01, which is probably its version number.

It also sets the value of root to 1 if the device has successfully been rooted or 0 if it is not. This status is also sent to the server.

The following is the list of its backdoor routines:

• execHomepage - a placeholder that currently does not contain codes
• execInstall - downloads and installs a package
• execStartApp - runs a package
• execDelete - uninstalls a package
• execOpenUrl - opens a URL

The said commands are obtained from the following URL:

• http://{BLOCKED}h.gongfu-android.com:8511/search/getty.php

It reports the result (if it fails to complete the command or not) on the following URL:

• http://{BLOCKED}h.gongfu-android.com:8511/search/rpty.php