F-Secure warns of Android malware

Oct 25, 2011
Data and Information Security

F-Secure researchers are investigating newish malware targeting Android phones — Trojan Downloader: Android/DroidKungFu.E and Trojan: Android/DroidKungFu.C.

There are currently two write-ups on this in the F-Secure blog, which describes it as an interesting threat using a novel “infection vector.”

Let’s start at the beginning. Yesterday, in a post called “These aren’t the Droid updates you’re looking for,” the lab offered the following quick analysis:

What we can currently tell you is that the original application (downloaded from a third-party market) is free of malicious code. Once installed, the application immediately informs the users that an update is available — and that “update” — installs a variant of Trojan:Android/DroidKungFu.

There’s still some question as to whether the original application developer actually intends for their application to be used as a DroidKungFu downloader. Possibly, the developer’s back end has been compromised.

Today, they posted a much deeper analysis with a variety of screen shots.

Here’s some of what they had to say in the update:

The application we’ve been analyzing is called, and a quick check into its content reveals a couple of findings. The original application (SHA-1: 5e2fb0bef9048f56e461c746b6a644762f0b0b54) shows no trace of DroidKungFu at first glimpse. Once installed, the application would inform the user that an update is available; when the user installs this update, the updated application would then contain extra functionalities, similar to that found in DroidKungFu malware.

Compared to the original version, the updated application requested two additional permissions that would allow it to access SMS and MMS messages, and the device’s location. While a difference in permissions may not be the best way to identify whether an update is malicious, it is still a good practice to be aware and suspicious if an application update is requesting different permissions.

More importantly, the updated application uses an exploit to gain root privilege, which would enable it to perform more potentially unwanted actions.

The language is exactly the kind I wrote about over and over again five-plus years ago. The big difference today is that this stuff almost always seems to be targeting smartphones.

Back then, everything targeted the desktops and I was talking to F-Secure Chief Research Officer Mikko Hypponen about mobile phone malware as some distant years-away concept.

The future has truly arrived.

–Bill Brenner
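
The permission comparison F-Secure recommends above can be automated when vetting an update. The following is an added example, not code from F-Secure or from this article; it assumes both manifests have already been decoded to text XML, and the sample manifests, the package name and the SENSITIVE list are constructed for illustration (the page does not name the exact permissions the real update requested).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions this check treats as high-risk (an assumption; extend as needed).
SENSITIVE = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.RECEIVE_MMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

def permissions(manifest_xml):
    """Return the set of permission names requested by a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def diff_permissions(old_xml, new_xml):
    """Compare the installed version's manifest with the offered update's."""
    old, new = permissions(old_xml), permissions(new_xml)
    added = new - old
    return {
        "added": sorted(added),
        "removed": sorted(old - new),
        "sensitive_added": sorted(added & SENSITIVE),
    }

def sample_manifest(perms):
    """Build a constructed, minimal manifest requesting the given permissions."""
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.app">{body}<application/></manifest>')

# Constructed inputs: an "original" and an "update" that asks for two more permissions.
BASE = ["android.permission.INTERNET", "android.permission.READ_PHONE_STATE"]
ORIGINAL = sample_manifest(BASE)
UPDATE = sample_manifest(BASE + ["android.permission.READ_SMS",
                                 "android.permission.ACCESS_FINE_LOCATION"])

if __name__ == "__main__":
    report = diff_permissions(ORIGINAL, UPDATE)
    for key, values in report.items():
        print(f"{key}: {', '.join(values) or '-'}")
```

As the quoted analysis notes, a permission difference alone does not prove an update is malicious; a non-empty `sensitive_added` list is a reason to hold the update for review.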
