We were recently able to analyze the routines of the latest DroidKungFu variant, detected as ANDROIDOS_KUNGFU.CI. While we were monitoring the traffic between ANDROIDOS_KUNGFU.CI and its remote server, we chanced upon a command to delete a certain package.
In the command above, the server instructs the malware to delete a package called com.practical.share. We have seen other commands sent from the server such as commands to update the malware’s native code, install an APK, or open a URL. But this is the first time we’ve seen the server tell the malware to delete a package, and we’re not entirely sure why it does this routine.
I did some research on the package, and found that the deleted package is a new DroidDreamLight variant. The DroidDreamLight family is known to show notifications as part of its social engineering routine. This is to trick the user into clicking on the notifications to download new component, or update itself.