We were recently able to analyze the routines of the latest DroidKungFu variant, detected as ANDROIDOS_KUNGFU.CI. While we were monitoring the traffic between ANDROIDOS_KUNGFU.CI and its remote server, we chanced upon a command to delete a certain package.
In the command above, the server instructs the malware to delete a package called com.practical.share. We have seen other commands sent from the server such as commands to update the malware’s native code, install an APK, or open a URL. But this is the first time we’ve seen the server tell the malware to delete a package, and we’re not entirely sure why it does this routine.
I did some research on the package, and found that the deleted package is a new DroidDreamLight variant. The DroidDreamLight family is known to show notifications as part of its social engineering routine. This is to trick the user into clicking on the notifications to download new component, or update itself.
This particular DroidDreamLight variant, detected as ANDROIDOS_DORDRAE.O, starts its service (called ‘SystemConfService’) when the device boots up or receives/makes a call. It uploads the same information as its previous incarnations.
I wanted to see the notifications created by the malware for myself so I tested it by creating a web server and making the malware connect to it by changing the emulator network setting. Based on my analysis of the code, the malware expects an XML from the server with the following sample format:
The malware shows four types of notifications:
This notification updates the current malware package. When the user clicks on the update notification, the device shows a dialog box asking the user if he/she wants to replace the current app. If the user clicks “OK,” the installation continues. The package to be installed is already pre-downloaded by the malware before showing the notification.
- Download – When the user clicks the download notification, it will download the file specified by the malware server.
- Market – When the user clicks the market notification, the malware will view the Android Market page for the package specified by the server.
- Web – When the user clicks the web notification, the malware will connect to the URL specified by the server.
Below are sample notifications from the malware. Of course, the malware server will put different titles and descriptions (probably with a social engineering twist to it), and will not send the notifications at the same time to avoid suspicion.
Users can check if their phones are infected by going to Settings > Applications > Running Services. Look for the service called ‘SystemConfService.’
Moreover, users can manually remove the malware from their devices by going to Settings > Applications > Manage Applications to uninstall the infected app:
The mentioned DroidKungFu and DroidDreamLight variants are detected as ANDROIDOS_KUNGFU.CI and ANDROIDOS_DORDRAE.O respectively. For more information on mobile threats, please check our Mobile Threat Information Hub.