Results for droidkungfu

Threat Research

Keeping track with DroidKungFu.

As explained in our previous post (DroidKungFu is getting smarter), DroidKungFu now comes in 7 different flavors. Here is an updated graph of their similarities. Just like our previous graph (Clarifying Android DroidKungFu variants), each block represents a variant, intersections showing how many similar methods are implemented*. All variants can download and install new packages, start an application (activity), open a URL in the browser and delete a package**. Although the F variant intentionally piggybacks legitimate applications that use...

By Karine de Ponteves, June 01, 2012

Threat Research

DroidKungFu is getting smarter (hopefully, so am I)

Since the beginning, the malicious Android DroidKungFu family has always been showing technologically advanced features (see one of our previous posts on DroidKungFu). The recent versions of the malware (version F and G) follow the same trend as they are now experiencing ways to hide their malicious behavior in native executables and additionally encrypting string constants within these. For instance, variant F - which has been found to trojan some samples of the famous Cut the Rope game - runs a service named UpdateCheck whose first task is to...

By Axelle Apvrille, May 11, 2012

Threat Research

Clarifying Android DroidKungFu variants

Much like Ninja Turtles, DroidKungFu now comes in different flavours (5 so far), discovered by Pr. Xuxian Jiang (and research team) and Lookout. If, like me, you are having difficulties keeping track of those variants, this post is for you :) The similarities and differences between all 5 variants are depicted below. The various blocks represent each variant, and their intersection shows how many methods they share exactly*. All variants share the same malicious commands (CMD box). They can download and install new packages, start a program (called...

By Axelle Apvrille, October 26, 2011

Threat Research

Android/DroidKungFu: attacking from a mobile device?

The Android malware DroidKungFu reports back to the following URLs: http://[REMOVED]fu-android.com:8511/search/rpty.php http://[REMOVED]fu-android.com:8511/search/getty.php http://[REMOVED]fu-android.com:8511/search/sayhi.php A whois on the corresponding IP address replies with the following most peculiar information: it looks like the IP address belongs to a mobile device (either a phone, or a tablet, or a computer with a 2G/3G connection...) of a well-known Chinese operator. Of course, we have immediately notified this operator. This is rather...

By Axelle Apvrille, June 16, 2011