Threat Research

Keeping track of DroidKungFu.

By Karine de Ponteves | June 01, 2012

As explained in our previous post (DroidKungFu is getting smarter), DroidKungFu now comes in 7 different flavors. Here is an updated graph of their similarities.

Just like our previous graph (Clarifying Android DroidKungFu variants), each block represents a variant, and each intersection shows how many methods the overlapping variants implement in common*.

All variants can download and install new packages, start an application (activity), open a URL in the browser and delete a package**.

Whereas the F variant intentionally piggybacks legitimate applications that already use root privileges, so that it does not need to ship an exploit to gain them, the G variant carries the Gingerbreak exploit (green knife) so that it does not depend on any user interaction to obtain root.

Both F and G variants implement malicious functionalities natively (brown circle) and obfuscate string constants (filenames, URLs, commands...) with a bitwise NOT (gradient rectangle).
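The bitwise NOT obfuscation that F and G apply to their native string constants is trivial to undo, but on a stripped .so you first have to find the constants. The following is an added example written for this page (it is not Fortinet's code and not code from the samples): it shows the encoding, and a scanner that recovers NOT-obfuscated constants from an arbitrary byte blob by inverting every byte and looking for runs that become readable. The sample data section, the URL, the paths and the NUL-terminator convention are constructed assumptions for the demo, not values taken from DroidKungFu.

```python
import re

def _printable(b: int) -> bool:
    """Readable ASCII: space through tilde (0x20..0x7E)."""
    return 0x20 <= b <= 0x7E

def not_obfuscate(data: bytes) -> bytes:
    """Bitwise NOT of every byte. (~x) & 0xFF is an involution, so the
    same function both hides and reveals a constant."""
    return bytes((~b) & 0xFF for b in data)

def find_not_obfuscated_strings(blob: bytes, min_len: int = 6):
    """Return (offset, decoded) for every run of at least min_len bytes
    that is readable only after NOT. A plain ASCII string is never
    reported: NOT maps 0x20..0x7E onto 0x81..0xDF, which fails the
    readability test, so plaintext and obfuscated runs do not mix."""
    hits = []
    start = None
    for i, raw in enumerate(blob + b"\x00"):   # trailing sentinel flushes the last run
        if _printable((~raw) & 0xFF):
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            hits.append((start, not_obfuscate(blob[start:i]).decode("ascii")))
        start = None
    return hits

# Crude triage filter: URLs, absolute paths and shell-style commands, which
# is the kind of constant the text says is hidden this way.
INTERESTING = re.compile(r"^(https?://|/|[a-z]+ )")

def interesting_strings(blob: bytes, min_len: int = 6):
    return [(off, s) for off, s in find_not_obfuscated_strings(blob, min_len)
            if INTERESTING.match(s)]

# Constructed sample (assumption, not a real sample): a pretend native-library
# data section holding one plaintext string and three NOT-obfuscated
# constants, each stored NUL-terminated as a C string would be. The NUL
# terminator inverts to 0xFF, which conveniently ends each run.
SAMPLE_CONSTANTS = [
    b"http://c2.example.invalid/update.php",
    b"/system/bin/sh",
    b"chmod 4755 /system/bin/sh",
]
SAMPLE_BLOB = (
    b"\x7fELF" + b"\x00" * 8 + b"libnative.so\x00"
    + b"".join(not_obfuscate(c) + b"\x00" for c in SAMPLE_CONSTANTS)
    + b"\xff\xfe\x00\x10"
)

if __name__ == "__main__":
    for off, s in find_not_obfuscated_strings(SAMPLE_BLOB):
        print(f"0x{off:04x}: {s}")
```

Runs of bytes in 0x81..0xDF inside compressed or encrypted data also invert to readable ASCII, so on a real library expect false positives; the minimum length and the triage regex cut most of them, and the remaining hits should be confirmed against the decoding loop in the disassembly before being reported as C&C URLs or commands.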

Variants F and G share 3 new C&C URLs.

Variants A, B, C and F are signed by the same self-signed Google certificate (a), and variants D, E and G use a custom certificate (d, e, and g).

DroidKungFu Variants


*Computed using Androguard.

**Variant A features a 5th command, execHomepage, but implements it as “not supported”.
