As explained in our previous post (DroidKungFu is getting smarter), DroidKungFu now comes in 7 different flavors. Here is an updated graph of their similarities.
Just like our previous graph (Clarifying Android DroidKungFu variants), each block represents a variant, and the intersections show how many similar methods they implement*.
All variants can download and install new packages, start an application (activity), open a URL in the browser and delete a package**.
While the F variant intentionally piggybacks on legitimate applications that use root privileges, so that it doesn't need to include an exploit to gain them, the G variant uses the Gingerbreak exploit (green knife) so that it doesn't depend on user interaction to gain root permissions.
Both F and G variants implement malicious functionalities natively (brown circle) and obfuscate string constants (filenames, URLs, commands...) with a bitwise NOT (gradient rectangle).
Variants F and G share 3 new C&C URLs.
Variants A, B, C and F are signed by the same self-signed Google certificate (a), and variants D, E and G use a custom certificate (d, e, and g).
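The bitwise NOT string obfuscation noted above for variants F and G can be undone during analysis with a `strings`-style scan. The sketch below is an added example, not code from the original post or from the malware; the sample blob, URL and path in it are constructed placeholders, and the triage categories are this example's own.

```python
import re

def bitwise_not(data: bytes) -> bytes:
    """Invert every bit of each byte; applying it twice returns the input."""
    return bytes(b ^ 0xFF for b in data)

def classify(text: str) -> str:
    """Rough triage of a decoded constant (categories are this example's own)."""
    if re.match(r"[a-z][a-z0-9+.-]*://", text, re.I):
        return "url"
    if text.startswith("/"):
        return "path"
    return "other"

def find_not_strings(blob: bytes, min_len: int = 6):
    """Return (offset, kind, text) for each NOT-encoded printable ASCII run."""
    # Printable ASCII 0x20..0x7e becomes 0x81..0xdf after a bitwise NOT.
    pattern = re.compile(rb"[\x81-\xdf]{%d,}" % min_len)
    hits = []
    for m in pattern.finditer(blob):
        text = bitwise_not(m.group()).decode("ascii")
        hits.append((m.start(), classify(text), text))
    return hits

# Constructed sample: two NOT-encoded placeholders inside unrelated bytes.
SAMPLE = (
    b"\x7fELF\x00\x01"
    + bitwise_not(b"http://c2.example.invalid/check")
    + b"\x00\x00"
    + bitwise_not(b"/data/local/tmp/placeholder")
    + b"\x00plain text\xff\xfe"
)

if __name__ == "__main__":
    for offset, kind, text in find_not_strings(SAMPLE):
        print(f"0x{offset:04x}  {kind:5}  {text}")
```

Runs of high bytes in compiled code can also fall in the 0x81..0xdf range, so a real native library will produce some noise; raising `min_len` trims most of it.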
Lookout's teardown on Lena (aka DroidKungFu).
*Computed using androsim.py by Androguard.
**Variant A features a 5th command, execHomepage, but implements it as “not supported”.