Two recent bits of research have unearthed some nasty malware targeting Android devices. The first is a variant of the DroidKungFu malware which uses known Android exploits to root the victim’s device and install itself without the user knowing. The second, known as TigerBot, differs from “traditional” malware in that it is controlled via SMS rather than from a command & control (C&C) server on the Internet. Both pieces of malware are most prevalent on alternative markets, which again underlines the need for caution when going outside of Google Play or the Amazon Appstore.
Discovered in the middle of last year, the original DroidKungFu targeted Chinese speakers and was found in alternative Chinese app markets. However, over time it has been modified and did, at some point, find its way into the official Android marketplace. The original version included two built-in exploits which could root devices running Android up to and including 2.2.1. With most users going beyond 2.2.1, the next variant skipped the need to root devices and only attacked devices which had been previously rooted by their users. If the malware found its way onto a device which wasn’t rooted, it provided the user with some helpful instructions on how to root the device. How kind!
The latest version embeds the popular GingerBreak exploit, which means that DroidKungFu will silently root the device and install itself as malware without any user interaction. GingerBreak uses a bug in the vold volume manager daemon on Android 3.0 and 2.x before 2.3.4. The daemon explicitly trusts messages that are received from a PF_NETLINK socket, and by using a negative index it is possible to trigger a memory corruption that allows arbitrary code execution and ultimately the granting of root privileges.
This malware has been hidden in various apps including a fully functional copy of the recently released Angry Birds Space. Clearly, the hackers are hoping to capitalize on the popularity of the Angry Birds series. At this time the malware has not been seen in Google Play.
A common aspect of Android malware is the use of a command and control server that tells the malware what to do next and acts as a repository for any captured passwords or banking information. TigerBot, discovered by the NQ Mobile Security Research Center in collaboration with Dr. Xuxian Jiang’s team at North Carolina State University, is different, in that it is controlled via text messages.
The current information about this malware shows that it can execute a range of commands, including uploading the phone’s current location, sending SMS messages, and even recording phone calls. It works by intercepting SMS messages sent to the phone and checking whether they are commands for it to act on. If they are, it executes the command and then prevents the message from being seen by the user.
TigerBot tries to hide itself from the user by not showing any icon on the home screen and by using legitimate-sounding app names (like “System”) or by copying names from trusted vendors like Google or Adobe.
Beware of malware
As always, you should be vigilant to ensure that your device does not become infected:
- Only download apps from trusted app markets, and always check the reviews, ratings, and developer information before downloading.
- Watch what permissions are requested by an app and never install an app that asks for more than what it needs. For example, an app should not need to be able to read SMS messages (android.permission.READ_SMS or android.permission.RECEIVE_SMS) unless it is an SMS-related app.
- Be alert for unusual behaviors on your phone, including strange charges to your phone bill or unexpected apps that launch at start-up or when the device is locked.
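The SMS-interception and icon-hiding behaviour described for TigerBot, and the permission check in the list above, can be turned into a quick triage of a decoded AndroidManifest.xml. The script below is an added example and not code from the original article or from any of the researchers mentioned; the manifest it inspects is a constructed sample, not taken from a real app, and the package and class names in it are invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest (not from any real app) showing the pattern
# described above: SMS permission, a high-priority SMS_RECEIVED receiver,
# an innocuous label ("System") and no LAUNCHER activity (no home icon).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.system">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="System">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def triage_manifest(xml_text):
    """Return human-readable findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. SMS permissions in an app that has no business reading SMS
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMS)
    if sms_perms:
        findings.append("requests SMS permissions: " + ", ".join(sms_perms))
    # 2. A receiver for incoming SMS; a high priority lets it see the message
    #    first and abort the broadcast so the user never sees the command
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            if SMS_ACTION in {attr(a, "name") for a in flt.iter("action")}:
                msg = "receiver %s handles SMS_RECEIVED" % attr(receiver, "name")
                if attr(flt, "priority") is not None:
                    msg += " with priority %s" % attr(flt, "priority")
                findings.append(msg)
    # 3. No LAUNCHER category anywhere: the app will not show a home-screen icon
    if not any(attr(c, "name") == "android.intent.category.LAUNCHER"
               for c in root.iter("category")):
        findings.append("no LAUNCHER activity: app shows no home-screen icon")
    return findings
```

Run it against the manifest pulled from a suspicious APK (for example with apktool) to get a list of the three red flags; a normal SMS client will legitimately trip the first two, which is why the permission advice above is about apps that have no reason to touch SMS.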