This is the latest variant of DroidKungFu.
To get a one-glance comprehensive view of the behavior of this spyware, refer to the Threat Diagram shown below.
This spyware arrives via a Trojanized version of the Android application OneKeyVpn (一键翻墙).
It gathers information such as the affected phone's brand and model, as well as the Android OS version installed. It also connects to C&C servers to receive commands.
This spyware may be manually installed by a user.
It arrives via a Trojanized version of the Android application OneKeyVpn (一键翻墙).
It gathers the following information and writes it to the file /system/etc/.rild_cfg:
It decrypts the file WebView.db.init, found in the assets folder of the malware APK file, and saves the decrypted version as /system/etc/.dhcpcd and /system/xbin/ccb. It then sets the permissions of the dropped file /system/xbin/ccb to full permissions for the file owner, and read and execute permissions for the others. It then executes the file /system/xbin/ccb.
It terminates the processes /system/bin/installd and /system/bin/dhcpcd. It then copies /system/bin/installd and /system/bin/dhcpcd to /system/bin/installdd and /system/bin/dhcpcdd, respectively, as backup. It then overwrites the original /system/bin/installd and /system/bin/dhcpcd with /system/xbin/ccb.
It creates the file /data/dhcpcd.lock as a marker to indicate that it has started to communicate with its C&C server. It then connects to the following C&C servers to receive backdoor commands:
It may receive the following backdoor commands:
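The file-system artifacts described above can be checked on a mounted or extracted copy of a device's /system and /data trees. The shell functions below are an added example, not code from this write-up or from Trend Micro; the function names, output labels and the image-root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up). ROOT is a directory holding
# the device's /system and /data trees, e.g. a mounted image (assumption).

# Files the write-up says this variant creates.
DKF_DROPPED="system/etc/.rild_cfg system/etc/.dhcpcd system/xbin/ccb
system/bin/installdd system/bin/dhcpcdd data/dhcpcd.lock"
# System binaries the write-up says are overwritten with /system/xbin/ccb.
DKF_REPLACED="system/bin/installd system/bin/dhcpcd"

# Hypothetical helper: prints one finding per line.
# Returns 1 if any artifact was found, 0 if the tree looks clean.
scan_droidkungfu_artifacts() {
    root=${1%/}
    found=0
    for rel in $DKF_DROPPED; do
        if [ -e "$root/$rel" ]; then
            echo "PRESENT /$rel"
            found=1
        fi
    done
    for rel in $DKF_REPLACED; do
        # A daemon byte-identical to the dropped payload has been overwritten.
        if [ -f "$root/$rel" ] && [ -f "$root/system/xbin/ccb" ] &&
           cmp -s "$root/$rel" "$root/system/xbin/ccb"; then
            echo "OVERWRITTEN /$rel"
            found=1
        fi
    done
    return $found
}

# Hypothetical helper: builds a constructed sample tree with placeholder bytes
# (no real malware) so the scan can be exercised offline.
build_sample_tree() {
    dir=$1
    mkdir -p "$dir/system/etc" "$dir/system/xbin" "$dir/system/bin" "$dir/data"
    printf 'constructed-payload' > "$dir/system/xbin/ccb"
    cp "$dir/system/xbin/ccb" "$dir/system/bin/installd"
    printf 'original-installd' > "$dir/system/bin/installdd"
    printf 'original-dhcpcd' > "$dir/system/bin/dhcpcd"
    : > "$dir/data/dhcpcd.lock"
}

# Scan the tree given on the command line, if any.
if [ "$#" -ge 1 ]; then
    scan_droidkungfu_artifacts "$1"
fi
```

A PRESENT line for a backup copy such as /system/bin/installdd remains meaningful even when /system/xbin/ccb has since been deleted, because the backup is only created as part of the overwrite step.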
Trend Micro Mobile Security Solution
Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.
Download and install the Trend Micro Mobile Security App via Google Play.
Remove unwanted apps on your Android mobile device
To remove unwanted apps on your mobile device: