By Dan Raywood November 04, 2011
Up to five variants of the ‘DroidKungFu’ mobile virus have been detected.
According to Axelle Apvrille, senior computer security engineer at Fortinet, all of the variants share the same malicious commands: they can download and install new software packages, start a program, open a given URL in the browser or delete a package.
In order to do this, all but variant A (which uses a unique server) contact the same three remote web servers.
“As for differences, mainly they rely on whether the sample uses exploits, whether the malicious functionalities are implemented natively, and whether the payload is encrypted with AES, and the key it uses,” said Apvrille.
A report by North Carolina State University from earlier this year said that DroidKungFu contains advanced techniques to avoid detection by mobile anti-virus software; in a test by assistant professor Xuxian Jiang and student Yajin Zhou, two leading mobile security apps failed to detect DroidKungFu.
According to Derek Manky, senior security strategist at Fortinet, DroidKungFu represents the next evolution in mobile malware: whereas Zeus in the Mobile (Zitmo) was able to intercept two-factor authentication, DroidKungFu does much more.
“By disguising itself as a legitimate VPN client application, the malware quickly gains root access to the device using social engineering. Once executed, DroidKungFu has the ability to download further malware, open URLs in a browser, start programs and delete files on the system,” he said.