Tuesday, June 7, 2011

DroidKungFu - just some piece of code

Following the trend of the moment, I played a bit with the DroidKungFu sample retrieved from the contagiodump malware sample repository. To obtain a JAR archive I extracted the Dalvik Executable (classes.dex) embedded in the APK (an APK is an ordinary ZIP container) and converted it with dex2jar (http://code.google.com/p/dex2jar/downloads/list). Once the JAR is obtained, it is very easy to get readable source with (for example) Java Decompiler.
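The extraction step above, as an added example that is not code from the original post: hash the sample (so the MD5 can be compared with the one cited for the variant), walk the APK as a ZIP, pull out every DEX by checking the Dalvik header magic rather than trusting file names, and flag entries that are themselves ZIP containers, which is how a second package dropped from assets/ would show up. The sample APK is constructed inline in build_sample_apk() (a fake manifest, a header-only classes.dex and a hypothetical nested payload named assets/payload.bin); no real sample is embedded.

```python
"""Quick static triage of an APK before handing classes.dex to dex2jar.

Added example, not code from the original post. build_sample_apk() constructs a
stand-in sample; pass a real APK path on the command line to triage that instead.
"""
import hashlib
import io
import sys
import zipfile

ZIP_MAGIC = b"PK\x03\x04"


def is_dex(blob: bytes) -> bool:
    """True if blob starts with the Dalvik header magic: b'dex\\n' + 3-digit version + NUL."""
    return (len(blob) >= 8 and blob[:4] == b"dex\n"
            and blob[4:7].isdigit() and blob[7:8] == b"\x00")


def classify(blob: bytes) -> str:
    """Classify by content, not by file name: renamed payloads are common in droppers."""
    if is_dex(blob):
        return "dex"
    if blob[:4] == ZIP_MAGIC:
        return "zip"      # a nested APK/JAR, whatever extension it carries
    return "other"


def triage_apk(apk_bytes: bytes) -> dict:
    """Hash the sample, walk the ZIP, pull out every dex and flag nested packages."""
    report = {
        "hashes": {a: hashlib.new(a, apk_bytes).hexdigest() for a in ("md5", "sha1", "sha256")},
        "entries": {},      # name -> {"kind": ..., "size": ...}
        "dex_blobs": {},    # name -> raw bytes, ready to be written out for dex2jar
        "nested": [],       # entries that are themselves ZIP containers
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info)
            kind = classify(blob)
            report["entries"][info.filename] = {"kind": kind, "size": len(blob)}
            if kind == "dex":
                report["dex_blobs"][info.filename] = blob
            elif kind == "zip":
                report["nested"].append(info.filename)
    return report


def build_sample_apk() -> bytes:
    """Constructed stand-in for a sample (not DroidKungFu): fake manifest, a
    header-only classes.dex, and a second package hidden under assets/ with a
    non-descriptive, hypothetical name."""
    fake_dex = b"dex\n035\x00" + b"\x00" * 0x68   # magic + zero padding only
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as izf:
        izf.writestr("classes.dex", fake_dex)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        zf.writestr("classes.dex", fake_dex)
        zf.writestr("assets/payload.bin", inner.getvalue())   # hypothetical name
    return outer.getvalue()


def main(argv):
    data = open(argv[1], "rb").read() if len(argv) > 1 else build_sample_apk()
    rep = triage_apk(data)
    for algo, digest in rep["hashes"].items():
        print(f"{algo}: {digest}")
    for name, meta in rep["entries"].items():
        print(f"{meta['kind']:5} {meta['size']:8d} {name}")
    for name, blob in rep["dex_blobs"].items():
        out = name.replace("/", "_")
        with open(out, "wb") as fh:
            fh.write(blob)          # next step: d2j-dex2jar.sh <out>
        print("wrote", out)
    if rep["nested"]:
        print("nested packages worth triaging separately:", rep["nested"])


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python triage.py sample.apk`; every extracted DEX is written next to the script for dex2jar, and any nested ZIP (a dropped package under assets/, for instance) is listed so it can be fed through the same loop. Classifying by magic bytes rather than extension is the part that matters: a dropper rarely names its second-stage package `.apk`.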
One of the more interesting things is that, at least in the variant I analyzed (MD5 39D140511C18EBF7384A36113D48463D), the reporting is done by a method named DoSearchReport, invoked from the component that impersonates the well-known Google Search gadget. It seems the malware installs this as a legacy app to keep persistence even after the rest of the malicious packages are removed from the device. This is easily readable in the source code, as shown in the following screenshots:

The screenshot above shows the beginning of the DoSearchReport method, where a custom method named updateInfo() is called. The following screenshot shows the place in DoSearchReport where all the data collected from the impacted device is sent via HTTP POST:

The data collected and sent to the URL are the following (extracted from the code):
Some info about the URL (from Robtex):

Other domains related to the IP address:

Playing a bit more with the URL above, I found this IP form request:

This variant seems to have been crafted for Chinese users; there is plenty of other evidence of this in the code.
