Security Alert: New Android Malware — DKFBootKit — Moves Towards The First Android BootKit

NQ Mobile Security Research Center has recently uncovered a new piece of malware, DKFBootKit. We identified it while monitoring and analyzing the evolution of earlier DroidKungFu variants. While it uses known techniques to piggyback malicious payloads onto legitimate apps, it deliberately chooses legitimate apps that require root privilege to facilitate its payload. Specifically, by taking advantage of the root privilege, DKFBootKit adds itself to the boot sequence of the Android system and replaces a number of utility programs (e.g., ifconfig and mount). By doing so, the malware gets started even before the Android framework is bootstrapped. To the best of our knowledge, this malware is the first of its kind in moving towards a full-fledged bootkit on Android, which represents a serious threat to mobile users. Based on our initial investigation, we have so far identified more than 100 infected samples, and this number appears to be still growing at the time of writing.

HOW IT WORKS

Based on our analysis, DKFBootKit repackages legitimate apps by enclosing its own malicious payloads in them. However, the victim apps it chooses to infect are utility apps that require root privilege to work properly. In the samples we analyzed, the infected apps range from ones managing apps installed on the phone and unlocking popular games to others providing license keys for some (premium) paid apps. These apps seem to have legitimate reasons to request root privilege for their own functionality, so it is reasonable to believe that users will likely grant it. However, DKFBootKit uses the granted root privilege for other malicious purposes, namely compromising system integrity. We believe DKFBootKit is much stealthier than the earlier DroidKungFu variants, which rely on existing exploits to gain root privilege. Below is a screenshot of one DKFBootKit-infected sample that purports to provide the license key for the paid version of a ROM management app.

Based on our study, DKFBootKit adds a common background service to victim apps, which, once run, releases a hidden executable program. This hidden program first checks whether it has root privilege; if not, it terminates itself. Otherwise, it remounts the system partition as writable, copies itself into the /system/lib directory, replaces several commonly used utility programs (e.g., ifconfig and mount), and alters related daemons (e.g., vold and debuggerd) and bootstrap-related scripts. The purpose appears to be to run before the Android framework is initialized to start other apps. Moreover, the malware contains a bot payload that phones home to several remote C&C servers and waits for further commands. It is worth mentioning that because DKFBootKit runs with root privilege, it can execute arbitrary commands. We are still actively monitoring the DKFBootKit C&C servers. An initial investigation of these servers shows that the related domains were registered in January 2012.
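As an added, defender-side example (not NQ Mobile's code), the following Python checks two of the indicators described above against a system image: whether /system is mounted read-write, and whether the utilities and daemons named in the report, or anything under lib/, differ from a known-good hash baseline. The /proc/mounts excerpt, file names and simulated tampering are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed /proc/mounts excerpt. /system mounted rw is a red flag: the
# malware remounts it writable before replacing utilities.
SAMPLE_MOUNTS = (
    "/dev/block/mtdblock0 /system yaffs2 rw,relatime 0 0\n"
    "/dev/block/mtdblock1 /data yaffs2 rw,nosuid,nodev 0 0\n"
)

def system_mounted_rw(mounts_text, mountpoint="/system"):
    """Parse /proc/mounts-style text; True if mountpoint carries 'rw'."""
    for line in mounts_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == mountpoint:
            return "rw" in f[3].split(",")
    return False

def build_baseline(root):
    """Map each file under a known-good image root to its SHA-256."""
    base = {}
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            with open(p, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            base[os.path.relpath(p, root).replace(os.sep, "/")] = digest
    return base

def verify(root, baseline):
    """Diff a live root against the baseline: modified, missing or new files."""
    current = build_baseline(root)
    findings = {r: "missing" for r in baseline if r not in current}
    findings.update({r: "modified" for r, h in current.items()
                     if r in baseline and baseline[r] != h})
    findings.update({r: "new" for r in current if r not in baseline})
    return findings

def demo():
    """Baseline a clean fake image (constructed), then simulate the
    tampering the report describes: replaced mount, new file in lib/."""
    root = Path(tempfile.mkdtemp())
    for d in ("bin", "lib"): (root / d).mkdir()
    for util in ["ifconfig", "mount", "vold", "debuggerd"]:
        (root / "bin" / util).write_bytes(b"clean " + util.encode())
    baseline = build_baseline(root)
    (root / "bin" / "mount").write_bytes(b"replaced")      # simulated swap
    (root / "lib" / "dropped.so").write_bytes(b"payload")  # simulated drop
    return verify(root, baseline)
```

On a real device the baseline would be taken from a pristine copy of the same ROM build, and the mount text from /proc/mounts.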

Mitigation:

Because DKFBootKit runs with root privilege and can be remotely controlled to install or remove apps without the user's knowledge, we believe it poses a serious threat to mobile users. To avoid becoming a victim, please follow common-sense guidelines for smartphone security:

1) Only download applications from trusted sources, reputable application stores and markets, and be sure to check reviews, ratings and developer information before downloading.

2) Never accept application requests from unknown sources. Closely monitor the permissions requested by any application; an application should not request permission to do more than what it offers in its official list of features.

3) Be alert for unusual behavior on the part of your mobile phone, and be sure to download a trusted security application that can scan the applications being downloaded onto your mobile device. NQ Mobile Security users are already fully protected from the DKFBootKit threat. NQ Mobile Security for Android is available for download at http://www.nq.com/mobilesecurity and on Android Market.
