DroidKungFu Malware Is Evolving

The NC State computer science researchers who first identified the DroidKungFu malware that targets Android users have now uncovered new variations of the malware, which have been modified in what appears to be an attempt to make them harder to detect.

“Though they are similarly repackaged and distributed in the form of ‘legitimate’ applications, these two variants are different from the original one by (1) re-implementing some of their malicious functionalities in native code (instead of Dalvik code based on Java); and (2) supporting two additional command and control (C&C) domains,” says Dr. Xuxian Jiang, an assistant professor at NC State whose team uncovered both DroidKungFu and the variants.

“The changes are possibly in place to make their detection and analysis harder. For example, the new variants bypass the detection from some leading anti-virus software that detect the original DroidKungFu. Also, they increase the difficulty of reverse engineering for analysis. We felt that these changes reflect the evolving malware development on Android, or smartphones in general.” The variants were found in alternative Chinese Android markets.

Jiang’s technical analysis of the new variants is available here. An overview of DroidKungFu is available here.

Jiang’s team also uncovered two additional pieces of Android malware last month, Plankton and YZHCSMS. In January, Jiang’s team identified a data-stealing vulnerability in Android 2.3 (Gingerbread).