DroidKungFu¶
Root exploit trojan discovered in 2011 by researchers at North Carolina State University. DroidKungFu used AES-encrypted exploit payloads and a two-stage infection chain that evolved across five major variants, progressively moving malicious code from Dalvik bytecode to native libraries to evade detection.
Overview¶
| Property | Value |
|---|---|
| First Seen | March 2011 |
| Type | Root exploit trojan / Backdoor |
| Attribution | Unknown (Chinese app market distribution) |
| Aliases | Backdoor.AndroidOS.KungFu (Kaspersky), Android.Gongfu (Dr.Web), Android.Fokonge (Symantec) |
Distribution¶
Repackaged legitimate games distributed through third-party Chinese app markets. Some samples reached the official Android Market.
Capabilities¶
| Capability | Implementation |
|---|---|
| Root exploits | AES-encrypted copies of rageagainstthecage (adb setuid/RLIMIT_NPROC bug; its "CVE-2010-EASY" tag was coined by the exploit author and is not an assigned CVE) and exploid (CVE-2009-1185, udev netlink); decrypted at runtime before execution |
| Payload delivery | Two-stage: the root exploit runs first, then an embedded payload (asset named "legacy") is silently installed as a fake Google Search app |
| Backdoor | Full C2 bot: install/uninstall apps, exfiltrate device data |
| Data exfiltration | IMEI, Android version, phone model, mobile number, network operator, SD card info |
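The packaging pattern in the table (encrypted native payloads and an embedded second-stage APK under assets/, code moved into native libraries) is what a first-pass static triage looks for. The following is an added example, not code from the original page or from the NCSU analysis: it walks an APK's zip entries, flags high-entropy assets, embedded APKs and native libraries, and accepts an optional decrypt callback so an analyst who has recovered the key can confirm a flagged asset decrypts to an ELF binary. The entropy cutoff, the file names in the constructed sample and the toy XOR stand-in used only to make the demo self-contained are assumptions; the real samples used AES.

```python
"""Static triage of an APK for DroidKungFu-style packaging (added example).

Heuristics, thresholds and the constructed sample below are assumptions for
illustration, not indicators taken from real samples.
"""
import io
import math
import random
import zipfile
from collections import Counter
from typing import Callable, Dict, List, Optional

ELF_MAGIC = b"\x7fELF"
ZIP_MAGIC = b"PK\x03\x04"
ENTROPY_THRESHOLD = 7.5   # bits/byte; AES output sits near 8.0 (assumed cutoff)
MIN_SIZE = 256            # entropy estimates on tiny files are noisy
ALREADY_COMPRESSED = (".png", ".jpg", ".jpeg", ".ogg", ".mp3", ".zip", ".apk")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_apk(data: bytes) -> bool:
    """True if data is a zip archive that carries an AndroidManifest.xml entry."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return "AndroidManifest.xml" in inner.namelist()
    except zipfile.BadZipFile:
        return False


def triage_apk(apk_bytes: bytes,
               decrypt: Optional[Callable[[bytes], bytes]] = None) -> List[Dict[str, str]]:
    """Return one finding per suspicious entry as {"file", "kind", "detail"}."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, data = info.filename, zf.read(info)
            lower = name.lower()
            if lower.startswith("lib/") and lower.endswith(".so"):
                # Logic moved from Dalvik bytecode into native code (KungFuB and later).
                detail = "ELF" if data.startswith(ELF_MAGIC) else "missing ELF magic"
                findings.append({"file": name, "kind": "native_library", "detail": detail})
            elif lower.startswith("assets/"):
                if looks_like_apk(data):
                    # Second-stage payload carried inside the first stage.
                    findings.append({"file": name, "kind": "embedded_apk",
                                     "detail": "zip with AndroidManifest.xml"})
                elif data.startswith(ELF_MAGIC):
                    findings.append({"file": name, "kind": "plaintext_elf",
                                     "detail": "unencrypted native binary in assets"})
                elif not lower.endswith(ALREADY_COMPRESSED) and len(data) >= MIN_SIZE:
                    ent = shannon_entropy(data)
                    if ent >= ENTROPY_THRESHOLD:
                        detail = f"entropy {ent:.2f} bits/byte"
                        if decrypt is not None:
                            try:
                                plain = decrypt(data)
                            except Exception:  # wrong key, bad padding, truncated data
                                plain = b""
                            detail += ("; decrypts to ELF" if plain.startswith(ELF_MAGIC)
                                       else "; decryption did not yield ELF")
                        findings.append({"file": name, "kind": "encrypted_blob", "detail": detail})
    return findings


def toy_xor(data: bytes) -> bytes:
    """Demo stand-in for the analyst's AES decrypt callback; NOT the malware's cipher."""
    return bytes(b ^ 0x5A for b in data)


def build_sample_apk() -> bytes:
    """Constructed sample archive, not a real malware sample."""
    rng = random.Random(2011)
    fake_exploit = ELF_MAGIC + bytes(rng.getrandbits(8) for _ in range(1024))
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("classes.dex", b"dex\n035\0")
        z.writestr("assets/bg.png", b"\x89PNG\r\n\x1a\n" + bytes(rng.getrandbits(8) for _ in range(512)))
        z.writestr("lib/armeabi/libnative.so", ELF_MAGIC + bytes(64))
        z.writestr("assets/ratc", toy_xor(fake_exploit))       # "encrypted" exploit blob
        z.writestr("assets/legacy", inner.getvalue())            # embedded second stage
        z.writestr("assets/readme.txt", b"hello world\n" * 40)   # low entropy, not flagged
    return out.getvalue()


if __name__ == "__main__":
    for f in triage_apk(build_sample_apk(), decrypt=toy_xor):
        print(f"{f['kind']:16} {f['file']:28} {f['detail']}")
```

Already-compressed formats (the `assets/bg.png` entry above) also score near 8 bits/byte, so the extension filter keeps them out of the encrypted-blob bucket; a real triage pass would additionally check magic bytes rather than trust extensions, since a renamed payload would slip through.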
Variant Evolution¶
| Variant | Key Change |
|---|---|
| KungFuA | Dalvik-based, single C2 server |
| KungFuB | Malicious code moved to native libraries, three C2 servers |
| KungFuC | Inherited from B with minor changes |
| KungFuD | Encrypted native binaries |
| KungFuE | Encrypted strings for additional obfuscation |
Each variant specifically targeted detection methods used against previous versions, demonstrating an early example of the cat-and-mouse dynamic between malware authors and security researchers.