The technique used is to install an application free of the trojan, then once installed, immediately notify the user that an update is available. This update will ask for additional privileges to access SMS and MMS messages, as well as the location data, and once the user agrees to give access, the trojan is installed.
Once installed on the system, the trojan gains root superuser privileges by using an exploit for Android 2.2.
F-Secure says that DroidKungFu will forward confidential details onto a remote server and is distributed on non-authorised Android app sites as trojanised versions of legitimate applications.
Full details including screenshots are available on F-Secure’s blog.
This is a rather interesting way to get malware onto a device. By updating an already-installed application, the malware makers are hoping that users are much less likely to check permission requests on an update.
The really pertinent part for developers is that F-Secure is unsure whether the original developer intended for their software to be used to distribute malware. F-Secure opines that it is possible that the developer’s back-end has been compromised.
How secure are your mobile deployment servers? Would you know if a third party compromised your APKs?