The technique is to have the user install an application that is free of the trojan and then, as soon as it is installed, notify the user that an update is available. The update asks for additional privileges to access SMS and MMS messages as well as location data, and once the user agrees to give access, the trojan is installed.
Once installed on the system, the trojan gains root superuser privileges by using an exploit for Android 2.2.
F-Secure says that DroidKungFu forwards confidential details to a remote server and is distributed on non-authorised Android app sites as trojanised versions of legitimate applications.
Full details including screenshots are available on F-Secure's blog.
This is a rather interesting way to get malware onto a device. By updating an already-installed application, the malware makers are hoping that users are much less likely to check permission requests on an update.
The really pertinent part for developers is that F-Secure is unsure whether the original developer intended for their software to be used to distribute malware. F-Secure opines that it is possible that the developer's back-end has been compromised.
How secure are your mobile deployment servers? Would you know if a third party compromised your APKs?
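One way to catch the permission jump described above before an update leaves your deployment server is to diff the permissions of the last approved release against the APK about to be served. The sketch below is an added example, not code from F-Secure or the article; it assumes you have captured the text output of `aapt dump permissions` for both APKs, and the package name and dumps shown are constructed sample data.

```python
import re

# Permission groups the article says the trojanised update asks for
# (SMS, MMS, location), expressed as standard Android permission names.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_MMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

# Accepts both line styles aapt has printed over the years:
#   uses-permission: android.permission.INTERNET
#   uses-permission: name='android.permission.INTERNET'
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?")

def parse_permissions(aapt_output):
    """Return the set of permissions requested in one aapt dump."""
    perms = set()
    for line in aapt_output.splitlines():
        match = _PERM_RE.match(line.strip())
        if match:
            perms.add(match.group(1))
    return perms

def review_update(approved_dump, candidate_dump):
    """Compare a candidate APK against the last approved release."""
    added = parse_permissions(candidate_dump) - parse_permissions(approved_dump)
    sensitive = added & SENSITIVE
    return {"added": sorted(added),
            "sensitive_added": sorted(sensitive),
            "block": bool(sensitive)}  # hold the release for manual review

# Constructed sample dumps for a hypothetical package com.example.app.
APPROVED = """package: com.example.app
uses-permission: android.permission.INTERNET
uses-permission: android.permission.ACCESS_NETWORK_STATE
"""
CANDIDATE = """package: com.example.app
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_MMS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.VIBRATE'
"""

if __name__ == "__main__":
    print(review_update(APPROVED, CANDIDATE))
```

Run against the APK actually being served rather than the build output, the same check flags an artifact that was swapped on the back end after release approval.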