Up to five variants of the ‘DroidKungFu' mobile virus have been detected.
According to Derek Manky, senior security strategist at Fortinet, all of the variants share the same malicious commands, can download and install new software packages, start a program, open a given URL in the browser or delete a package.
In order to do this, all but variant A (which uses a unique server) contact the same three remote web servers.
“As for differences, mainly they rely on whether the sample uses exploits, whether the malicious functionalities are implemented natively, and whether the payload is encrypted with AES, and the key it uses,” said Manky.
A report by North Carolina State University from earlier this year said that DroidKungFu contains advanced techniques to avoid detection by mobile anti-virus software, and a test on two leading mobile security apps by assistant professor Xuxian Jiang and student Yajin Zhou failed to detect DroidKungFu.
Manky further said that DroidKungFu represents the next evolution in mobile malware – as where Zeus in the Mobile (Zitmo) was able to intercept two-factor authentication, DroidKungFu does much more.
“By disguising itself as a legitimate VPN client application, the malware quickly gains root access to the device using social engineering. Once executed, DroidKungFu has the ability to download further malware, open URLs in a browser, start programs and delete files on the system,” he said.