GroDDViewer: DroidKungFu1

Sample name: 881ee009e90d7d70d2802c3193190d973445d807

Malware Family

Undesired application installation

Sample description:

The first thing we observe on the System Flow Graph (SFG) is a process named gjsvro. gjsvro is executed twice, but both executions are represented by a single node on the graph. During the first execution, gjsvro tries to obtain root privileges with the udev exploit: if the exploit succeeds, the content of /proc/sys/kernel/hotplug (the path of the user-space helper the kernel runs on hotplug events) is replaced so that gjsvro is executed with root privileges during the second execution. This exploit does not work on our test device, however, because the vulnerability has been patched in recent Android versions. Since the exploit failed, the malware falls back on the su binary to launch gjsvro a second time with root privileges. The second execution begins by clearing the content of /proc/sys/kernel/hotplug, because the malware assumes the exploit worked; this explains the flow from the process to that file on the graph. Next, the same process writes two files into the system partition: gjsvr in /system/bin and com.google.ssearch.apk in /system/app. Their locations show that both are payloads meant to be installed persistently on the device: com.google.ssearch.apk is read by the processes in charge of installing new applications, and a new process with the same name then reads data from this APK.
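The behaviour above (a hotplug-helper overwrite, a fallback to su, then files dropped into /system/bin and /system/app) is easy to flag from the same process/file interactions the SFG is built from. The following Python is an added example and is not part of GroDDViewer or of the sample; the event format, the process IDs and the log lines are constructed here to model the two runs of gjsvro described in the text, and the paths and su locations checked are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of process/file interactions, one per line, in the
# assumed form "<pid> <process> <op> <path>". This is NOT GroDDViewer
# output; it models the two executions of gjsvro described above plus
# one benign event so the detector has something to ignore.
SAMPLE_EVENTS = """\
1234 gjsvro write /proc/sys/kernel/hotplug
1234 gjsvro exec /system/bin/su
1301 gjsvro write /proc/sys/kernel/hotplug
1301 gjsvro write /system/bin/gjsvr
1301 gjsvro write /system/app/com.google.ssearch.apk
1402 system_server read /system/app/com.google.ssearch.apk
1500 com.android.calendar read /data/data/com.android.calendar/databases/calendar.db
"""

EVENT_RE = re.compile(r"^(\d+)\s+(\S+)\s+(read|write|exec)\s+(\S+)$")


@dataclass
class Event:
    pid: int
    process: str
    op: str
    path: str


def parse_events(text: str) -> List[Event]:
    """Parse the constructed event format; reject malformed lines loudly."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unparsable event: {line!r}")
        pid, proc, op, path = m.groups()
        events.append(Event(int(pid), proc, op, path))
    return events


# Indicators derived from the description: the kernel hotplug helper path,
# the system-partition directories the sample drops files into, and the
# su binary used as a fallback (the xbin location is an assumption).
HOTPLUG_HELPER = "/proc/sys/kernel/hotplug"
SYSTEM_DROP_DIRS = ("/system/bin/", "/system/app/")
SU_BINARIES = {"/system/bin/su", "/system/xbin/su"}


def detect(events: List[Event]) -> Dict[str, List[str]]:
    """Return findings keyed by process name; benign processes get none."""
    findings: Dict[str, List[str]] = {}

    def add(proc: str, msg: str) -> None:
        findings.setdefault(proc, []).append(msg)

    for ev in events:
        if ev.op == "write" and ev.path == HOTPLUG_HELPER:
            # Both runs touch the helper: the first sets it, the second clears it.
            add(ev.process, f"pid {ev.pid} modified {HOTPLUG_HELPER} (hotplug helper hijack)")
        elif ev.op == "write" and ev.path.startswith(SYSTEM_DROP_DIRS):
            add(ev.process, f"pid {ev.pid} dropped {ev.path} into the system partition")
        elif ev.op == "exec" and ev.path in SU_BINARIES:
            add(ev.process, f"pid {ev.pid} executed {ev.path} (privilege escalation via su)")
    return findings


def distinct_pids(events: List[Event], process: str) -> List[int]:
    """PIDs behind one graph node, since the SFG merges same-name processes."""
    return sorted({ev.pid for ev in events if ev.process == process})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for proc, msgs in detect(evs).items():
        print(f"{proc} (pids {distinct_pids(evs, proc)}):")
        for msg in msgs:
            print("  -", msg)
```

Running it reports gjsvro only, with the two hotplug writes, the su execution and the two system-partition drops, and shows the two PIDs hidden behind the single gjsvro node. On a real device the same indicators can be checked after the fact: the content of /proc/sys/kernel/hotplug should be empty or point at the stock helper, and nothing in /system/bin or /system/app should be writable by, or newer than, an application installed by the user.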

File details:

  • MD5 : 7f5fd7b139e23bed1de5e134dda3b1ca
  • SHA256 : 54f3c7f4a79184886e8a85a743f31743a0218ae9cc2be2a5e72c6ede33a4e66e
  • Size : 141.4 KB
Graph legend (System Flow Graph):

  • process
  • file
  • socket