In February 2012, we blogged about Android.Bmaster (a.k.a. Rootstrap), which infected hundreds of thousands of devices. At that time, it was the largest mobile botnet documented. Recently, the Bmaster botnet has been overtaken by the newly uncovered MDK botnet. Kingsoft, which dubbed the threat Android.Troj.mdk, believes it is hidden in more than 7,000 apps and has infected up to one million devices.
Symantec’s analysis suggests the MDK Trojan is a new variant of Android.Backscript. Our detection for this threat family has been in place since September 2012. The code of MDK is very similar to Android.Backscript, and both use the same certificate to sign their APKs. However, unlike the previous versions, this new variant uses the Advanced Encryption Standard (AES) algorithm to encrypt data, such as servers and commands, in a file.
Figure 1. The same certificate used by MDK and Android.Backscript
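The shared signing certificate is a useful detection pivot: any APK signed with the family's key can be flagged regardless of which game it was repackaged into. Below is an added example (not Symantec's code) that extracts the signer certificates from an APK's META-INF signature block with a minimal DER walker and checks their SHA-256 fingerprints against a blocklist; the sample APK, the dummy certificate bytes and the blocklist value are constructed stand-ins, since the real fingerprint is not given on this page.

```python
import hashlib
import io
import zipfile
def _der(tag: int, body: bytes) -> bytes:
    """Short-form DER TLV encoder, used only to build the constructed sample below."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body
def _children(value: bytes):
    """Yield (tag, value, raw_tlv) for each DER element inside a constructed value."""
    pos = 0
    while pos < len(value):
        start, tag, length = pos, value[pos], value[pos + 1]
        pos += 2
        if length & 0x80:                                   # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        yield tag, value[pos:pos + length], value[start:pos + length]
        pos += length
def certs_from_pkcs7(der: bytes) -> list:
    """Raw DER certificates inside a PKCS#7 SignedData blob (an APK's META-INF/*.RSA)."""
    _, content_info, _ = next(_children(der))               # ContentInfo SEQUENCE
    _, explicit0, _ = list(_children(content_info))[1]      # [0] EXPLICIT after contentType OID
    _, sd_value, _ = next(_children(explicit0))             # SignedData SEQUENCE
    for tag, val, _ in _children(sd_value):
        if tag == 0xA0:                                     # certificates [0] IMPLICIT
            return [raw for t, _, raw in _children(val) if t == 0x30]
    return []
def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()
def apk_signer_fingerprints(apk) -> set:
    """SHA-256 of every signing certificate in an APK given as a path or as bytes."""
    src = io.BytesIO(apk) if isinstance(apk, bytes) else apk
    with zipfile.ZipFile(src) as z:
        return {fingerprint(c) for name in z.namelist()
                if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC"))
                for c in certs_from_pkcs7(z.read(name))}
def is_signed_by_blocklisted_cert(apk, blocklist: set) -> bool:
    return bool(apk_signer_fingerprints(apk) & blocklist)

# Constructed sample: a SignedData shell around a dummy cert SEQUENCE (not a real X.509 cert).
ID_SIGNED_DATA, ID_DATA = bytes.fromhex("2A864886F70D010702"), bytes.fromhex("2A864886F70D010701")
DUMMY_CERT = _der(0x30, _der(0x04, b"constructed-cert-body"))
SIGNED_DATA = _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, _der(0x06, ID_DATA))
              + _der(0xA0, DUMMY_CERT) + _der(0x31, b""))      # version, digestAlgs, encap, certs, signers
SAMPLE_RSA = _der(0x30, _der(0x06, ID_SIGNED_DATA) + _der(0xA0, SIGNED_DATA))  # ContentInfo

def build_sample_apk() -> bytes:
    """Minimal constructed APK (a zip) carrying only the sample signature block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", SAMPLE_RSA)
    return buf.getvalue()
```

In practice the blocklist holds the SHA-256 of the family's real signing certificate, and the same walker works on the v1 signature block of any APK pulled from a third-party market.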
Figure 2. File containing encrypted servers and commands
Once installed, the Trojan enables the attacker to remotely control users’ devices, consequently allowing the attacker to harvest user data, download additional APKs, and generate nuisance adware. The following server is used to download scripts and additional APKs:
The Trojan has been repackaged into legitimate apps, including popular games such as Temple Run and Fishing Joy, to lull users into installing the malware. The Trojan also uses dynamic loading, data encryption, and code obfuscation to evade detection.
Figure 3. Trojanized Temple Run, malicious service “m” started to decrypt data
Symantec detects this MDK botnet as Android.Backscript. Our detection has caught more than 11,000 malicious apps. The infections appear to be confined to China as the Trojanized apps are mostly found on Chinese third-party markets.
Android users can stay safe by only downloading apps from well-known and trusted app vendors, and by installing a security app, such as Norton Mobile Security or Symantec Mobile Security, on the device. For general smartphone and tablet safety tips, please visit our Mobile Security website.