NVISO ApkScan malware analysis report

May 22, 2019

 
General information
File name: NewKingrootV4.52_C127_B227_xda_release_2015_09_28_105243_.apk
Other known file names: Kingroot_v4.5_.2_build928_(One_Click_Root)_.apk, NewKingrootV4.5_.2_.apk
Origin: Manually uploaded by anonymous user [2019-01-02 20:09:28]
MD5 hash: 9660d89810ceaeba61b382f55d4ed35e
SHA256 hash: cc4bcff8991af0293d14c6354c087d9d422fd309e5b12dc7c324a3aef527c27f
File size: 5463.61 KB
Worker: NVISO_API_KALI_01
Static malware analysis
Android manifest (AndroidManifest.xml)
Permissions
ACCESS_MOCK_LOCATION Allows an application to create mock location providers for testing
ACCESS_NETWORK_STATE Allows applications to access information about networks
ACCESS_WIFI_STATE Allows applications to access information about Wi-Fi networks
BLUETOOTH Allows applications to connect to paired bluetooth devices
CAMERA Required to be able to access the camera device.
CHANGE_NETWORK_STATE Allows applications to change network connectivity state
CHANGE_WIFI_MULTICAST_STATE Allows applications to enter Wi-Fi Multicast mode
CHANGE_WIFI_STATE Allows applications to change Wi-Fi connectivity state
DIAGNOSTIC Allows applications to RW to diagnostic resources.
GET_PACKAGE_SIZE Allows an application to find out the space used by any package.
GET_TASKS Allows an application to get information about the currently or recently running tasks.
INSTALL_PACKAGES Allows an application to install packages.
INTERNET Allows applications to open network sockets.
MOUNT_UNMOUNT_FILESYSTEMS Allows mounting and unmounting file systems for removable storage.
READ_LOGS Allows an application to read the low-level system log files.
READ_PHONE_STATE Allows read only access to phone state.
RECEIVE_BOOT_COMPLETED Allows an application to receive the ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting.
SYSTEM_ALERT_WINDOW Allows an application to open windows using the type TYPE_SYSTEM_ALERT, shown on top of all other applications.
ACCESS_CACHE_FILESYSTEM Unknown permission (no description in the scanner's permission map)
ACCESS_MTK_MMHW Unknown permission (the MTK prefix indicates a vendor-specific MediaTek permission)
activityCalled Unknown permission (not a platform permission name; app- or vendor-defined)
REQUEST Unknown permission (not a platform permission name; app- or vendor-defined)
WAKE_LOCK Allows using PowerManager WakeLocks to keep processor from sleeping or screen from dimming
WRITE_EXTERNAL_STORAGE Allows an application to write to external storage.
Services
Class com.kingroot.kinguser.service.SuNotifyService
Class com.kingroot.kinguser.service.SuService
Class com.kingroot.kinguser.service.KingRootAppListService
Class com.kingroot.kinguser.service.KuCommonService
VirusTotal scan results
Ad-Aware: Android.Riskware.Downloader.gMKLE
AegisLab: Android.Kingroot.Gen!c
AhnLab-V3: Android-AppCare/Kingroot.10206
Antiy-AVL: Trojan/Android.TSGeneric
Avast-Mobile: APK:RepMalware [PUP]
AVware: PUP.AndroidOS.kingroot
BitDefender: Android.Riskware.Downloader.gMKLE
CAT-QuickHeal: Android.DroidRooter.A (PUP)
ClamAV: Andr.Malware.Agent-1575530
Cyren: AndroidOS/GenPua.9660D898!Olympus
Emsisoft: Android.Riskware.Downloader.gMKLE (B)
ESET-NOD32: a variant of Android/DroidRooter.AG potentially unsafe
F-Secure: Android.Riskware.Downloader
Fortinet: Riskware/Generic.Z.4F41C2!Android
GData: Android.Riskware.Downloader.gMKLE
Ikarus: PUA.AndroidOS.DroidRooter
MAX: malware (ai score=79)
McAfee: Artemis!9660D89810CE
McAfee-GW-Edition: Artemis
MicroWorld-eScan: Android.Riskware.Downloader.gMKLE
NANO-Antivirus: Trojan.Android.Rooter.drlftw
Sophos: Android KingRoot (PUA)
Symantec: Trojan.Gen.2
SymantecMobileInsight: Hacktool:Lotoor
Zoner: Trojan.AndroidOS.Spy.D
Most vendors classify the sample as riskware or a potentially unwanted rooting tool (DroidRooter, Lotoor, KingRoot) rather than as a trojan; the generic "Trojan" and "Spy" labels are the minority.
Disassembled source code
Hardcoded URLs
Dynamic malware analysis
Screenshot or animated GIF of the analysed application

Random artificial input is provided to the scanned applications during dynamic analysis, in order to mimic a human being using and interacting with the application. This can result in our report showing a different screen than the one you would see when starting the application.

Disk activity
Accessed files
The 118 paths recorded during the run are grouped here by type.

Own private directory (/data/data/com.kingroot.kinguser/):
applib/libNativeRQD.so
app_kpex/kp_plugin_kingroot.p
applib/kmPlugins.apk
applib/kd
applib/su
files/40251.dat
applib/libhxy.so
applib/ktools
applib/otasurvival.sh
shared_prefs/switchStats.xml
files/tsset.dat
files/kulibs.conf
shared_prefs/DENGTA_META.xml
shared_prefs/actionStats.xml
files/cl.conf
shared_prefs/RootManagerSetting.xml
files/xda_config.dat
files/40246.xdat

Other packages' private data (isolated by the per-app sandbox; readable only with elevated privileges or if the file was created world-readable):
/data/data/com.android.gallery3d/shared_prefs/com.android.gallery3d_preferences.xml
/data/data/com.android.vending/shared_prefs/finsky.xml

System paths:
/data/anr/traces.txt
/dev/input/event0

Process enumeration (/proc/<pid>/cmdline read for 67 processes): pids 1227, 24, 1145, 41, 11, 1189, 274, 1418, 734, 39, 1343, 28, 589, 1316, 623, 512, 1, 1313, 12, 27, 463, 30, 1318, 1271, 10, 35, 40, 1419, 1025, 478, 37, 34, 4, 42, 33, 695, 3, 1094, 9, 1366, 1243, 584, 352, 7, 491, 273, 1256, 1405, 826, 26, 785, 1131, 1011, 29, 5, 675, 25, 6, 1300, 13, 272, 14, 656, 2, 8, 46, 45

Anonymous pipes (29): pipe:[3603], pipe:[3627], pipe:[3629], pipe:[5082], pipe:[3730], pipe:[3634], pipe:[3702], pipe:[3701], pipe:[5090], pipe:[3628], pipe:[3765], pipe:[3604], pipe:[4948], pipe:[3586], pipe:[3766], pipe:[3633], pipe:[3584], pipe:[3585], pipe:[3721], pipe:[3694], pipe:[3653], pipe:[3703], pipe:[3693], pipe:[3654], pipe:[3635], pipe:[3655], pipe:[3605], pipe:[3722], pipe:[3731]

The files in the application's own applib directory carry names consistent with rooting tooling (su, kd, ktools, otasurvival.sh) alongside two native libraries (libNativeRQD.so, libhxy.so) and a plugin archive (kmPlugins.apk). Reading the cmdline of nearly every process on the device is process enumeration. The two reads of other packages' shared_prefs files are the only cross-sandbox accesses in the list.
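Grouping a file-access list like the one above is something an analyst repeats for every report. The following script is an added example (not part of the NVISO report or of KingRoot): it parses the report's flattened "Filename<path>" lines, assigns each path to a triage category, and emits the observations worth recording. The input is a constructed excerpt of this report's list; the tooling watchlist is an assumption of the example, not something ApkScan defines.

```python
"""Triage an ApkScan 'Accessed files' list by what each read tells an analyst.

Added example, not part of the NVISO report or of KingRoot. It groups each
path into a category (own private data, another package's private data,
/proc/<pid>/cmdline reads, anonymous pipes, device nodes, other) and turns
the grouping into triage notes. The input is a constructed excerpt of the
list in this report; the package name is the one the report shows.
"""
import re
from collections import defaultdict

OWN_PACKAGE = "com.kingroot.kinguser"

# Constructed excerpt of the report's list, in the report's flattened format.
SAMPLE = """\
Filename/data/data/com.kingroot.kinguser/applib/libNativeRQD.so
Filename/data/data/com.kingroot.kinguser/applib/su
Filename/data/data/com.kingroot.kinguser/applib/otasurvival.sh
Filename/proc/1227/cmdline
Filenamepipe:[3603]
Filename/proc/1/cmdline
Filename/dev/input/event0
Filename/data/anr/traces.txt
Filename/data/data/com.android.gallery3d/shared_prefs/com.android.gallery3d_preferences.xml
Filename/data/data/com.android.vending/shared_prefs/finsky.xml
"""

PROC_CMDLINE = re.compile(r"^/proc/(\d+)/cmdline$")
APP_DATA = re.compile(r"^/data/data/([^/]+)/")
# Basenames in the app's own directory that warrant a note (assumption: a
# small watchlist an analyst would keep, not something ApkScan defines).
TOOLING_NAMES = {"su", "ktools", "kd"}

def classify(path, own_package=OWN_PACKAGE):
    """Return the triage category for one accessed path."""
    if PROC_CMDLINE.match(path):
        return "proc_cmdline"
    if path.startswith("pipe:"):
        return "pipe"
    if path.startswith("/dev/"):
        return "device"
    m = APP_DATA.match(path)
    if m:
        return "own_data" if m.group(1) == own_package else "other_app_data"
    return "other"

def triage(text, own_package=OWN_PACKAGE):
    """Parse 'Filename<path>' lines and group the paths by category."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if line.startswith("Filename"):
            path = line[len("Filename"):].strip()
            groups[classify(path, own_package)].append(path)
    return dict(groups)

def findings(groups):
    """Turn the grouping into the observations an analyst would record."""
    notes = []
    pids = [PROC_CMDLINE.match(p).group(1) for p in groups.get("proc_cmdline", [])]
    if pids:
        notes.append(f"enumerated {len(pids)} processes via /proc/<pid>/cmdline "
                     f"(pids {', '.join(pids)})")
    for p in groups.get("other_app_data", []):
        # Private app data is isolated by the per-app sandbox; a read here
        # implies elevated privileges or a world-readable file.
        notes.append(f"read another package's private data: {p}")
    for p in groups.get("own_data", []):
        name = p.rsplit("/", 1)[-1]
        if name in TOOLING_NAMES or name.endswith(".sh"):
            notes.append(f"root/shell tooling in own data dir: {p}")
    for p in groups.get("device", []):
        notes.append(f"opened device node: {p}")
    return notes

if __name__ == "__main__":
    for note in findings(triage(SAMPLE)):
        print(note)
```

Run it against the full list (paste the report's lines into SAMPLE or read them from a file) and the cross-sandbox reads and process enumeration surface immediately, without scrolling through a hundred /proc entries.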
Network activity
Opened network connections
Destination: 203.205.146.45:80 (file descriptor 63)
Destination: 203.205.146.45:80 (file descriptor 152)
Both connections go to the same host on port 80 (conventionally unencrypted HTTP); the report records no hostname for it.
Automatically placed calls and text messages
Placed phone calls
No phone calls were placed automatically.
Sent SMS messages
No text messages were sent automatically.
Cryptographic activity
Used encryption keys
Algorithm: AES
Key (decimal byte values): 51, 69, 66, 52, 67, 67, 67, 51, 57, 53, 67, 68, 67, 67, 50, 50, 57, 69, 51, 52, 48, 48, 57, 52, 70, 49, 65, 57, 55, 49, 66, 50
Decoded as ASCII: "3EB4CCC395CDCC229E340094F1A971B2" (32 bytes, i.e. a 32-character upper-case hex string used directly as an AES-256 key)

Algorithm: DES
Key (decimal byte values): 42, 94, 64, 75, 35, 75, 64, 33
Decoded as ASCII: "*^@K#K@!" (8 bytes, the single-DES key size)

Algorithm: DES
Key (decimal byte values): 83, 40, 64, 76, 64, 76, 64, 41
Decoded as ASCII: "S(@L@L@)" (8 bytes, the single-DES key size)

Key material was observed, but no encryption or decryption operation was recorded during the run, so the data these keys protect was not captured. Fixed keys of this kind can be recovered from the APK and reused by anyone holding it, and single DES offers only a 56-bit effective key.
Encryption operations
No cryptographic activity detected.
Decryption operations
No cryptographic activity detected.
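The keys above are printed as decimal byte values, and the AES key is itself a hex string, which leaves open whether the application used the 32 ASCII bytes directly or meant the 16 bytes they encode. The script below is an added example (not part of the NVISO report or of KingRoot) that parses the report's "Algorithm"/"Key" line pairs, rebuilds the key bytes, checks the length against the algorithm's valid key sizes, and flags hex-looking keys so a decryption attempt tries both forms. The key-size table assumes JCE algorithm names as ApkScan prints them.

```python
"""Decode the key material in an ApkScan 'Used encryption keys' section.

Added example, not part of the NVISO report. The report lists each key as
decimal byte values; this turns them back into bytes, checks the length
against the algorithm's valid key sizes and flags keys that are themselves
hex strings, since those may have been meant to be unhexed first. The
input is the report's three keys, embedded as a constructed string.
"""
import re

REPORT_KEYS = """\
AlgorithmAES
Key51, 69, 66, 52, 67, 67, 67, 51, 57, 53, 67, 68, 67, 67, 50, 50, 57, 69, 51, 52, 48, 48, 57, 52, 70, 49, 65, 57, 55, 49, 66, 50
AlgorithmDES
Key42, 94, 64, 75, 35, 75, 64, 33
AlgorithmDES
Key83, 40, 64, 76, 64, 76, 64, 41
"""

# Valid key lengths in bytes (assumption: JCE algorithm names as ApkScan prints them).
KEY_SIZES = {
    "AES": {16: "AES-128", 24: "AES-192", 32: "AES-256"},
    "DES": {8: "single DES (56-bit effective key)"},
    "DESede": {16: "2-key 3DES", 24: "3-key 3DES"},
}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def parse_keys(text):
    """Yield (algorithm, key_bytes) from 'Algorithm<name>' / 'Key<n, n, ...>' line pairs."""
    algo = None
    for line in text.splitlines():
        if line.startswith("Algorithm"):
            algo = line[len("Algorithm"):].strip()
        elif line.startswith("Key") and algo is not None:
            values = [int(n) for n in re.findall(r"\d+", line[len("Key"):])]
            yield algo, bytes(values)
            algo = None

def describe(algo, key):
    """Classify one key: variant by length, ASCII form, and hex ambiguity."""
    printable = all(0x20 <= b < 0x7F for b in key)
    ascii_form = key.decode("ascii") if printable else None
    # A key that is itself a hex string is ambiguous: the hook saw the ASCII
    # bytes used directly, but the developer may have meant the unhexed bytes.
    # Record the unhexed length so decryption attempts try both forms.
    is_hex = ascii_form is not None and len(key) % 2 == 0 and HEX_RE.match(ascii_form) is not None
    return {
        "algorithm": algo,
        "length": len(key),
        "variant": KEY_SIZES.get(algo, {}).get(len(key), "non-standard length"),
        "ascii": ascii_form,
        "hex_decoded_length": len(key) // 2 if is_hex else None,
    }

def analyse(text=REPORT_KEYS):
    """Describe every key in the report text."""
    return [describe(algo, key) for algo, key in parse_keys(text)]

if __name__ == "__main__":
    for entry in analyse():
        print(entry)
```

For the AES entry the script reports a 32-byte AES-256 key whose unhexed form would be 16 bytes (AES-128); when a captured blob fails to decrypt with the bytes the hook saw, the unhexed form is the next thing to try.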
Information leakage
Network information leakage
No network information leakage detected.
SMS information leakage
No SMS information leakage detected.
File information leakage
No file information leakage detected.
Miscellaneous
Started services
Service name: com.kingroot.kinguser.service.SuService
Output generated by ADB logcat
Download ADB logcat file (text format - 4189 KB)