To infect a mobile device, the Rootcager/DroidDream Trojan used two known exploits: exploid and rageagainstthecage. If the first one failed to root the device, the malware would attempt to use the second one.
According to researchers from Lookout, another malicious application that uses the exploid exploit has turned up masked as a legitimate calling plan management application on unofficial Chinese app markets.
What’s more, a version of the app has also been spotted on the Android Market. But, while the first one contains a binary called zHash that attempts to root a device using the aforementioned exploit, the one found on the official market has the same binary but lacks the code required to invoke the exploit.
Lookout warns that the mere existence of the zHash binary on the device leaves it vulnerable to future exploits. “The app’s use of the backdoor shell is extremely limited and not clearly malicious, however, zHash creates a hole in the security layer of the phone, leaving it vulnerable to other applications wanting to take advantage of the device. If the device was successfully rooted by this app, any other app on the device could gain root access without the user’s knowledge.”
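The hole Lookout describes is a leftover root-capable binary that any installed app can reach. The following is an added example, not code from the original article or from Lookout, of a simple inventory check a defender could run over a device's file listing to flag that residue. It assumes (the article does not state this) that the "backdoor shell" takes the form of a setuid-root executable left in an app-writable location, and that the dropped binary keeps the name zHash; the sample inventory is constructed and the `FileEntry`, `classify` and `scan` names are the example's own.

```python
"""Added example (not from the original article or from Lookout): an
inventory check that flags the residue a rooting app can leave behind.

Assumptions, not stated in the article: the leftover "backdoor shell" is
a setuid-root executable, and the dropped binary keeps the name zHash.
"""
import stat
from dataclasses import dataclass
from typing import Dict, List

# Indicator names, as an assumption for illustration (case-insensitive).
SUSPECT_NAMES = {"zhash"}

# Locations an ordinary installed app can write to. A setuid-root
# executable under one of these is not something a stock image leaves.
APP_WRITABLE_PREFIXES = ("/data/data/", "/data/local/tmp/", "/sdcard/")


@dataclass
class FileEntry:
    path: str
    uid: int    # numeric owner; 0 is root
    mode: int   # st_mode bits, including the setuid and execute flags


def is_setuid_root(entry: FileEntry) -> bool:
    """True if the file is root-owned, setuid, and executable by someone."""
    executable = entry.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return entry.uid == 0 and bool(entry.mode & stat.S_ISUID) and bool(executable)


def classify(entry: FileEntry) -> List[str]:
    """Return the reasons this entry is suspicious (empty list if none)."""
    reasons = []
    name = entry.path.rsplit("/", 1)[-1].lower()
    if name in SUSPECT_NAMES:
        reasons.append("known rooting binary name")
    if is_setuid_root(entry) and entry.path.startswith(APP_WRITABLE_PREFIXES):
        reasons.append("setuid-root executable in app-writable path")
    return reasons


def scan(entries: List[FileEntry]) -> Dict[str, List[str]]:
    """Map each flagged path to the reasons it was flagged."""
    findings = {}
    for entry in entries:
        reasons = classify(entry)
        if reasons:
            findings[entry.path] = reasons
    return findings


# Constructed sample inventory; not data from a real device.
SAMPLE = [
    FileEntry("/system/bin/sh", 0, 0o100755),                              # normal system shell
    FileEntry("/data/data/com.example.calls/files/zHash", 10042, 0o100755),  # dropped binary
    FileEntry("/data/local/tmp/sh", 0, 0o104755),                          # setuid-root shell left behind
    FileEntry("/data/data/com.example.other/files/cache.bin", 10043, 0o100644),
]

if __name__ == "__main__":
    for path, why in scan(SAMPLE).items():
        print(f"{path}: {', '.join(why)}")
```

On a real device the inventory would come from a file-system walk with ownership and mode bits; the check is deliberately narrow (name plus setuid-root in app-writable paths) so that legitimate system binaries under `/system` are not reported.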
Lookout says that Google has since removed the application from the Android Market and once again used its remote kill switch, but the problem remains for users who downloaded the app from an unofficial market – there the app is still available and working.