Last June, several complaints appeared on various Chinese forums about a suspicious program signed with a certificate from Xunlei, which is, according to ESET, the most-used torrent client in the world, with more than 100 million peer IDs. In comparison, the better-known uTorrent peaks at 92 million peer IDs.
The news spread rapidly and ended up in the headlines of many Chinese websites – though it was never reported outside of China.
Xunlei is basically a download accelerator: it offers a searchable index of billions of media files that users can download with the proprietary Xunlei software. When a user starts a download via its browser or torrent client, it chooses the best possible location for the file in order to maximize the download speed.
KanKan is not overtly malicious. However, it acts as a backdoor – a way to obtain persistence on the system (it registers an Office plugin with no Office functionalities). It also silently installs mobile applications on Android phones connected to the computer via USB – which is, of course, suspicious in and of itself.
“According to our analysis, all these applications provide real features to the user,” said ESET researcher Joan Calvet. “Three of them are Android markets, which allow the user to download various applications onto his phone. We were not able to find any clearly malicious features in these applications. It is still worth noticing, though, that their code is heavily obfuscated.”
The last one, still available on Google Play at the time of writing, allows the user to make phone calls at what it says are advantageous rates. “Nevertheless, it exhibits some suspicious features, like regular contacts with URLs known to distribute adware for Android phones,” Calvet said.
The use of a fake Office plugin to gain persistence, the ability to silently install Android applications, and the backdoor functionalities, "confirm the validity of the concerns of Chinese users and explains why ESET detects this program as malicious, under the name Win32/Kankan,” according to Calvet.
“There are still some open questions, like the original infection vector and the exact reason the Android applications were installed,” Calvet added. “Finally, the degree to which Xunlei Networking Technologies were implicated is hard to tell from the outside.”
For affected users, Xunlei has released an uninstaller.