We recently received a sample of Android malware currently circulating on the Web, known as DroidDreamLight. Once executed on an infected device, this malware steals the following mobile-specific information and uses it for malicious activities:
- Device model
- Language and Country
- International Mobile Equipment Identity (IMEI)
- International Mobile Subscriber Identity (IMSI)
- SDK version
- List of installed apps
It also connects to several URLs in order to phone home and upload the gathered data. This malware also comes with a config file named prefer.dat where encrypted URLs are stored. The said file is located in the asset folder of the package.
It uses the string ‘DDH#X%LT’ as its decryption key. The config file looks like this when decrypted:
As of this writing, the said URLs are not accessible.
This malware is triggered when the android.intent.action.PHONE_STATE intent is received, such as when a user receives or makes a voice call. Once triggered, it initiates its own service called CoreService.
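The three static indicators the write-up names (the prefer.dat asset, the PHONE_STATE trigger and the CoreService name) can be pulled out of an APK for triage. The following is an added Python example, not code from the original post; the APK it inspects is constructed inline, and the manifest search is a byte-level heuristic because a real AndroidManifest.xml inside an APK is binary XML.

```python
import io
import zipfile

# Indicators taken from the write-up above: the encrypted config in the assets
# folder, the intent the malware is triggered by, and the service it starts.
CONFIG_ASSET = "assets/prefer.dat"
TRIGGER_INTENT = "android.intent.action.PHONE_STATE"
SERVICE_NAME = "CoreService"


def _manifest_contains(manifest: bytes, needle: str) -> bool:
    # The manifest inside an APK is binary XML whose string pool is stored
    # as either UTF-8 or UTF-16LE, so look for both encodings of the string.
    return needle.encode("utf-8") in manifest or needle.encode("utf-16-le") in manifest


def triage_apk(apk_bytes: bytes) -> dict:
    """Return which of the indicators an APK (a zip file) exhibits."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = set(apk.namelist())
        manifest = apk.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    return {
        "config_asset": CONFIG_ASSET in names,
        "phone_state_trigger": _manifest_contains(manifest, TRIGGER_INTENT),
        "core_service": _manifest_contains(manifest, SERVICE_NAME),
    }


def looks_suspicious(report: dict) -> bool:
    # Only the combination matches the behaviour described above; any one
    # indicator alone is common in benign apps (many legitimately listen
    # for PHONE_STATE), so flag only when all three are present.
    return all(report.values())


def build_sample_apk(with_indicators: bool) -> bytes:
    """Constructed stand-in APK for offline testing (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        if with_indicators:
            manifest = (
                f'<receiver><intent-filter><action android:name="{TRIGGER_INTENT}"/>'
                f'</intent-filter></receiver><service android:name=".{SERVICE_NAME}"/>'
            ).encode("utf-16-le")  # mimic a UTF-16 string pool
            apk.writestr("AndroidManifest.xml", manifest)
            apk.writestr(CONFIG_ASSET, b"\x00constructed-opaque-bytes\x00")
        else:
            apk.writestr("AndroidManifest.xml", b'<manifest package="com.example.benign"/>')
            apk.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk(True)))
```

On a real APK the manifest check should be replaced by a proper binary-XML parser (for example the one in androguard) before the result is trusted.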
Users can check whether their phone is infected by ANDROIDOS_DORDRAE.L by going to Settings > Applications > Running Services.
Infected users can manually remove the malware from their system by going to Settings > Applications > Manage Applications and uninstalling this malicious app. For more information, you may refer to Trend Micro’s Threat Encyclopedia entry for ANDROIDOS_DORDRAE.L.
Trend Micro also offers protection for Android mobile devices through Mobile Security for Android™.
Because of the “open” nature of the Android Market, users are likely to encounter Android malware posing as legitimate Android apps. Cybercriminals can craft malicious apps, easily upload them to the Android Market, and make them available to ordinary users. To know more about mobile security, specifically how to avoid downloading and installing fake Android apps, users may refer to our comprehensive report 5 Simple Steps to Secure Your Android-Based Smartphones.
Additional data provided by Kervin Alintanahin and Julius Dizon.