We recently found a new variant of DroidDreamLight in the Android Market. The app promotes itself as an application which helps users manage APK files on their device. The sample was downloaded 50-100 times before it was removed from the Android Market.
The malware sample we found, detected as ANDROIDOS_DORDRAE.M, is inside an app called App Installer. Once executed, the main class of the app starts the malware service called AppUseService.
The malware service still runs even if the app is not executed. It can be started when an Intent called android.intent.action.PHONE_STATE is triggered, which is every time the device makes or receives a call. It gets the following information from the device and then uploads it to its server when it phones home.
- Device model
- Device language setting
- IMEI number
- IMSI number
- List of installed apps, together with each app's name, package name, and package version
Previous DroidDreamLight variants save the encrypted configuration using the file names prefer.dat and game.tol in the asset folder. The sample we analyzed uses the file name small.use and DES encryption with the same decryption/encryption key as before – “DDH#X%LT”.
Below is what the decrypted configuration file looks like:
However, during the time of our analysis, the servers could no longer be accessed.
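As an added illustration (not the malware's code and not Trend Micro's tooling), the routine an analyst would use to decrypt such a configuration asset with the key quoted above, written in Go. Because the post does not state the cipher mode, it assumes DES in ECB mode with PKCS#5 padding, the default behaviour of Java's `Cipher.getInstance("DES")`; the sample plaintext is constructed, not the real small.use contents.

```go
package main

import (
	"bytes"
	"crypto/des"
	"errors"
	"fmt"
)

const ddlKey = "DDH#X%LT" // key quoted in the write-up for the config files

// ecb applies a single-block DES op to every block of src; crypto/des has no ECB helper.
func ecb(op func(dst, src []byte), src []byte) []byte {
	dst := make([]byte, len(src))
	for i := 0; i < len(src); i += des.BlockSize {
		op(dst[i:i+des.BlockSize], src[i:i+des.BlockSize])
	}
	return dst
}

// pkcs5Pad appends PKCS#5 padding; used only to build the constructed sample.
func pkcs5Pad(b []byte) []byte {
	n := des.BlockSize - len(b)%des.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// DecryptConfig decrypts a DES/ECB/PKCS5 blob. ECB and PKCS5 are assumptions
// (Java's Cipher "DES" default); padding is checked so a wrong key fails loudly.
func DecryptConfig(ciphertext []byte, key string) ([]byte, error) {
	block, err := des.NewCipher([]byte(key))
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of DES blocks")
	}
	plain := ecb(block.Decrypt, ciphertext)
	n := int(plain[len(plain)-1])
	if n == 0 || n > des.BlockSize || !bytes.Equal(plain[len(plain)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong key or corrupted file")
	}
	return plain[:len(plain)-n], nil
}

func main() {
	block, _ := des.NewCipher([]byte(ddlKey))
	enc := ecb(block.Encrypt, pkcs5Pad([]byte("server=http://config.example/\n"))) // constructed sample
	dec, err := DecryptConfig(enc, ddlKey)
	fmt.Printf("%q %v\n", dec, err)
}
```

To analyse a real sample, read the asset file's bytes and pass them to DecryptConfig; if the mode assumption is wrong, the padding check reports it rather than returning garbage.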
The DroidDreamLight malware does not employ exploits, so it needs user intervention to install its downloaded components. To do this, we think that the malware tries to trick the user into thinking that the app being downloaded or installed is an update for an installed app. Based on its code, the malware is capable of showing download/update notifications. That way, all it has to do is use the name of an application on the retrieved list of applications and display the notification with a malicious link from the server.
Users can check if their phones are infected by going to Settings>Applications>Running Services.
Moreover, users can manually remove the malware from their system by going to Settings>Applications>Manage Applications to uninstall the infected app.
Trend Micro offers protection for users of Android mobile devices. Users may download Trend Micro™ Mobile Security for Android™.
Users are likely to encounter other Android malware posing as legitimate apps due to the Android Market’s “open” nature. To learn more about how to secure your Android mobile devices, users may refer to our report 5 Simple Steps to Secure Your Android-Based Smartphones.