We saw several key developments in the new variant of DroidDreamLight, which we were able to analyze earlier this month. This new variant, found in a China-based third-party application store, poses as applications such as a battery monitoring tool, a task listing tool, and an application that lists the permissions used by installed applications. Note, though, that the apps are in English, so potential victims are not limited to users who understand Chinese.
For one, there were major changes in its code:
Another important update is the addition of information theft routines. Based on our analysis, this new variant can steal certain information from the device, such as:
- SMS messages (inbox and outbox)
- Call log (incoming and outgoing)
- Contacts list
- Information related to Google accounts stored in the device
Stolen information is stored and compressed in the /data/data/%package name%/files directory, and then uploaded to another URL that is also contained in a configuration file.
Just like with previous variants, it also connects to a URL in the configuration file and then uploads other information about the infected device:
- Phone model
- Language setting
- SDK version
- Package name of the malicious application
- Information about installed applications
Once the URL receives the information, it will reply with an encrypted configuration file, which updates the existing configuration file. Below is a screenshot of its code:
Also, based on its code, this malware has the ability to insert messages in the inbox of the affected device, with the sender and message body specified by the attacker, as well as the ability to send messages to numbers in the contacts list.
Furthermore, this new variant also has code that can check whether the affected device has been rooted by checking for certain files. We found that this malware can install and uninstall packages if the device is rooted, although there is currently no code in the body that calls these methods.
Users can check whether their phone is infected by going to Settings>Applications>Running Services and looking for the service called “CelebrateService”.
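The same check can be run over a captured service listing instead of the Settings screen. The following is an added example, not code from the original post: it assumes the listing was saved from `adb shell dumpsys activity services` and that each service appears as a `ServiceRecord{...}` line; the package names in the sample are constructed.

```python
import re

# Service name published in the post as the infection indicator.
IOC_SERVICE = "CelebrateService"

# Assumed line format: "* ServiceRecord{40523a38 com.foo/.Bar}" or, with a
# user field, "* ServiceRecord{41a3b2c8 u0 com.foo/com.foo.svc.Bar}".
SERVICE_RECORD = re.compile(
    r"ServiceRecord\{[0-9a-fA-F]+\s+(?:u\d+\s+)?([\w.]+)/([\w.$]+)\}"
)

def find_ioc_services(dumpsys_text, ioc=IOC_SERVICE):
    """Return sorted (package, full class name) pairs whose service class is `ioc`."""
    hits = set()
    for pkg, cls in SERVICE_RECORD.findall(dumpsys_text):
        # A leading dot means the class name is relative to the package.
        full = pkg + cls if cls.startswith(".") else cls
        # Compare the simple class name exactly, so that a longer name such
        # as "CelebrateServiceHelper" is not reported.
        if full.rsplit(".", 1)[-1] == ioc:
            hits.add((pkg, full))
    return sorted(hits)

# Constructed sample output; package names are made up for illustration.
SAMPLE = """\
ACTIVITY MANAGER SERVICES (dumpsys activity services)
  * ServiceRecord{40523a38 com.android.phone/.BluetoothHeadsetService}
    intent={cmp=com.android.phone/.BluetoothHeadsetService}
  * ServiceRecord{4061f2d0 com.example.batterymonitor/.CelebrateService}
    intent={cmp=com.example.batterymonitor/.CelebrateService}
  * ServiceRecord{41a3b2c8 u0 com.example.tasklist/com.example.tasklist.core.CelebrateService}
  * ServiceRecord{40aa0010 com.example.party/.CelebrateServiceHelper}
"""

if __name__ == "__main__":
    for pkg, cls in find_ioc_services(SAMPLE):
        print(f"suspect package: {pkg} (service {cls})")
        # Staging directory for stolen data, as described in the post.
        print(f"  inspect staging dir: /data/data/{pkg}/files")
```

A hit identifies the package to uninstall and the /data/data/%package name%/files directory to examine for staged data.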
This Android malware is now detected as AndroidOS_DORDRAE.N.
For more information on Android threats, users can check our Android threats infograph as well as our ebook “5 Simple Steps to Secure Your Android-Based Smartphones.”