The Latest in IT Security

Massive Code Change for New DroidDreamLight Variant

16
Sep
2011

We saw several key developments in the new variant of DroidDreamLight, which we were able to analyze earlier this month. This new variant, found in a China-based 3rd party application store, comes off as applications such as a battery monitoring tool, task listing tool, and an application that lists the permissions used by installed applications. Please note though that the apps are in English, so potential victims are not limited to users who understand Chinese.

For one, there were major changes in its code:

Another important update is the addition of information theft routines. Based on our analysis, this new variant can steal certain information from the device, such as:

  • SMS messages (inbox and outbox)
  • Call log (incoming and outgoing)
  • Contacts list
  • Information related to Google accounts stored in the device

Stolen information is stored and compressed in the /data/data/%package name%/files directory, and then uploaded to a URL contained in a configuration file.

Stolen information is stored and compressed in the /data/data/%package name%/files directory, and then uploaded to another URL, that is also contained in a configuration file.

Just like with previous variants, it also connects to a URL in the configuration file and then uploads other information about the infected device:

  • Phone model
  • Language setting
  • Country
  • IMEI
  • IMSI
  • SDK version
  • Package name of the malicious application
  • Information about installed applications

Once the URL receives the information, it will reply with an encrypted configuration file, which updates the existing configuration file. Below is a screenshot of its code:

Also, based on its code, this malware has the ability to insert messages in the inbox of the affected device, with the sender and message body specified by the attacker, as well as the ability to send messages to numbers in the contacts list.

Furthermore, this new variant also has codes that can check if the affected device has been rooted by checking for certain files. We found that this malware can install and uninstall packages if the device is rooted, although there is currently no code in the body that calls these methods.

Users can check their phone if they are infected by going to Settings>Applications>Running Services and look for the service called “CelebrateService”

This Android malware is now detected as AndroidOS_DORDRAE.N.

For more information on Android threats, users check our Android threats infograph as well as our ebook “5 Simple Steps to Secure Your Android-Based Smartphones.”

Leave a reply


Categories

SATURDAY, DECEMBER 07, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments