Jul 7, 2011, 4:27 am (UTC-7) | by Kervin Alintanahin (Threats Analyst)
We recently discussed a new Trojanized Android app sample. Today, we will discuss yet another one. This new Android malware is known as GoldDream and is detected by Trend Micro as ANDROIDOS_SPYGOLD.A.
The particular app that was Trojanized in this attack was a racing game called “Fast Racing.” For a game, this Trojanized version requests a lot of permissions, far more than a comparable legitimate game typically needs.
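The excessive-permission observation above is the kind of check a reviewer can automate before installing an app from an alternative market. The script below is an added example and not code from the post or from Trend Micro: it pulls the `<uses-permission>` entries from an `AndroidManifest.xml`, compares them with a baseline of what an offline racing game plausibly needs, and explains which capability each out-of-baseline permission grants. The manifest embedded in it is constructed for illustration; it is not the real GoldDream manifest, and its permission names were chosen to match the behaviours the post describes (SMS interception, call logging, device-identifier collection, a service started at boot), not taken from the sample.

```python
"""Permission triage for an Android manifest (added example, not from the post).

Reads <uses-permission> entries and reports the ones a simple game has no
business requesting. The manifest below is CONSTRUCTED for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a reviewer would consider unremarkable for a simple game
# (ads, leaderboards, haptics, keeping the screen on).
GAME_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.VIBRATE",
    "android.permission.WAKE_LOCK",
}

# Permissions that enable the behaviours the post describes, mapped to the
# capability each one grants so the report says *why* it is suspicious.
SENSITIVE = {
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.READ_SMS": "read stored text messages",
    "android.permission.SEND_SMS": "send text messages without user action",
    "android.permission.CALL_PHONE": "place calls without user interaction",
    "android.permission.READ_PHONE_STATE": "read device ID / subscriber ID / SIM serial",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start a service when the phone boots",
    "android.permission.READ_CONTACTS": "harvest the address book",
    "android.permission.INSTALL_PACKAGES": "install other apps",
}

# Constructed sample manifest; package name and permission set are hypothetical.
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fastracing">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Fast Racing">
        <service android:name=".Market"/>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names requested in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {
        elem.get(name_attr)
        for elem in root.iter("uses-permission")
        if elem.get(name_attr)
    }


def triage(manifest_xml, baseline=GAME_BASELINE):
    """Split requested permissions into expected, sensitive and merely unexpected.

    'sensitive' maps each permission to the capability it grants; 'unexpected'
    holds permissions outside the baseline that are not in the sensitive list
    and so still deserve a manual look.
    """
    requested = requested_permissions(manifest_xml)
    sensitive = {p: SENSITIVE[p] for p in requested if p in SENSITIVE}
    return {
        "expected": sorted(requested & baseline),
        "sensitive": sensitive,
        "unexpected": sorted(requested - baseline - set(sensitive)),
    }


if __name__ == "__main__":
    report = triage(CONSTRUCTED_MANIFEST)
    print("expected:  ", report["expected"])
    print("unexpected:", report["unexpected"])
    for perm, why in sorted(report["sensitive"].items()):
        print(f"SENSITIVE   {perm}: {why}")
```

The baseline is deliberately a small allow-list rather than a block-list: anything a game requests beyond it is worth a question, and the sensitive map only adds the explanation. Extracting the manifest from an APK (for example with `aapt dump xmltree` or `apktool`) is left outside the block since those tools are not part of the post.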
When the infected phone boots, the malware starts a service called Market, probably a trick that the malware writer crafted to make the user think it is harmless.
Like previously found Android malware, GoldDream monitors affected users’ incoming text messages. Once a message is received, it records the message contents and sender information and writes them to a .TXT file called zjsms.txt. Logs of incoming and outgoing calls are also kept and saved as zjphonecall.txt.
This malware is also capable of communicating with a remote command-and-control (C&C) server, which is currently located at http://{BLOCKED}r.gicp.net. Unlike previously detected Android malware, which used hard-coded server URLs, this one connects to alternative servers if instructed to by its current C&C server. It can also update itself, which may be an attempt to evade detection and removal.
Regardless of which C&C server it is using, it can “phone home” and send device information such as the device ID, subscriber ID, and SIM serial number to http://{C&C server}/zj/RegistUid.aspx?. It can also upload files, including the call and SMS logs, to http://{C&C server}/zj/upload/UploadFiles.aspx, and receive commands from the server by accessing http://{C&C server}/zj/allotWorkTask.aspx. In addition to changing servers and downloading updates, it can receive the following commands:
- install/uninstall apps
- make a call
- send a text message
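The three server-side paths and the two on-device log files named above are the most durable indicators in this write-up: the post says the C&C host can be swapped on command, so a detection keyed on the hostname would lose the sample as soon as it is redirected, while the `/zj/...` paths and the `zjsms.txt` / `zjphonecall.txt` file names are baked into the app. The script below is an added example, not code from the post or from Trend Micro. It matches the C&C paths (case-insensitively, since IIS serves `.aspx` paths without regard to case) against a squid-style proxy access log and groups hits per client, and it flags the two artifact file names in a list of device paths. The log lines are constructed; the host `cnc.example.invalid` is a placeholder, not the real C&C domain, and the access-log layout is assumed to be squid's native format.

```python
"""Detection of GoldDream network and file indicators (added example, not from the post).

Matches the C&C paths the post lists against proxy access-log lines and flags
the on-device log files it names. All sample data below is CONSTRUCTED.
"""
import posixpath
import re
from urllib.parse import urlsplit

# Path-based indicators taken from the post, mapped to what each stage does.
# The host is deliberately not part of the signature: the post says the
# malware can be redirected to other servers by its current C&C.
CNC_PATHS = {
    "/zj/RegistUid.aspx": "device registration (device ID, subscriber ID, SIM serial)",
    "/zj/upload/UploadFiles.aspx": "upload of SMS / call logs",
    "/zj/allotWorkTask.aspx": "command retrieval",
}

# On-device files the post names as the SMS and call logs.
ARTIFACT_FILES = ("zjsms.txt", "zjphonecall.txt")

# Minimal parser for a squid native access.log line (assumed layout):
# <timestamp> <elapsed_ms> <client_ip> <result_code> <bytes> <method> <url> ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Constructed log: one device (10.0.0.12) runs through all three C&C stages,
# interleaved with benign traffic from it and from another client.
CONSTRUCTED_LOG = """\
1309996020.123 210 10.0.0.12 TCP_MISS/200 512 GET http://cdn.example.invalid/game/assets.zip - DIRECT/203.0.113.5 application/zip
1309996025.456 180 10.0.0.12 TCP_MISS/200 128 GET http://cnc.example.invalid/zj/RegistUid.aspx?id=CONSTRUCTED - DIRECT/203.0.113.9 text/html
1309996031.789 950 10.0.0.12 TCP_MISS/200 64 POST http://cnc.example.invalid/zj/upload/UploadFiles.aspx - DIRECT/203.0.113.9 text/html
1309996040.001 170 10.0.0.12 TCP_MISS/200 96 GET http://cnc.example.invalid/zj/allotWorkTask.aspx - DIRECT/203.0.113.9 text/html
1309996045.002 160 10.0.0.77 TCP_MISS/200 2048 GET http://news.example.invalid/index.html - DIRECT/203.0.113.20 text/html
"""


def classify_url(url):
    """Return the C&C stage whose path matches the URL, or None.

    Only the path is compared, so query strings and hostnames do not matter.
    """
    path = urlsplit(url).path.lower()
    for cnc_path, stage in CNC_PATHS.items():
        if path == cnc_path.lower():
            return stage
    return None


def scan_access_log(text):
    """Return (client, method, url, stage) tuples for lines hitting a C&C path."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-squid line; skip rather than fail
        stage = classify_url(m.group("url"))
        if stage:
            hits.append((m.group("client"), m.group("method"), m.group("url"), stage))
    return hits


def infected_clients(hits):
    """Group hits by client IP so each device appears once with the stages seen."""
    per_client = {}
    for client, _method, _url, stage in hits:
        per_client.setdefault(client, set()).add(stage)
    return per_client


def find_artifacts(paths):
    """Return the device paths whose file name is one of the known log files."""
    return [p for p in paths if posixpath.basename(p) in ARTIFACT_FILES]


if __name__ == "__main__":
    for client, stages in infected_clients(scan_access_log(CONSTRUCTED_LOG)).items():
        print(f"{client}: {', '.join(sorted(stages))}")
    # Constructed file listing, e.g. from a device backup.
    listing = ["/sdcard/zjsms.txt", "/sdcard/music/track01.mp3",
               "/data/data/com.example.fastracing/files/zjphonecall.txt"]
    for p in find_artifacts(listing):
        print(f"artifact: {p}")
```

Seeing the registration path alone is a weak signal on its own, but a client that registers, uploads and then polls for tasks in sequence, as in the constructed log, is exactly the pattern the post describes and warrants pulling the device for inspection.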
It appears that Android malware writers have added new features that used to be only common in the desktop environment to their mobile threats.
For more information on threats affecting Android devices, you may check our report, Fake Apps Affect ANDROID OS Users.
Update on July 7, 2011, 7:50 AM PST: The Android malware analyzed in this post is the same malware discussed in the post Security Alert: New Android Malware—GoldDream—Found in Alternative App Markets.
July 7th, 2011 at 7:31 am
I'm very disappointed that Kervin Alintanahin did not acknowledge the person who actually discovered the GoldDream malware, a professor at NC State named Xuxian Jiang. Nor did Kervin acknowledge that the discovery was first announced by the university — two days before this post: http://web.ncsu.edu/abstract/technology/wms-golddream/
We don't expect much, but a simple acknowledgment would be appreciated.
Yours,
Matt S.
July 7th, 2011 at 8:00 am
Hi, Matt, we're truly sorry about this. We added an acknowledgement at the bottom of the post.
July 7th, 2011 at 1:28 pm
Please fix the dead pic objects.
July 7th, 2011 at 9:05 pm
Hi, Matt,
The reference was actually in Kervin's original submission but it got edited out during processing. My apologies for that.
Hi, Robert,
Thanks for the heads-up.
July 8th, 2011 at 5:07 am
Hi, Macky and Kervin:
The way I read the current post, it does not look like you are acknowledging my work.
In fact, unless I'm too rushed reading through it, it only says it uses the same sample as in my original post. It does not mention at all who is behind the discovery (http://www.cs.ncsu.edu/faculty/jiang/GoldDream).
Also, if your analysis is based on a sample that was requested from me, please acknowledge it as well. My intention is to notify AV companies in advance to extract malware signatures and improve the security products. It is certainly not intended to have someone present the discovery without even mentioning the original source. (In fact, there are several media articles that already mis-credit the finding to your company, including the ones in GMA news and yahoo news. An earlier report from The Inquirer has already been corrected.)
Thanks,
–Xuxian
August 16th, 2011 at 2:13 pm
Thank you for this, but is there any software for Android that you recommend to get rid of malware?
September 2nd, 2011 at 11:08 pm
I just hope AVs will soon be as good as they are on PCs.
Until then I guess we have to take care…