    We recently received a sample of Android malware known as DroidDreamLight that is currently circulating on the Web. Once executed on an infected device, this malware steals mobile-specific information that it then uses for malicious activities.

    Similar to previous information-stealing Android malware, DroidDreamLight, detected by Trend Micro as ANDROIDOS_DORDRAE.L, gathers the following specific information from an infected mobile phone:

    • Device model
    • Language and country
    • International Mobile Equipment Identity (IMEI) number
    • International Mobile Subscriber Identity (IMSI) number
    • Software development kit (SDK) version
    • List of installed apps

    The malware also connects to several URLs in order to “phone home” and upload the stolen data. It comes with a config file named prefer.dat, in which it stores these URLs in encrypted form. This file is found in the Asset folder of the package.


    It uses the string “DDH#X%LT” as the decryption key. The config file looks like this when decrypted:


    As of this writing, the said URLs are no longer accessible.

    The malware’s execution is triggered when the android.intent.action.PHONE_STATE intent is received, such as when a user receives a voice call. Once triggered, it starts its own service called CoreService.
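
    The three static traits described above (a prefer.dat config asset, a PHONE_STATE trigger, and a service named CoreService) can be checked in an APK without running it. The following triage script is an added example, not Trend Micro's tooling; it assumes the "Asset folder" is the standard assets/ directory of the package, and the sample input is a constructed zip, not a real app.

```python
import io
import zipfile

# Indicators taken from the write-up above.
CONFIG_ASSET = "assets/prefer.dat"  # assumption: "Asset folder" = standard assets/ dir
TRIGGER_INTENT = "android.intent.action.PHONE_STATE"
SERVICE_NAME = "CoreService"


def _contains(blob: bytes, text: str) -> bool:
    """Compiled manifests store strings as UTF-8 or UTF-16LE, so check both."""
    return text.encode("utf-8") in blob or text.encode("utf-16-le") in blob


def triage_apk(apk) -> dict:
    """Report which indicators an APK (path or file object) carries."""
    with zipfile.ZipFile(apk) as zf:
        names = set(zf.namelist())
        manifest = zf.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    hits = {
        "config_asset": CONFIG_ASSET in names,
        "phone_state_trigger": _contains(manifest, TRIGGER_INTENT),
        "core_service": _contains(manifest, SERVICE_NAME),
    }
    # PHONE_STATE receivers are common in legitimate apps, so only the
    # combination of all three traits is flagged for analyst review.
    hits["suspicious"] = all(hits.values())
    return hits


def build_sample(asset: bool, manifest_strings: list, utf16: bool = True) -> io.BytesIO:
    """Constructed input: a minimal zip with an APK-like layout, not a real app."""
    enc = "utf-16-le" if utf16 else "utf-8"
    body = b"\x00\x00".join(s.encode(enc) for s in manifest_strings)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + body)
        if asset:
            zf.writestr(CONFIG_ASSET, b"\x00" * 16)  # placeholder bytes
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(triage_apk(build_sample(True, [TRIGGER_INTENT, "com.example.CoreService"])))
    print(triage_apk(build_sample(False, [TRIGGER_INTENT, "com.example.DialerService"])))
```

    A match is a reason to look closer at the app, not a verdict; the names checked are the ones reported for this sample only.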

    Users can check if their mobile phones have been infected by ANDROIDOS_DORDRAE.L by going to Settings > Applications > Running Services.


    Users of infected devices can manually remove the malware by going to Settings > Applications > Manage Applications and uninstalling the malicious app. For more information, you may refer to the Threat Encyclopedia entry for ANDROIDOS_DORDRAE.L.

    Trend Micro also offers protection for users of Android mobile devices via the Trend Micro™ Mobile Security for Android™.

    Because of the Android Market’s “open” nature, users are likely to encounter Android malware posing as legitimate apps. Cybercriminals can craft malicious apps and easily upload them to the Android Market, making them available to ordinary users. To know more about mobile security, specifically to prevent downloading and installing fake Android apps, users may refer to our comprehensive report, “5 Simple Steps to Secure Your Android-Based Smartphones.”

    Additional data provided by Kervin Alintanahin and Julius Dizon
