TrendLabs Malware Blog - Trend Micro

Author Archive - Mark Balanza (Threats Analyst)

We were recently able to analyze the routines of the latest DroidKungFu variant, detected as ANDROIDOS_KUNGFU.CI. While we were monitoring the traffic between ANDROIDOS_KUNGFU.CI and its remote server, we chanced upon a command to delete a certain package.

In the captured command, the server instructs the malware to delete a package called com.practical.share. We have seen other commands sent from the server, such as commands to update the malware's native code, install an APK, or open a URL. But this is the first time we've seen the server tell the malware to delete a package, and we're not entirely sure why it does this routine.

I did some research on the package and found that the deleted package is a new DroidDreamLight variant. The DroidDreamLight family is known to show notifications as part of its social engineering routine, to trick the user into clicking on the notifications to download a new component or update itself.

Read the rest of this entry »

Posted in Mobile | 1 TrackBack »

We saw several key developments in the new variant of DroidDreamLight, which we were able to analyze earlier this month. This new variant, found in a China-based third-party app store, poses as apps such as a battery-monitoring tool, a task-listing tool, and an app that lists the permissions used by installed apps. Note, though, that the apps come in English, so potential victims are not limited to users who understand Chinese.

For one, there were major changes in its code.

Another important update is the addition of information theft routines. Based on our analysis, this new variant can steal the following information from the device:

• SMS (inbox and outbox)
• Call logs (incoming and outgoing)
• Contact list
• Information related to Google accounts stored on the device

Read the rest of this entry »


We recently found a new variant of DroidDreamLight in the Android Market. The app promotes itself as a tool that helps users manage the .APK files on their device. The sample was downloaded 50–100 times before it was removed from the Android Market.

The malware sample we found, which we now detect as ANDROIDOS_DORDRAE.M, was inside an app called App Installer. Once executed, the main class of the app starts the malware service, called AppUseService.

The malware service keeps running even when the app itself is not being used. It starts when an Intent called android.intent.action.PHONE_STATE is triggered, which happens every time the device makes or receives a call. It gathers the following information from the device and uploads it to its server when it phones home:

• Device model
• Device language setting
• Country
• IMEI number
• IMSI number
• List of installed apps, together with their names, package names, and package versions

Previous DroidDreamLight variants saved the encrypted configuration under the file names prefer.dat and game.tol in the Asset folder. The sample we analyzed uses the file name small.use and DES encryption with the same encryption/decryption key as before, DDH#X%LT.

Below is what the decrypted configuration file looks like:

However, at the time of our analysis, the servers could no longer be accessed.

Read the rest of this entry »


Last week, we reported on ANDROIDOS_NICKISPY.A and ANDROIDOS_NICKISPY.B, Android malware that recorded phone calls made from infected devices and then sent the stolen information to a remote site.

This week, we saw another Android malware with the same code structure as ANDROIDOS_NICKISPY.A. Like that variant, it does not display an icon and executes similar routines, save for some modifications.

Detected by Trend Micro products as ANDROIDOS_NICKISPY.C, it uses the following services:

• MainService
• AlarmService
• SocketService
• GpsService
• CallRecordService
• CallLogService
• UploadService
• SmsService
• ContactService
• SmsControllerService
• CommandExecutorService
• RegisterService
• CallsListenerService
• KeyguardLockService
• ScreenService
• ManualLocalService
• SyncContactService
• LocationService
• EnvRecordService

This malware comes in the guise of Google+, Google's most recent foray into the social networking scene, in an attempt to hide from affected users. All the above-mentioned services use the Google+ icon. The app itself is installed under the name Google++.

Read the rest of this entry »


Android malware that monitors messages sent to infected devices from specific numbers has frequently been seen in the past. Such malware typically intercepts messages from premium numbers in order to keep affected users from suspecting that their devices are infected. The Android malware we recently saw, however, takes a different approach: it monitors for certain keywords in the text messages received by infected devices instead.

The malware in question is a Trojanized version of a game called Coin Pirates, which, according to our research, was hosted in a Chinese app market. The Trojanized version had been pulled from the market when we last checked.

Like most Android malware, this Trojanized application, which we detect as ANDROIDOS_PIRATES.A, asks users for more permissions than the legitimate version and thus performs more routines than the original app.

Read the rest of this entry »


