We recently found a new variant of DroidDreamLight in the Android Market. The app promotes itself as an app that helps users manage the .APK files on their device. The sample was downloaded 50–100 times before it was removed from the Android Market.
The malware sample we found, which we now detect as ANDROIDOS_DORDRAE.M, was inside an app called App Installer. Once executed, the main class of the app starts the malware service called AppUseService.
The malware service still runs even if the app is not being executed. It starts when an Intent called android.intent.action.PHONE_STATE is triggered, which happens every time the device makes or receives a call. It gets the following information from the device then uploads it to its server when it phones home.
- Device model
- Device language setting
- IMEI number
- IMSI number
- List of installed apps together with their names, package names, and package versions
Previous DroidDreamLight variants save the encrypted configuration using the file names prefer.dat and game.tol in the Asset folder. The sample we analyzed uses the file name small.use and DES encryption with the same decryption/encryption key as before—DDH#X%LT.
Below is what the decrypted configuration file looks like:
However, during the time of our analysis, the servers could no longer be accessed.
The DroidDreamLight malware does not employ exploits so it will need user intervention to install its downloaded components. To do this, we think that the malware tries to trick the user into thinking that the app being downloaded or installed is an update for an installed app. Based on its code, the malware is capable of showing download/update notifications. That way, all it has to do is use the name of an app from the list retrieved and to display the notification with a malicious link from the server.
Users can check if their phones are infected by going to Settings > Applications > Running Services.
Moreover, users can manually remove the malware from their devices by going to Settings > Applications > Manage Applications to uninstall the infected app.
Trend Micro offers protection for users of Android mobile devices. Users may download Trend Micro™ Mobile Security for Android™.
Users are likely to encounter other Android malware posing as legitimate apps due to the Android Market’s “open” nature. To learn how to secure your Android mobile devices, users may refer to our e-book, “5 Simple Steps to Secure Your Android-Based Smartphones.”