New Android Malware on the Road: GoldDream "Catcher"

May 2013
S	M	T	W	T	F	S
« Apr
	1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

Jul7	New Android Malware on the Road: GoldDream “Catcher” 4:27 am (UTC-7) \| by Kervin Alintanahin (Threats Analyst)

We recently discussed a new Trojanized Android app sample. Today, we will discuss yet another one. This new Android malware is known as GoldDream and is detected by Trend Micro as ANDROIDOS_SPYGOLD.A.

The particular app that was Trojanized in this attack was a racing game called “Fast Racing.” For a game, this Trojanized version needs a lot of permissions—more than is typical for something similar.

When the infected phone boots, the malware starts a service called Market, probably a trick that the malware writer crafted to make the user think it is harmless.

Like previously found Android malware, this monitors affected users’ incoming text messages. Once a message is received, it will record its contents and sender information then copies this to a .TXT file called zjsms.txt. Logs of incoming and outgoing calls are also kept and saved as zjphonecall.txt.

This malware is also capable of communicating with a remote command-and-control (C&C) server, which is currently located at http://{BLOCKED}r.gicp.net. Unlike previously detected Android malware, which used hard-coded server URLs, however, this connects to alternative servers if instructed by its current C&C server. It can also update itself, which may be an attempt to evade detection and removal.

Regardless of C&C server, it can “phone home” and send the device information like device ID, subscriber ID, and SIM serial number to http://{C&C server}/zj/RegistUid.aspx?. It can also upload files, including call and SMS logs to http://{C&C server}/zj/upload/UploadFiles.aspx, as well as receive commands from a server by accessing http://{C&C server}/zj/allotWorkTask.aspx. In addition to changing servers and downloading updates, it can receive the following commands:

installuninstall apps
make a call
send a text message

It appears that Android malware writers have added new features that used to be only common in the desktop environment to their mobile threats.

For more information on threats affecting Android devices, you may check our report, Fake Apps Affect ANDROID OS Users.

Update on July 7, 2011, 7:50 AM PST: The Android malware analyzed in this post is the same malware discussed in the post Security Alert: New Android Malware—GoldDream—Found in Alternative App Markets.

Share this article

This entry was posted on Thursday, July 7th, 2011 at 4:27 am and is filed under Malware, Mobile . Both comments and pings are currently closed.

http://androidrpg.org Android RPG

I just hope aVs will soon be as good as they are on PCs.
Until then i guess we have to take care…
http://www.baboonarcade.com Baboon

It is certainly not intended to have someone to present the discovery without even mentioning the original source. (In fact, there are several media articles who already mis-credit the finding to your company, including the ones in GMA news and yahoo news. An earlier report from The Inquirer has already been corrected.)
http://freegameslodge.com John Wayn

Thank you for this, but is there any software for android that you recommend to get rid of malwares ?
Pingback: Helyum Bilgilendiriyor | Bilişimin doğru adresi
Pingback: Anonymous
Xuxian Jiang

Hi, Macky and Kervin:

The way I read the current post does not look you are acknowledging my work.

In fact, unless I'm too rush reading through it, it only says it uses the same sample in my original post. It does not mention at all who is the one behind the discovery (http://www.cs.ncsu.edu/faculty/jiang/GoldDream).

Also, if your analysis is based on a sample that is requested from me, please acknowledge it as well. My intention is to notify AV companies in advance to extract malware signatures and improve the security products. It is certainly not intended to have someone to present the discovery without even mentioning the original source. (In fact, there are several media articles who already mis-credit the finding to your company, including the ones in GMA news and yahoo news. An earlier report from The Inquirer has already been corrected.)

Thanks,
–Xuxian
Pingback: Android Spyware Can Switch C&C Servers
Macky Cruz (Technical Communications)

Hi, Matt,

The reference was actually in Kervin's original submission but it got edited out during processing. My apologies for that.

Hi, Robert,

Thanks for the headsup.
http://www.robertcorlin.com Robert Corlin

Please fix the dead pic objects.
http://web.ncsu.edu/abstract/ Matt Shipman

I'm very disappointed that Kervin Alintanahin did not acknowledge the person who actually discovered the GoldDream malware, a professor at NC State named Xuxian Jiang. Nor did Kervin acknowledge that the discovery was first announced by the university — two days before this post: http://web.ncsu.edu/abstract/technology/wms-golddream/

We don't expect much, but a simple acknowledgment would be appreciated.

Yours,
Matt S.
- Kervin Alintanahin (Threats Analyst)
  
  Hi, Matt, we're truly sorry about this. We added an acknowledgement at the bottom of the post.

TrendLabs Malware Blog

Trend Micro

Targeted Attacks

Mobile

Recent Posts

Calendar