We recently discussed a new Trojanized Android app sample. Today, we will discuss yet another one. This new Android malware is known as GoldDream and is detected by Trend Micro as ANDROIDOS_SPYGOLD.A.

The particular app that was Trojanized in this attack was a racing game called “Fast Racing.” For a game, this Trojanized version requests a lot of permissions—far more than is typical for a game of this kind.

When the infected phone boots, the malware starts a service called Market, probably a name chosen by the malware writer so that the service looks harmless to the user.

Like previously found Android malware, this one monitors affected users’ incoming text messages. Once a message is received, it records the message contents and sender information and writes them to a text file called zjsms.txt. Logs of incoming and outgoing calls are also kept and saved as zjphonecall.txt.

This malware is also capable of communicating with a remote command-and-control (C&C) server, which is currently located at http://{BLOCKED}r.gicp.net. Unlike previously detected Android malware, which used hard-coded server URLs, this one switches to alternative servers when instructed to by its current C&C server. It can also update itself, which may be an attempt to evade detection and removal.

Regardless of which C&C server it is using, it can “phone home” and send device information such as the device ID, subscriber ID, and SIM serial number to http://{C&C server}/zj/RegistUid.aspx?. It can also upload files, including the call and SMS logs, to http://{C&C server}/zj/upload/UploadFiles.aspx, and receive commands from the server by accessing http://{C&C server}/zj/allotWorkTask.aspx. In addition to changing servers and downloading updates, it can receive the following commands:

• install/uninstall apps
• make a call
• send a text message

It appears that Android malware writers are adding features to their mobile threats that were previously common only in desktop malware.

For more information on threats affecting Android devices, you may check our report, Fake Apps Affect ANDROID OS Users.

Update on July 7, 2011, 7:50 AM PST: The Android malware analyzed in this post is the same malware discussed in the post Security Alert: New Android Malware—GoldDream—Found in Alternative App Markets.
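Because the malware can be redirected to a different C&C host, a network detection keyed on the hostname alone would miss a server switch. The example below, added here and not part of the original post, matches proxy log entries on the three C&C URL paths quoted above instead, then reports per client whether a full register-and-fetch-commands cycle was seen and whether more than one server was contacted. The log format, client addresses and `.invalid`/`example` hosts are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit
# GoldDream (ANDROIDOS_SPYGOLD.A) C&C URL paths quoted in the post. Matching on
# the path rather than the host matters because the malware can switch servers.
GOLDDREAM_PATHS = {
    "/zj/RegistUid.aspx": "register-device",
    "/zj/upload/UploadFiles.aspx": "upload-logs",
    "/zj/allotWorkTask.aspx": "fetch-commands",
}

# Constructed proxy log lines ("timestamp client method url"); the hosts are
# placeholders, not indicators from the post.
SAMPLE_LOG = """\
2011-07-06T08:01:12Z 10.0.0.15 GET http://example-cnc.invalid/zj/RegistUid.aspx?imei=PLACEHOLDER
2011-07-06T08:01:20Z 10.0.0.15 GET http://example-cnc.invalid/zj/allotWorkTask.aspx
2011-07-06T08:03:44Z 10.0.0.22 GET http://www.example.com/index.html
2011-07-06T08:05:02Z 10.0.0.15 POST http://alt-cnc.invalid/zj/upload/UploadFiles.aspx
2011-07-06T08:05:10Z 10.0.0.31 GET http://shop.example.org/zj/allotWorkTask.aspx
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")

def classify_url(url):
    """Return the GoldDream C&C stage for a URL, or None if the path does not match."""
    return GOLDDREAM_PATHS.get(urlsplit(url).path)

def scan_log(text):
    """Map each client address to its ordered list of (timestamp, host, stage) hits."""
    hits = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        stage = classify_url(m["url"]) if m else None
        if stage is None:
            continue  # unparseable line, or not a GoldDream C&C path
        hits.setdefault(m["client"], []).append((m["ts"], urlsplit(m["url"]).hostname, stage))
    return hits

def summarize(hits):
    """Per client: stages seen, hosts contacted, full register+task cycle, server switching."""
    report = {}
    for client, events in hits.items():
        stages = {stage for _, _, stage in events}
        hosts = {host for _, host, _ in events}
        report[client] = {
            "stages": sorted(stages),
            "hosts": sorted(hosts),
            "full_beacon_cycle": {"register-device", "fetch-commands"} <= stages,
            "switched_server": len(hosts) > 1,
        }
    return report
```

A client that only hits one path (like 10.0.0.31 in the sample) is reported but not flagged as a full cycle, which keeps the rule from firing on an unrelated site that happens to use a similar path.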

    • http://androidrpg.org Android RPG

I just hope AVs will soon be as good as they are on PCs.
Until then I guess we have to take care…

    • http://www.baboonarcade.com Baboon

      It is certainly not intended to have someone to present the discovery without even mentioning the original source. (In fact, there are several media articles who already mis-credit the finding to your company, including the ones in GMA news and yahoo news. An earlier report from The Inquirer has already been corrected.)

    • http://freegameslodge.com John Wayn

Thank you for this, but is there any software for Android that you recommend to get rid of malware?


    • Xuxian Jiang

      Hi, Macky and Kervin:

The way I read the current post, it does not look like you are acknowledging my work.

In fact, unless I rushed reading through it, it only says it uses the same sample as in my original post. It does not mention at all who is behind the discovery (http://www.cs.ncsu.edu/faculty/jiang/GoldDream).

Also, if your analysis is based on a sample that was requested from me, please acknowledge it as well. My intention is to notify AV companies in advance so they can extract malware signatures and improve their security products. It is certainly not intended to have someone present the discovery without even mentioning the original source. (In fact, there are several media articles that already mis-credit the finding to your company, including the ones in GMA News and Yahoo News. An earlier report from The Inquirer has already been corrected.)

      Thanks,
      –Xuxian


    • Macky Cruz (Technical Communications)

      Hi, Matt,

      The reference was actually in Kervin's original submission but it got edited out during processing. My apologies for that.

      Hi, Robert,

Thanks for the heads-up.

    • http://www.robertcorlin.com Robert Corlin

      Please fix the dead pic objects.

    • http://web.ncsu.edu/abstract/ Matt Shipman

      I'm very disappointed that Kervin Alintanahin did not acknowledge the person who actually discovered the GoldDream malware, a professor at NC State named Xuxian Jiang. Nor did Kervin acknowledge that the discovery was first announced by the university — two days before this post: http://web.ncsu.edu/abstract/technology/wms-golddream/

      We don't expect much, but a simple acknowledgment would be appreciated.

      Yours,
      Matt S.

      • Kervin Alintanahin (Threats Analyst)

        Hi, Matt, we're truly sorry about this. We added an acknowledgement at the bottom of the post.
