We recently received a sample of an Android malware known as DroidDreamLight currently circulating on the Web. Once executed on an infected device, this malware steals the following device-specific information, which it then uses for malicious activities:
- Device model
- Language and country
- International Mobile Equipment Identity (IMEI) number
- International Mobile Subscriber Identity (IMSI) number
- Software development kit (SDK) version
- List of installed apps
The malware also connects to several URLs in order to “phone home” and upload the stolen data. It also comes with a config file named prefer.dat where it stores encrypted URLs. The said file is found in the Asset folder of the package.
It uses the string “DDH#X%LT” as decryption key. The config file looks like this when decrypted:
As of this writing, the said URLs are no longer accessible.
The malware’s execution is triggered when the android.intent.action.PHONE_STATE intent is received such as when a user receives a voice call. Once triggered, it initiates its own service called CoreService.
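The two indicators above, a receiver registered for android.intent.action.PHONE_STATE and a service named CoreService, can be checked statically in a decoded AndroidManifest.xml (for example, the output of apktool). The script below is an added example written for this post, not code from Trend Micro or from the sample itself; the manifest it parses is constructed for illustration, and the rule that both indicators must appear together before an app is flagged is an assumption chosen to keep false positives low, since many legitimate apps listen for phone-state changes. It also reports the READ_PHONE_STATE permission, because without it the receiver never gets the broadcast.

```python
# Added example (not from the original post): static triage of a decoded
# AndroidManifest.xml for the indicators the post names. The sample manifest
# below is constructed for illustration and is not from a real malware sample.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PHONE_STATE = "android.intent.action.PHONE_STATE"   # trigger cited in the post
SUSPICIOUS_SERVICE = "CoreService"                  # service name cited in the post

# Constructed sample manifest (hypothetical package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Constructed App">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".PhoneStateReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
    </receiver>
    <service android:name="com.example.constructed.CoreService"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace ('' if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), "")


def triage_manifest(manifest_xml):
    """Return a dict of indicators found in the decoded manifest text."""
    root = ET.fromstring(manifest_xml)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}

    # Receivers whose intent-filter lists the PHONE_STATE action.
    phone_state_receivers = []
    for receiver in root.iter("receiver"):
        actions = {_attr(a, "name") for a in receiver.iter("action")}
        if PHONE_STATE in actions:
            phone_state_receivers.append(_attr(receiver, "name"))

    # Services whose simple class name matches the one cited in the post.
    services = [_attr(s, "name") for s in root.iter("service")]
    suspicious_services = [
        s for s in services if s.rsplit(".", 1)[-1] == SUSPICIOUS_SERVICE
    ]

    return {
        "package": root.get("package"),
        "reads_phone_state": "android.permission.READ_PHONE_STATE" in perms,
        "has_internet": "android.permission.INTERNET" in perms,
        "phone_state_receivers": phone_state_receivers,
        "suspicious_services": suspicious_services,
    }


def is_suspicious(report):
    """Assumed rule: flag only when the PHONE_STATE trigger and the CoreService
    name both appear; a PHONE_STATE receiver alone is common in benign apps."""
    return bool(report["phone_state_receivers"]) and bool(report["suspicious_services"])


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    for key, value in report.items():
        print("%-22s %s" % (key, value))
    print("suspicious:", is_suspicious(report))
```

A practitioner would run this over every decoded APK in a corpus and treat a hit as a reason to look at the assets folder for prefer.dat and at the service's code, not as a verdict on its own.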
Users can check if their mobile phones have been infected by ANDROIDOS_DORDRAE.L by going to Settings > Applications > Running Services.
Users of infected devices can manually remove the malware by going to Settings > Applications > Manage Applications and uninstalling the malicious app. For more information, you may refer to the Threat Encyclopedia entry for ANDROIDOS_DORDRAE.L.
Trend Micro also offers protection for users of Android mobile devices via the Trend Micro™ Mobile Security for Android™.
Because of the Android Market’s “open” nature, users are likely to encounter Android malware posing as legitimate apps. Cybercriminals can craft malicious apps and easily upload them to the Android Market, making them available to ordinary users. To know more about mobile security, specifically how to avoid downloading and installing fake Android apps, users may refer to our comprehensive report, “5 Simple Steps to Secure Your Android-Based Smartphones.”
Additional data provided by Kervin Alintanahin and Julius Dizon