We saw several key developments in the new variant of DroidDreamLight, which we analyzed earlier this month. This new variant, found in a China-based third-party app store, poses as apps such as a battery-monitoring tool, a task-listing tool, and an app that lists the permissions used by installed apps. Note, however, that the apps are in English, so potential victims are not limited to users who understand Chinese.
For one, there were major changes in its code:
Another important update is the addition of information theft routines. Based on our analysis, this new variant can steal certain information from the device, such as:
- SMS (inbox and outbox)
- Call logs (incoming and outgoing)
- Contact list
- Information related to Google accounts stored in the device
Stolen information is compressed and stored in the /data/data/%package name%/files directory, then uploaded to a URL contained in a configuration file.
Just like previous variants, it also accesses a URL in the configuration file and uploads other information about the infected device, including:
- Phone model
- Language settings
- IMEI number
- IMSI number
- SDK version
- Package name of the malicious app
- Information about installed apps
Once the URL receives the information, it replies with an encrypted configuration file, which updates the existing configuration file. Below is a screenshot of its code:
Also, based on its code, this malware can insert messages into the inbox of the infected device, with the sender and message body specified by the attacker, and can send messages to numbers in the user's contact list.
Furthermore, this new variant contains code that checks whether the infected device has been rooted by looking for certain files. We found that the malware can install and uninstall packages if the device is rooted, although no code in the body actually calls these methods.
Users can check whether their phones have been infected by going to Settings > Applications > Running Services and looking for the service CelebrateService.
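As an added example (not code from the original post or from Trend Micro), the same check can be automated over adb instead of the Settings UI, which also reveals which package hosts the service so the right app can be uninstalled. It assumes USB debugging is enabled and adb is on the PATH; the dumpsys line format and the sample output are assumed and constructed.

```python
import re
import subprocess

# Indicator named in the write-up: the malware's service appears under Running Services.
INDICATOR_SERVICE = "CelebrateService"

# Matches the ServiceRecord lines printed by `adb shell dumpsys activity services`,
# e.g. "* ServiceRecord{41b7d9f0 u0 com.example.app/.CelebrateService}".
# Line layout assumed from typical Android dumpsys output; it varies by version.
SERVICE_RECORD = re.compile(r"ServiceRecord\{[^}]*?\s([\w.]+)/(\.?[\w.]+)\}")

def find_service(dumpsys_output, service_name=INDICATOR_SERVICE):
    """Return (package, fully_qualified_service) pairs whose class name is service_name."""
    hits = []
    for m in SERVICE_RECORD.finditer(dumpsys_output):
        package, cls = m.group(1), m.group(2)
        if cls.startswith("."):          # relative class name: expand with the package
            cls = package + cls
        if cls.rsplit(".", 1)[-1] == service_name:
            hits.append((package, cls))
    return hits

def running_services_from_device():
    """Pull the live service list from an attached device and scan it."""
    out = subprocess.run(["adb", "shell", "dumpsys", "activity", "services"],
                         capture_output=True, text=True, check=True).stdout
    return find_service(out)

# Constructed sample output: one benign service plus one matching the indicator.
SAMPLE_DUMPSYS = """ACTIVITY MANAGER SERVICES (dumpsys activity services)
  User 0 active services:
  * ServiceRecord{41a0b2c8 u0 com.android.phone/.TelephonyDebugService}
    intent={cmp=com.android.phone/.TelephonyDebugService}
  * ServiceRecord{41b7d9f0 u0 com.example.batterytool/.CelebrateService}
    intent={cmp=com.example.batterytool/.CelebrateService}
"""

if __name__ == "__main__":
    for package, cls in find_service(SAMPLE_DUMPSYS):
        print(f"suspicious service {cls} hosted by package {package}")
```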
This Android malware is now detected as ANDROIDOS_DORDRAE.N.
For more information on Android threats, users can check out our Android threats infographic as well as our ebook, “5 Simple Steps to Secure Your Android-Based Smartphones.”