Author Topic: How DroidDream Malware Works  (Read 115 times)
Patwik
Guest
« on: March 03, 2011, 08:22:51 AM »

Quote
In the DroidDream samples we have analyzed, the malware cannot start automatically: it requires the user to manually run the infected application. When the host application—Bowling Time, in this case—is launched by a user, DroidDream will start by sending sensitive data to a command and control server.  The sensitive data includes:

    * IMEI
    * IMSI
    * Device Model
    * SDK Version

DroidDream is configured to perform at least one successful check-in with the command and control server, at which point the command and control server will respond and acknowledge the presence of malware on the infected device. We found that the DroidDream authors have configured the malware to make sure the device is not already infected with another variant of DroidDream. If the device is already infected, the malware will not re-infect it.

When DroidDream attempts to infect a device, it uses two known exploits, exploid and rageagainstthecage, to break out of the Android security container. Both of the vulnerabilities being exploited were patched by Android 2.3 (Gingerbread). If exploid fails to root the device, the malware will attempt to use rageagainstthecage. Once the phone is rooted, DroidDream is configured to search for a specific package named com.android.providers.downloadsmanager. If the malware does not find this package on the device, it will silently install a second malicious application without the user’s knowledge. If DroidDream does find the downloadsmanager package, it will not continue infecting the device with the second malicious application.

At Lookout, we are currently in the process of confirming what this second application is capable of, but our initial analysis shows that it appears to be able to send additional sensitive information to a remote server. The second malicious application also appears to have the capability to silently install other applications.

Lookout has identified instances of DroidDream apps residing in third-party markets.  Given that these apps will only complete their infection cycle on devices without the complete “Google Experience” software stack, we believe that DroidDream was designed to target devices in other markets (potentially China) that are more likely to be deployed without these applications.  It is likely that the apps were deployed to the official Android Market after the fact, though unclear whether the authors expected to succeed in fully infecting significant numbers of devices. We’ll be continuing to investigate this.

Unlike previous instances of malware in the wild that were only available in targeted alternative app markets, DroidDream was available in the official Android Market in addition to alternative markets, indicating a growing need for Android users to take extra caution when downloading apps. To stay safe, users should always pay careful attention when downloading apps and ensure they only download apps from developers they trust, look at the ratings and read the reviews.
http://blog.mylookout.com/2011/03/android-malware-droiddream-how-it-works/
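The post above gives two things a responder can check on a device without any malware sample in hand: whether the device is still on a release older than Gingerbread (where the post says exploid and rageagainstthecage were unpatched), and whether the com.android.providers.downloadsmanager package that DroidDream looks for before dropping its second stage is installed. The script below is an added example, not code from Lookout or from the malware itself. It assumes the responder has captured `adb shell getprop ro.build.version.sdk` and `adb shell pm list packages` and pastes the output in; the API level 9 for Gingerbread is a known Android constant, and the sample outputs and the package names other than the marker are constructed for illustration.

```python
"""Device triage for the DroidDream indicators described in the post above.

Added example, not code from Lookout or from the malware. It assumes two
outputs a responder collects over adb and feeds in as strings:

    adb shell getprop ro.build.version.sdk    (Android API level)
    adb shell pm list packages                 (installed packages)

The sample inputs below are constructed for illustration.
"""
from typing import Dict, List, Optional, Set

# API level of Android 2.3 (Gingerbread). The post says both exploid and
# rageagainstthecage were patched by this release, so a lower API level
# means the rooting step described in the post has a chance of working.
GINGERBREAD_API = 9

# Package name the post says DroidDream looks for after rooting; if it is
# present the malware stops instead of dropping its second-stage app.
MARKER_PACKAGE = "com.android.providers.downloadsmanager"

# Stock Android download provider with a similar name, listed so that a
# reader scanning a package list by eye does not confuse the two.
STOCK_DOWNLOADS_PROVIDER = "com.android.providers.downloads"

# Constructed sample output, as if collected from a Froyo-era (API 8) device.
SAMPLE_SDK_OUTPUT = "8\n"
SAMPLE_PM_OUTPUT = """\
package:com.android.settings
package:com.android.providers.downloads
package:com.android.providers.downloadsmanager
package:com.example.game
"""


def parse_sdk(output: str) -> Optional[int]:
    """Turn `getprop ro.build.version.sdk` output into an int, or None."""
    text = output.strip()
    return int(text) if text.isdigit() else None


def parse_pm_list(output: str) -> Set[str]:
    """Collect package names from `pm list packages` ("package:<name>" lines)."""
    names: Set[str] = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.add(line[len("package:"):].strip())
    return names


def triage(sdk_output: str, pm_output: str) -> Dict[str, object]:
    """Evaluate both indicators and return structured findings plus notes."""
    sdk = parse_sdk(sdk_output)
    packages = parse_pm_list(pm_output)
    exploit_window = sdk is not None and sdk < GINGERBREAD_API
    marker_present = MARKER_PACKAGE in packages

    notes: List[str] = []
    if sdk is None:
        notes.append("could not read API level; treat rooting risk as unknown")
    elif exploit_window:
        notes.append(f"API level {sdk} predates Gingerbread ({GINGERBREAD_API}); "
                     "exploid/rageagainstthecage may still succeed")
    else:
        notes.append(f"API level {sdk} is Gingerbread or later; the two "
                     "exploits named in the post are patched")
    if marker_present:
        notes.append(f"{MARKER_PACKAGE} is installed: DroidDream treats this as "
                     "'already infected'; pull that APK and inspect it")
    if STOCK_DOWNLOADS_PROVIDER in packages and not marker_present:
        notes.append(f"only the stock {STOCK_DOWNLOADS_PROVIDER} is present")

    return {
        "sdk": sdk,
        "exploit_window_open": exploit_window,
        "marker_present": marker_present,
        "notes": notes,
    }


if __name__ == "__main__":
    for note in triage(SAMPLE_SDK_OUTPUT, SAMPLE_PM_OUTPUT)["notes"]:
        print("-", note)
```

One caveat when using this for real: both inputs come from the device's own package manager and property store. On a phone that has already been rooted by the malware, anything running as root can alter what those report, so an absent marker package is weak evidence of a clean device, while a present one is a reason to pull the APK and look at it.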