Massive Code Change for New DroidDreamLight Variant

We saw several key developments in the new variant of DroidDreamLight, which we were able to analyze earlier this month. This new variant, found in a China-based third-party app store, poses as apps such as a battery-monitoring tool, a task-listing tool, and an app that lists the permissions used by installed apps. Please note though that the apps come in English, so potential victims are not limited to users who understand Chinese.
For one, there were major changes in its code. The new variant now steals the following data from the infected device:

- SMS (inbox and outbox)
- Call logs (incoming and outgoing)
- Contact list
- Information related to Google accounts stored in the device
Stolen information is stored and compressed in the /data/data/%package name%/files directory, then uploaded to a URL contained in a configuration file. Along with it, the malware sends the following details about the device and the app itself:

- Phone model
- Language settings
- Country
- IMEI number
- IMSI number
- SDK version
- Package name of the malicious app
- Information about installed apps
Once the server at that URL receives the information, it replies with an encrypted configuration file, which updates the existing configuration file. Below is a screenshot of its code:

Furthermore, this new variant has code that checks whether the infected device has been rooted by looking for certain files. We found that this malware can install and uninstall packages if the device is rooted, although no code in the body actually calls these methods.
Users can check if their phones have been infected by going to Settings > Applications > Running Services and looking for a service named CelebrateService.
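The manual check above can be repeated from a workstation over adb, which is useful when triaging several devices. The script below is an added example and is not code from the post or from Trend Micro: it parses the output of `adb shell dumpsys activity services` and reports every running service whose class name matches the indicator given in the post (CelebrateService), together with the package that owns it so the app can be removed. The sample dump embedded in the script is constructed for the example, the package name `com.example.batterymonitor` is a placeholder rather than a real sample name, and the `ServiceRecord{...}` line layout is an assumption about the dumpsys format.

```python
import re
import sys
from typing import Dict, List

# Constructed sample of `adb shell dumpsys activity services` output; it was not
# captured from a real infected device. Package names are placeholders.
SAMPLE_DUMPSYS = """ACTIVITY MANAGER SERVICES (dumpsys activity services)
  User 0 active services:
  * ServiceRecord{41a2b3c0 u0 com.android.systemui/.SystemUIService}
    intent={cmp=com.android.systemui/.SystemUIService}
    app=ProcessRecord{41a2c1d8 1234:com.android.systemui/u0a10}
  * ServiceRecord{41b7e2a8 u0 com.example.batterymonitor/.CelebrateService}
    intent={cmp=com.example.batterymonitor/.CelebrateService}
    app=ProcessRecord{41b7f0c0 5678:com.example.batterymonitor/u0a45}
  * ServiceRecord{41c0a1f0 u0 com.google.android.gms/.gcm.GcmService}
"""

# Indicator from the post: the malicious background service is named CelebrateService.
INDICATOR_SERVICE = "CelebrateService"

# Assumed layout of a dumpsys service line:
#   * ServiceRecord{<hex id> u<user> <package>/<class>}
SERVICE_RECORD = re.compile(
    r"ServiceRecord\{[0-9a-f]+ u(?P<user>\d+) (?P<pkg>[\w.]+)/(?P<cls>[\w.$]+)\}"
)


def parse_services(dump: str) -> List[Dict[str, str]]:
    """Return one record per running service: user, package and full class name."""
    services = []
    for match in SERVICE_RECORD.finditer(dump):
        pkg, cls = match.group("pkg"), match.group("cls")
        # A leading dot means the class is relative to the package name.
        full_cls = pkg + cls if cls.startswith(".") else cls
        services.append({"user": match.group("user"), "pkg": pkg, "cls": full_cls})
    return services


def find_suspicious(dump: str, indicator: str = INDICATOR_SERVICE) -> List[Dict[str, str]]:
    """Return the services whose simple class name equals the indicator."""
    return [s for s in parse_services(dump) if s["cls"].rsplit(".", 1)[-1] == indicator]


def owning_packages(dump: str, indicator: str = INDICATOR_SERVICE) -> List[str]:
    """Packages that should be reviewed and removed if the indicator is present."""
    return sorted({s["pkg"] for s in find_suspicious(dump, indicator)})


if __name__ == "__main__":
    # Usage: adb shell dumpsys activity services > services.txt
    #        python triage.py services.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMPSYS
    hits = find_suspicious(text)
    if not hits:
        print("No service named %s is running." % INDICATOR_SERVICE)
    for s in hits:
        print("suspicious service %s owned by package %s (user %s)" % (s["cls"], s["pkg"], s["user"]))
```

Matching on the simple class name rather than the full component name is deliberate: the post gives only the service name, and a repackaged sample will carry a different package prefix in front of it.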

For more information on Android threats, users can check out our Android threats infograph as well as our ebook, “5 Simple Steps to Secure Your Android-Based Smartphones.”
Post from: TrendLabs | Malware Blog – by Trend Micro