Sophos Cloud Optix
The most recent malware attack on the Android Market is already well described in several good write-ups, but I wanted to analyse the samples we received in our collection.
The Droid Dream attack isn’t really unexpected, since the investment to become an Android developer and have the ability to publish applications on the Android Market is quite low.
I understand that it is in Google’s interest to have as many Android developers as possible, but a $25 entry fee to publish your application can encourage malware writers and spammers to create new developers account every day.
Now that there are many legitimate developers, the entry barrier could definitely be made a bit higher, as it would make the creation of fake developer accounts more expensive.
This would prevent the attack pattern from becoming a daily event:
- Malware writer registers as one or more developers
- Malicious or trojanized application package is uploaded to the Android market, with potentially obfuscated functionality
- Thousands of users download the published Trojans
- One of the users or a researcher realizes that there is something suspicious in applications published by the suspiciously randomly-named developer
- A report is sent to Google Android Security
- Google removes the offending applications from the market and from all the devices
And don’t forget – a successful attack may be able to obtain sufficient privileges to prevent Google from removing the malicious applications from the infected devices using its Cloud to device messaging framework.
Let us now look at the trojanized applications, which have been published by three developers – we20090202, Myournet and Kingmall2010. All the applications, of which there are dozens, seem to have been repackaged by the alleged developers to include additional unexpected components.
One of the samples we received, for instance, is a game called “Bowling Time” which I installed into the standard Android emulator.
The Android manifest file for all the applications has the same two malicious added Android services, com.android.root.Setting and com.android.root.AlarmReceiver launched in separate processes.
The Setting service decrypts a byte buffer, using a simple XOR byte encryption with a key predefined in the class adbRoot. The decrypted byte buffer contains the IP address and the URL of the server which is used to post data about the infected phone in an XML format using an HTTP POST request.
The uploaded data contains the phone’s IMEI, IMSI, version of the SDK and the device model. The malware writer writing the XML request has misspelled the word “model” and used “modle” instead, which may be suitable for detection using network intrusion detection systems.
In addition to the malicious services added to the trojanized packages, there is also a set of files added to the the package assets. The assets include 3 native ARM applications, two of them are privilege escalation exploits – rageagainstcage and exploid – and an application which allows to run shell commands as a superuser.
Both privilege escalation exploits, for the Linux kernel udev vulnerability, and an adb privilege escalation attack are relatively old but work with the Android versions used by most of the Android phones. A very good description of both exploits was published in September 2010 by Intrepidus Group.
Reports suggest that only Gingerbread (Android 2.3) is not vulnerable which makes 99% of the Android phones potentially affected.
If the exploit was successful, the Trojan attempts to install an additional package included in the malware assets as sqlite.db. The package contains code to submit more information about the infected device and download additional content.
With this and few other Android malware samples discovered recently it seems that the rate of new Android malware is increasing. The openess of the platform and the availability of alternative application markets makes Android-based devices more difficult to secure. The whole situation reminds me of Windows some years ago. One keeps wondering if history is repeating again?
Sophos products are detecting all known samples of this Android malware as Troj/DroidD-A.
Really nice write-up. Suspect you’re right about Android being the platform of choice for virus writers in future.
I have been careful not to download apps onto my Droid 2. Is there a list anywhere of affected apps??
@ Kathleen: the Droid Dream link in the article takes you to a story on the Lookout Blog that has a list of apps.
One question, because even four more articles I read about these trojans didn´t mention it:
what were the permissions these apps wanted before installation?
As an attentive user I would be suspicious, if a simple bowling app wants more permissions than internet access for ads.
Just noticed the register posted an article that Google has remotely pulled the Malware from infected phones. Interesting stuff.
Wouldn't antivirus software block installation of these apps?
You moron, as long as there is big money coming in from organized crime in other countries, charging any sort of fee for developing on any sort of platform is going to have absolutely ZERO effect on keeping mal-ware developers out of said platform.
The ONLY effect that would have is to discourage freeware developers from learning to use an open platform, and there by gain experience to eventually develop world class applications.
I'm only two paragraphs in to your article, and I already feel like slapping you. Just exactly who gave you a pretty new badge that says 'Security Expect' on it?? Maybe I should slap them as well.
As an open platform, Android already has ALL of the tools they need to expose the vulnerabilities of the system, and patch them up rock solid. Discouraging people from developing in Android? Well.. there's one sure way to kill it off.
Genius.