Aftermath of the Droid Dream Android Market malware attack

rocketThe most recent malware attack on the Android Market is already well described in several good write-ups, but I wanted to analyse the samples we received in our collection.

The Droid Dream attack isn’t really unexpected, since the investment to become an Android developer and have the ability to publish applications on the Android Market is quite low.

I understand that it is in Google’s interest to have as many Android developers as possible, but a $25 entry fee to publish your application can encourage malware writers and spammers to create new developers account every day.

Now that there are many legitimate developers, the entry barrier could definitely be made a bit higher, as it would make the creation of fake developer accounts more expensive.

This would prevent the attack pattern from becoming a daily event:

  1. Malware writer registers as one or more developers
  2. Malicious or trojanized application package is uploaded to the Android market, with potentially obfuscated functionality
  3. Thousands of users download the published Trojans
  4. One of the users or a researcher realizes that there is something suspicious in applications published by the suspiciously randomly-named developer
  5. A report is sent to Google Android Security
  6. Google removes the offending applications from the market and from all the devices

And don’t forget – a successful attack may be able to obtain sufficient privileges to prevent Google from removing the malicious applications from the infected devices using its Cloud to device messaging framework.

Let us now look at the trojanized applications, which have been published by three developers – we20090202, Myournet and Kingmall2010. All the applications, of which there are dozens, seem to have been repackaged by the alleged developers to include additional unexpected components.

One of the samples we received, for instance, is a game called “Bowling Time” which I installed into the standard Android emulator.

Bowling Trojanized application

The Android manifest file for all the applications has the same two malicious added Android services, and launched in separate processes.

The Setting service decrypts a byte buffer, using a simple XOR byte encryption with a key predefined in the class adbRoot. The decrypted byte buffer contains the IP address and the URL of the server which is used to post data about the infected phone in an XML format using an HTTP POST request.

The uploaded data contains the phone’s IMEI, IMSI, version of the SDK and the device model. The malware writer writing the XML request has misspelled the word “model” and used “modle” instead, which may be suitable for detection using network intrusion detection systems.

In addition to the malicious services added to the trojanized packages, there is also a set of files added to the the package assets. The assets include 3 native ARM applications, two of them are privilege escalation exploits – rageagainstcage and exploid – and an application which allows to run shell commands as a superuser.

Both privilege escalation exploits, for the Linux kernel udev vulnerability, and an adb privilege escalation attack are relatively old but work with the Android versions used by most of the Android phones. A very good description of both exploits was published in September 2010 by Intrepidus Group.

Reports suggest that only Gingerbread (Android 2.3) is not vulnerable which makes 99% of the Android phones potentially affected.

If the exploit was successful, the Trojan attempts to install an additional package included in the malware assets as sqlite.db. The package contains code to submit more information about the infected device and download additional content.

With this and few other Android malware samples discovered recently it seems that the rate of new Android malware is increasing. The openess of the platform and the availability of alternative application markets makes Android-based devices more difficult to secure. The whole situation reminds me of Windows some years ago. One keeps wondering if history is repeating again?

Sophos products are detecting all known samples of this Android malware as Troj/DroidD-A.