
'Phone-home' malware hits Android phones


Apple may now find company in its misery as a target of recently developed malware: Google is a target as well, after a version of malware targeting smartphones running its Android operating system began making the rounds. "We recently received a sample of an Android malware known as DroidDreamLight currently circulating on the Web. Once executed on an infected device, this malware steals mobile-specific information that it then uses for malicious activities," security firm Trend Micro said in a blog post. Trend Micro said DroidDreamLight, which its software detects as ANDROIDOS_DORDRAE.L, gathers specific information from an infected mobile phone, including:

  • Device model
  • Language and country
  • International Mobile Equipment Identity (IMEI) number
  • International Mobile Subscriber Identity (IMSI) number
  • Software development kit (SDK) version
  • List of installed apps
The malware also "phones home" to several URLs to upload the data it steals. It also comes with a config file named prefer.dat, found in the Asset folder of the package, where it stores encrypted URLs. As of June 1, Trend Micro said, the URLs in the file were no longer accessible.

Trend Micro said the malware's execution is triggered when the android.intent.action.PHONE_STATE intent is received, such as when a user receives a voice call. "Once triggered, it initiates its own service called CoreService," it said.

Users can check whether their mobile phones have been infected by ANDROIDOS_DORDRAE.L by going to Settings > Applications > Running Services. If a device is infected, users can manually remove the malware by going to Settings > Applications > Manage Applications and uninstalling the malicious app.

Meanwhile, Trend Micro warned users to be careful when browsing the Android Market for apps, as its "open" nature may let users encounter malware posing as legitimate apps. "Cybercriminals can craft malicious apps and can easily upload these to the Android Market, making these available to ordinary users," it said.

Up to 120k users affected?

Mobile security firm Lookout said the malware may have affected "30,000 to 120,000 users." It added that the new malware may have come from the same developers as the DroidDream malware, which similarly yanked data from infected smartphones last March and was eventually killed by Google's "kill switch."

"The Lookout Security Team identified the malware thanks to a tip from a developer who notified us that modified versions of his app and another developer's app were being distributed in the Android Market. Our security team confirmed that there was malicious code grafted into these apps and identified markers associating this code with previously analyzed DroidDream samples. We discovered 24 additional apps repackaged and redistributed with the malicious payload across a total of 5 different developer accounts," it said in a blog post.

Lookout also warned users who may have downloaded the following applications that they may be affected by DroidDreamLight. The list of infected applications, by developer name, includes:
  • Magic Photo Studio: Sexy Girls: Hot Japanese; Sexy Legs; HOT Girls 4; Beauty Breasts; Sex Sound; Sex Sound: Japanese; HOT Girls 1; HOT Girls 2; HOT Girls 3
  • Mango Studio: Floating Image Free; System Monitor; Super StopWatch and Timer; System Info Manager
  • E.T. Tean: Call End Vibrate
  • BeeGoo: Quick Photo Grid; Delete Contacts; Quick Uninstaller; Contact Master; Brightness Settings; Volume Manager; Super Photo Enhance; Super Color Flashlight; Paint Master
  • DroidPlus: Quick Cleaner; Super App Manager; Quick SMS Backup
  • GluMobi: Tetris; Bubble Buster Free; Quick History Eraser; Super Compass and Leveler; Go FallDown !; Solitaire Free; Scientific Calculator; TenDrip
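As an added illustration of the auto-start pattern Trend Micro describes (a receiver for the android.intent.action.PHONE_STATE intent that launches a CoreService), the following Python script is not code from the article or from either vendor. It statically triages an AndroidManifest.xml for that combination; the manifest and the package name are constructed, and the ".lightdd.CoreService" string comes from Lookout's description quoted in the article.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"          # namespaced android:name attribute
TRIGGER_ACTION = "android.intent.action.PHONE_STATE"
KNOWN_SERVICE = ".lightdd.CoreService"  # service name quoted by Lookout
INTERNET = "android.permission.INTERNET"

# Constructed sample manifest modelled on the behaviour the article describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".lightdd.Receiver">
      <intent-filter>
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
    </receiver>
    <service android:name=".lightdd.CoreService"/>
  </application>
</manifest>
"""

def triage_manifest(xml_text):
    """Return indicators found in a manifest (static review prompt, not proof)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    # receivers whose intent-filter listens for the PHONE_STATE broadcast
    phone_state_receivers = [
        r.get(NAME) for r in root.iter("receiver")
        if any(a.get(NAME) == TRIGGER_ACTION for a in r.iter("action"))
    ]
    services = [s.get(NAME) for s in root.iter("service")]
    return {
        "phone_state_receivers": phone_state_receivers,
        "services": services,
        "reads_phone_state": "android.permission.READ_PHONE_STATE" in perms,
        "known_service": KNOWN_SERVICE in services,
        # PHONE_STATE receiver + a service + network access matches the
        # no-manual-launch pattern; flag it for a human to look at
        "suspicious": bool(phone_state_receivers) and bool(services)
                      and INTERNET in perms,
    }

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A benign app that listens for PHONE_STATE (a dialer, for example) will also trip the "suspicious" flag, so treat the result as a queue for manual review rather than a verdict.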
No need for manual launch

What makes DroidDreamLight potentially more dangerous than its predecessor is that its malicious components are invoked on receipt of an android.intent.action.PHONE_STATE intent (such as an incoming voice call). "DroidDream Light is not, therefore, dependent on manual launch of the installed application to trigger its behavior. The broadcast receiver immediately launches the .lightdd.CoreService which contacts remote servers and supplies the IMEI, IMSI, Model, SDK Version and information about installed packages," Lookout said.

Lookout also said it appears that DDLight is also capable of downloading and prompting installation of new packages, though unlike its predecessors it is not capable of doing so without user intervention.

— TJD, GMA News