"DroidLive" New SMS Android Trojan Being Disguised as a Google Library
A research team at NC State University in collaboration with NetQin, have uncovered a new SMS Android Trojan named as "DroidLive" in third-party Android markets. They detected this malware on Nov 5 and published about the trojan on Nov 11.
The Trojan attempts to disguise itself as a Google library, but actually receives commands from a remote Command and Control (C&C) server, which allow it to engage in sending text messages to premium numbers, making phone calls, collecting personal information, and other nefarious activities.
Also, one unusual behavior of this malware is its attempt of installing itself as a device administration app. Though this requires user consent, if such consent is given, DroidLive can obtain privileges closer to those granted only to the device's firmware. To the best of our knowledge, this is the first malware that takes advantage of the device administration API.
DroidLive is structured as a constellation of services and receivers that communicate using Android's standard inter-app communication layer (i.e., Binder). These relationships are shown in the following diagram:
1. DroidLive's heart is a main control service, MainService, which is invoked via the Android IPC mechanisms by other parts of the Trojan. This service takes action based on a string passed to it when it is invoked; these strings are in plain, human-readable text. MainService is initially invoked by other receivers that listen for a variety of (17) system events.
2.Once the malware has been initially invoked, it uses message queues and Android's alarm functionality to periodically wake up and contact its C&C server (http://xxxxxxxxxxxx/androidService/services/AndroidService). As part of this process, DroidLive sends a large amount of information to the server, including the device's unique hardware identifier (IMEI), current cell tower identifier (CID), subscriber identifier (IMSI) and more. In return, the server sends a list of actions for the bot to perform.
3.DroidLive features several commands, which are handled by dedicated components. It can send text messages, make phone calls, or attempt to install itself as a device administration app. This last feature requires user consent, but if granted allows DroidLive privileges closer to those granted only to the device's firmware. Inside the device admin code, it obtains a list of all the apps running on the device. Note this device admin-level access would allow other priviledged actions, such as wiping out all the data on the device.
Security Researcher recommends to follow the instruction to stay secure from these type of malware:
The Trojan attempts to disguise itself as a Google library, but actually receives commands from a remote Command and Control (C&C) server, which allow it to engage in sending text messages to premium numbers, making phone calls, collecting personal information, and other nefarious activities.
Also, one unusual behavior of this malware is its attempt of installing itself as a device administration app. Though this requires user consent, if such consent is given, DroidLive can obtain privileges closer to those granted only to the device's firmware. To the best of our knowledge, this is the first malware that takes advantage of the device administration API.
How It Works
DroidLive is structured as a constellation of services and receivers that communicate using Android's standard inter-app communication layer (i.e., Binder). These relationships are shown in the following diagram:
1. DroidLive's heart is a main control service, MainService, which is invoked via the Android IPC mechanisms by other parts of the Trojan. This service takes action based on a string passed to it when it is invoked; these strings are in plain, human-readable text. MainService is initially invoked by other receivers that listen for a variety of (17) system events.
2.Once the malware has been initially invoked, it uses message queues and Android's alarm functionality to periodically wake up and contact its C&C server (http://xxxxxxxxxxxx/androidService/services/AndroidService). As part of this process, DroidLive sends a large amount of information to the server, including the device's unique hardware identifier (IMEI), current cell tower identifier (CID), subscriber identifier (IMSI) and more. In return, the server sends a list of actions for the bot to perform.
3.DroidLive features several commands, which are handled by dedicated components. It can send text messages, make phone calls, or attempt to install itself as a device administration app. This last feature requires user consent, but if granted allows DroidLive privileges closer to those granted only to the device's firmware. Inside the device admin code, it obtains a list of all the apps running on the device. Note this device admin-level access would allow other priviledged actions, such as wiping out all the data on the device.
Security Researcher recommends to follow the instruction to stay secure from these type of malware:
- Download apps from reputable app stores that you trust; and always check reviews, ratings as well as developer information before downloading;
- Check the permissions on apps before you actually install them and make sure you are comfortable with the data they will be accessing;
- Be alert for unusual behavior on the part of mobile phones and make sure you have up-to-date security software installed on your phone.