Do Androids Dream
idleheadedcelery, Mobile - Wireless
Dec 10, 2013

Do Androids Dream - DroidDream Malware

Presenter: 劉旭哲

Introduction

More than 50 applications have been found to be infected with a new type of Android malware called DroidDream.
Lompolo discovered the first instances of this malware.
He analyzed two suspicious applications and found that they contain exploit code that can break out of Android's application security sandbox.

Falling Down
蜘蛛侠
Finger Race
Super Guitar Solo
Bowling Time
Piano
Super History Eraser
Advanced Barcode Scanner
Bubble Shoot
Photo Editor
Supre Bluetooth Transfer
Advanced Sound Manager
Super Ringtone Maker
Task Killer Pro
Magic Hypnotic Spiral
Super Sex Positions
Music Box
Funny Face
Hot Sexy Videos
Sexy Girls: Japanese
Color Blindness Test
Chess
Sexy Legs
Tie a Tie
下坠滚球_Falldown
Advanced File Manager
Quick Notes
Hilton Sex Sound
Magic Strobe Light
Basketball Shot Now
Screaming Sexy Japanese Girls
致命绝色美腿
Quick Delete Contacts
Falling Ball Dodge
墨水坦克 Panzer Panic
Omok
Fire in a Row
Scientific Calculator
裸奔先生 Mr. Runner
Super Sexy Ringtones
Dice Roller
软件强力卸载
大家来找茬
躲避弹球
Advanced App to SD
桌上曲棍球
Advanced Currency Converter
Super Stopwatch & Timer
投篮高手
App Uninstaller
Advanced Compass Leveler
多彩绘画
几何战机_PewPew
Best password safe
Spider Man
Funny Paint
掷骰子

Introduction

A blogger at Android Police took a closer look at the malicious applications:
1. They can root a user's device.
2. They send sensitive information (IMEI and IMSI) to a remote server.
3. Another APK is hidden inside the code.
The attackers repackaged the malware into legitimate software and placed it on the App Market.

How it works?

The malware can't start automatically; it requires the user to manually run the infected application.
The malware has modified the AndroidManifest.xml to launch itself prior to the primary app's activity.
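An added example, not code from the deck or from DroidDream, showing how a defender can triage a decoded AndroidManifest.xml for the launcher hijack just described: the manifests, package name and helper names below are constructed for illustration.

```python
# Added example, not code from the deck or from DroidDream: triage a decoded
# AndroidManifest.xml for the launcher hijack described above, where the
# MAIN/LAUNCHER activity is a class outside the app's own package.
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"  # the android:name attribute

# Constructed sample: a game repackaged so that com.android.root.Setting is
# declared as the launcher activity ahead of the game's real activity.
REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fallingdown">
  <application>
    <activity android:name="com.android.root.Setting">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".FallingDownActivity"/>
  </application>
</manifest>"""
# Constructed clean counterpart: the launcher activity lives in the app's own package.
CLEAN_MANIFEST = REPACKAGED_MANIFEST.replace(
    'android:name="com.android.root.Setting"', 'android:name=".MainActivity"')

def launcher_activities(manifest_xml):
    """Return (package, [fully qualified MAIN/LAUNCHER activities]) in manifest order."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    launchers = []
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {a.get(NAME) for a in flt.findall("action")}
            categories = {c.get(NAME) for c in flt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                name = activity.get(NAME)
                # Android resolves ".Foo" (and a bare "Foo") relative to the app package.
                if name.startswith("."):
                    name = pkg + name
                elif "." not in name:
                    name = pkg + "." + name
                launchers.append(name)
                break
    return pkg, launchers

def suspicious_launchers(manifest_xml):
    """Launcher activities whose class sits outside the app's own package prefix."""
    pkg, launchers = launcher_activities(manifest_xml)
    return [name for name in launchers if not name.startswith(pkg + ".")]
```

The manifest inside an APK is binary XML, so decode it first (for example with apktool or aapt) before feeding it to these functions.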


The First Payload

com.android.root.Setting will notify the C&C server and attempt to root the device.
First, the malware will contact the C&C server, identifying the compromised device.
Definition: malware

The First Payload

pref_config_setting -> done
Used to check in to the server.

    if (request == response)
        done = 1

Once done is set, the malware will not check in again, so the application performs only one check-in.

The First Payload

com.android.root.adbRoot.crypto: a simple XOR with an embedded key.
It decrypts the C&C server's URL, stored in the byte array u in the com.android.root.Setting class:
184.105.245.17:8080/GMServer/GMServlet
This is the first step in the first payload: connect and log in to the C&C server.
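An added example, not code from the deck or from DroidDream, of how an analyst recovers a URL hidden by the repeating-key XOR scheme described above; it goes one step beyond the slide by also deriving the key from a known plaintext prefix when the embedded key has not yet been located. The key, the byte array and the placeholder URL are all constructed here, not values from the analysis.

```python
# Added example, not the presentation's code and not DroidDream's: recovering a URL
# obfuscated with a repeating XOR key, the scheme described above for
# com.android.root.adbRoot.crypto and the byte array u in com.android.root.Setting.
# The key and bytes below are constructed stand-ins; the host is a placeholder,
# not the C&C address from the analysis.

def xor_bytes(data, key):
    """XOR data with a repeating key. XOR is its own inverse, so this both obfuscates and recovers."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(blob, known_prefix, key_len):
    """Known-plaintext recovery: if the blob must decode to something starting with
    known_prefix, then key[i] = blob[i] ^ known_prefix[i] for the first key_len bytes.
    Returns None when the prefix is shorter than the key or the candidate does not fit."""
    if len(known_prefix) < key_len or len(blob) < len(known_prefix):
        return None
    key = bytes(blob[i] ^ known_prefix[i] for i in range(key_len))
    # Prefix bytes beyond key_len must also decode correctly under the candidate key.
    if xor_bytes(blob[:len(known_prefix)], key) != known_prefix:
        return None
    return key

def guess_key(blob, known_prefix, max_key_len=16):
    """Try key lengths 1..max_key_len (capped by the prefix length) and accept the first
    candidate whose full decode is printable ASCII, as a URL must be."""
    for n in range(1, max_key_len + 1):
        key = recover_key(blob, known_prefix, n)
        if key is not None and all(32 <= b < 127 for b in xor_bytes(blob, key)):
            return key
    return None

def decode_url(u, key):
    """Decode the obfuscated byte array with an already-known embedded key."""
    return xor_bytes(u, key).decode("ascii")

CONSTRUCTED_KEY = bytes([0x5A, 0x13, 0x77, 0x2E, 0x09])          # constructed, not the real key
PLACEHOLDER_URL = b"http://cnc.example.invalid:8080/GMServer/GMServlet"  # placeholder host
CONSTRUCTED_U = xor_bytes(PLACEHOLDER_URL, CONSTRUCTED_KEY)      # stand-in for byte array u
```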

The First Payload

The second step: attempt to root the device.
Check for the presence of /system/bin/profile.
If it exists, do not re-infect; otherwise continue the infection process.
Two methods to exploit:
exploid
rageagainstthecage

The First Payload

After that has completed, the malware checks to see if the package com.android.providers.downloadsmanager is installed.
If it is not found, it will install the second payload, which is bundled as sqlite.db.
This part will be copied to the /system/app/ directory, installing itself as DownloadProviderManager.apk.
After the above steps have completed, the first payload is done.
It only implements this one mode of infection, then waits for the second payload it installed to do the rest of the work.

The Second Payload

DownloadProviderManager.apk
No icon.
It can't be found by other user-managed applications, since it is installed on the /system partition.
It is not executed by the user, but triggered by Intents it listens for on the device.

The Second Payload

In AndroidManifest.xml:
DownloadCompleteReceiver
DownloadManageService

The Second Payload

DownloadCompleteReceiver.onReceive
    {
        if (SQLite database in process for sync)
            determine
        else
            get date and NextConnectTime;
            if (date - NextConnectTime >= 5)
                call Download_Completed to update
    }

The attacker installs the SQLite database he needs as DownloadProviderManager, so the original SQLite is shut down.
Contact the C&C server.

The Second Payload

DownloadManageService
1. A timer-scheduled task, com.android.providers.downloadsmanager.d, runs for two hours at a time with a delay of two minutes between executions.
2. It initializes the SQLite tables.
3. It manages the download handler.
This is evident in the onCreate() method of DownloadManageService, as shown:


    DownloadManageService {
        onCreate() {
            get and save SQLite handler
            create shared_preference manager obj.
            return 2mins   // delay
            return 2hours  // execution
        }
        get now
        while (now is between 23:00 and 8:00) {
            download something
            get sensitive information
            send sensitive information
        }
    }

This night-time schedule is why the malware is called DroidDream.


    DownloadManageService {
        onCreate() { create the timer task obj. }
        get now
        while (now is between 23:00 and 8:00) {
            while (!DOWNLOAD_COMPLETED) {
                switch (entity state) {
                    case not started: initiate;
                    case stale: remove;
                }
            }
            get sensitive information
            send sensitive information
        }
    }

It will do these things:
1. remount /system writable
2. copy to /system/app
3. drop the apk in a temp dir
Similar to payload one.


    DownloadManageService {
        onCreate() { create the timer task obj. }
        get now
        while (now is between 23:00 and 8:00) {
            download something
            get ProductID      // specific to the DroidDream variant
            get Partner        // specific to the DroidDream variant
            get IMSI, IMEI, Model & SDK value, Language, Country
            get UserID         // though this does not appear to be fully implemented
            content = above values
            send sensitive information
        }
    }



    DownloadManageService {
        onCreate() { create the timer task obj. }
        get now
        while (now is between 23:00 and 8:00) {
            download something
            get sensitive information (content)
            initiate HTTP processor(command, content)   // discussed later
            something to check, save or close
        }
    }


HTTP processor

    com.android.providers.downloadsmanager.a(int command, ContentValues content) {
        switch (command)
            do command request;   // incomplete
        get encrypted URL and decrypt it
            // key in com.android.root.adbRoot.crypto
            // URL (C&C server) in the com.android.root.Setting class
        transmit as XML and send to URL
        get C&C response
        new shared obj. and assign NextConnectTime
    }




First payload
Root the device and install the apk that the second stage needs.

Second payload
Downloading and installing anything that the author(s) choose to serve it.
Checks in with its C&C and updates installed components.

Conclusion

Very structured.
Incomplete functions to monitor ratings, comments, asset IDs and install states.
Guess: the author intended to monitor Market activity and potentially rate/comment.
Google remotely removed the DroidDream-related applications.
Restoring the device to factory settings does not yield a clean environment; the tool provided by Google must also be downloaded and installed to remove the related vulnerabilities and malware.

Reference

http://www.androidpolice.com/2011/03/01/the-mother-of-all-android-malware-has-arrived-stolen-apps-released-to-the-market-that-root-your-phone-steal-your-data-and-open-backdoor/
http://www.reddit.com/r/netsec/comments/fvhdw/someone_just_ripped_off_21_popular_free_apps_from/
http://blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/
http://blog.mylookout.com/droiddream/