
Do Androids Dream- DroidDream Malware


Presentation Transcript


  1. Do Androids Dream - DroidDream Malware. Presenter: 劉旭哲

  2. Introduction
  • More than 50 applications have been found to be infected with a new type of Android malware called DroidDream.
  • Lompolo discovered the first instances of this malware.
  • He analyzed two suspicious applications and found that they contain exploit code that can break out of Android's application security sandbox.

  3. Introduction
  • A blogger at Android Police took a closer look at the malicious applications:
  • they can root a user's device
  • they send sensitive information (IMEI and IMSI) to a remote server
  • there is another APK hidden inside the code
  • The attackers repackaged the malware as legitimate software and placed it on the App Market.

  4. How does it work?
  • The malware can't start automatically; it requires the user to manually run the infected application.
  • The malware has modified the AndroidManifest.xml to launch itself prior to the primary app's activity.

  5. The First Payload
  • com.android.root.Setting will notify the C&C server and attempt to root the device.
  • First the malware will contact the C&C server, identifying the compromised device.
  (Speaker note: define the malware.)

  6. The First Payload
  • pref_config_setting -> done
  • Used to check in to the server.
  • If ( request == response )
  •   done = 1
  • Once done is set the malware will not check in again, so the application performs only one check-in.

  7. The First Payload
  • com.android.root.adbRoot.crypto
  • a simple XOR with an embedded key
  • decrypts the C&C server's URL
  • stored in the byte array u in the com.android.root.Setting class
  • 184.105.245.17:8080/GMServer/GMServlet
  • This is the first step in the first payload: connect and log in to the C&C server.
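The slide says the C&C URL is stored XOR-ed against an embedded key. The following is an added example, not code from the slides or from the sample itself, showing how an analyst recovers such a string once the key is known, and how a known plaintext prefix (for instance the leading digits of an IP address) gives back the key bytes when it is not. The key `DDream` and the encoded byte array are constructed for this example; only the decoded URL is taken from the slide.

```python
# Added example (not from the slides): a minimal model of the XOR "crypto" the
# slides describe, used from the analyst's side to recover an obfuscated string.
# EMBEDDED_KEY and ENCODED_URL are CONSTRUCTED; only the decoded URL is from the slide.

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is its own inverse, so the same
    function both encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed key (assumption: the real sample's key is not given on the slides).
EMBEDDED_KEY = b"DDream"

# Constructed: how the URL from the slide would look once stored XOR-ed in a byte array.
ENCODED_URL = xor_bytes(b"184.105.245.17:8080/GMServer/GMServlet", EMBEDDED_KEY)


def decode_url(encoded: bytes, key: bytes = EMBEDDED_KEY) -> str:
    """Recover the plaintext string the way an analyst would once the key is known."""
    return xor_bytes(encoded, key).decode("ascii")


def recover_key(encoded: bytes, known_prefix: bytes) -> bytes:
    """Known-plaintext trick: if the analyst can guess the first bytes of the
    plaintext (e.g. 'http' or the start of an IP address), XOR-ing them with the
    stored bytes yields the key bytes at those positions."""
    return xor_bytes(encoded[: len(known_prefix)], known_prefix)


if __name__ == "__main__":
    print(decode_url(ENCODED_URL))            # the C&C URL from the slide
    print(recover_key(ENCODED_URL, b"184.10"))  # b'DDream'
```

`recover_key` returns as many key bytes as the guessed prefix covers; with a repeating key shorter than the prefix, the returned bytes repeat and the key length can be read off directly.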

  8. The First Payload
  • The second step: attempt to root the device
  • checks for the presence of /system/bin/profile
  • If it exists, do not re-infect; otherwise continue the infection process.
  • Two methods to exploit:
  • exploid
  • rageagainstthecage

  9. The First Payload
  • After rooting has completed, the malware checks to see if the package com.android.providers.downloadsmanager is installed.
  • If not found, it will install the second payload, which is bundled as sqlite.db.
  • This file is copied to the /system/app/ directory, installing itself as DownloadProviderManager.apk.

  10. After the above steps have completed, the first payload is done.
  • It only implements this one mode of infection, then waits for the second payload it installed to do the rest of the work.
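Slides 8 to 10 name three on-device artifacts of the first payload: the /system/bin/profile marker it checks before re-infecting, the DownloadProviderManager.apk it copies into /system/app/, and the com.android.providers.downloadsmanager package it installs. The following is an added triage check, not code from the slides, that applies those indicators to an inventory an analyst would pull from a device (file paths and installed package names). The two inventories at the bottom are constructed.

```python
# Added example (not from the slides): a triage check over a device inventory using
# the first-payload indicators named on slides 8-10. The inventories are CONSTRUCTED.

from dataclasses import dataclass, field

# Indicator values taken from the slides.
ROOT_MARKER_FILE = "/system/bin/profile"   # marker the payload checks to avoid re-infection
DROPPED_APK = "/system/app/DownloadProviderManager.apk"
DROPPED_PACKAGE = "com.android.providers.downloadsmanager"


@dataclass
class DeviceInventory:
    files: set[str] = field(default_factory=set)       # e.g. from a recursive listing of /system
    packages: set[str] = field(default_factory=set)    # e.g. from the package manager's list


def triage_first_payload(inv: DeviceInventory) -> list[str]:
    """Return the indicators present in the inventory.

    The marker file only shows that the rooting step ran; the dropped APK and the
    package show that the second payload was actually installed, so verdict()
    weighs them differently."""
    findings = []
    if ROOT_MARKER_FILE in inv.files:
        findings.append(f"marker file present: {ROOT_MARKER_FILE}")
    if DROPPED_APK in inv.files:
        findings.append(f"dropped APK present: {DROPPED_APK}")
    if DROPPED_PACKAGE in inv.packages:
        findings.append(f"package installed: {DROPPED_PACKAGE}")
    return findings


def verdict(findings: list[str]) -> str:
    """Summarise findings as clean / suspicious / infected."""
    strong = [f for f in findings if f.startswith(("dropped APK", "package installed"))]
    if strong:
        return "infected"
    if findings:
        return "suspicious"
    return "clean"


# Constructed inventories for demonstration.
CLEAN_DEVICE = DeviceInventory(
    files={"/system/app/Browser.apk", "/system/bin/sh"},
    packages={"com.android.browser", "com.android.providers.downloads"},
)
INFECTED_DEVICE = DeviceInventory(
    files={"/system/app/Browser.apk", "/system/bin/sh", ROOT_MARKER_FILE, DROPPED_APK},
    packages={"com.android.browser", "com.android.providers.downloads", DROPPED_PACKAGE},
)

if __name__ == "__main__":
    for name, inv in (("clean", CLEAN_DEVICE), ("infected", INFECTED_DEVICE)):
        found = triage_first_payload(inv)
        print(name, verdict(found), found)
```

Because the second payload sits on the /system partition, an inventory taken only from user-installed apps would miss it; the file listing of /system/app is what makes the check meaningful.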

  11. The Second Payload
  • DownloadProviderManager.apk
  • has no icon
  • can't be found by other user-managed applications since it is installed on the /system partition
  • not executed by the user, but triggered by Intents it listens for on the device

  12. The Second Payload
  • in AndroidManifest.xml:
  • DownloadCompleteReceiver
  • DownloadManageService

  13. The Second Payload
  • DownloadCompleteReceiver.onReceive
  • {
  •   If ( SQLite database is in process for sync )
  •     determine
  •   Else
  •     get date and NextConnectTime;
  •     If ( date - NextConnectTime >= 5 )
  •       Call Download_Completed to update
  • }
  (Speaker notes: contact the C&C server. The attacker installs the SQLite he needs as DownloadProviderManager, so the original SQLite is shut off.)

  14. The Second Payload
  • DownloadManageService:
  • timer-scheduled task
  • com.android.providers.downloadsmanager.d
  • runs for two hours at a time
  • with a delay of two minutes between executions
  • initializes the SQLite tables
  • manages the download handler
  • This is evident in the onCreate() method of DownloadManageService, as shown.

  15. DownloadManageService {
  •   onCreate() {
  •     get and save SQLite handler
  •     create shared_preference manager obj.
  •     return 2 mins   // delay
  •     return 2 hours  // execution
  •   }
  •   get now
  •   while ( now is between 23:00 and 8:00 ) {
  •     download something
  •     get sensitive information
  •     send sensitive information
  •   }
  • }
  • This is why the malware is called DroidDream.

  16. DownloadManageService {
  •   onCreate() { create the time task obj. }
  •   get now
  •   while ( now is between 23:00 and 8:00 ) {
  •     while ( ! DOWNLOAD_COMPLETED ) {
  •       switch ( entity state ) {
  •         case not started: initiate;
  •         case stale: remove;
  •       }
  •     }
  •     get sensitive information
  •     send sensitive information
  •   }
  • }
  • It will do these things:
  • 1. remount /system writable
  • 2. copy to /system/app
  • 3. drop apk in temp dir
  • Similar to payload one

  17. DownloadManageService {
  •   onCreate() { create the time task obj. }
  •   get now
  •   while ( now is between 23:00 and 8:00 ) {
  •     download something
  •     get ProductID  // specific to the DroidDream variant
  •     get Partner    // specific to the DroidDream variant
  •     get IMSI, IMEI, Model & SDK value, Language, Country
  •     get UserID     // though this does not appear to be fully implemented
  •     content = above values
  •     send sensitive information
  •   }
  • }

  18. DownloadManageService {
  •   onCreate() { create the time task obj. }
  •   get now
  •   while ( now is between 23:00 and 8:00 ) {
  •     download something
  •     get sensitive information (content)
  •     Initiate HTTP processor (command, content)  // discussed later
  •     something to check, save or close
  •   }
  • }

  19. HTTP processor
  • com.android.providers.downloadsmanager.a(int command, ContentValues content) {
  •   switch ( command )
  •     do command request;  // incomplete
  •   get encrypted URL and decrypt it  // key in com.android.root.adbRoot.crypto; URL (C&C server) in the com.android.root.Setting class
  •   transmit as XML and send to URL
  •   get C&C response
  •   new shared obj. and assign NextConnectTime
  • }
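Slides 13 to 19 describe when the second payload talks to its server: a timer task with a two-minute delay and a two-hour period, collection and sending only while the clock is between 23:00 and 8:00, and a receiver gate of the form date - NextConnectTime >= 5. The following is an added model of that schedule, not code from the slides, written from the detection side: given when the service started, at which times should one expect beacon traffic? Two assumptions are made that the slides do not state: the 2-minute/2-hour pair is treated as a timer's initial delay and period, and the check-in threshold 5 is compared in the same (unspecified) unit as NextConnectTime. The start time at the bottom is constructed.

```python
# Added example (not from the slides): a model of the second payload's beaconing
# schedule as described on slides 13-19, used to predict when traffic is expected.
# ASSUMPTIONS: 2 min / 2 h are a timer's initial delay and period; the gate value 5
# is in the same unit as NextConnectTime (the slides give no unit).

from datetime import datetime, time, timedelta

INITIAL_DELAY = timedelta(minutes=2)   # "return 2 mins  // delay"
PERIOD = timedelta(hours=2)            # "return 2 hours // execution"
WINDOW_START = time(23, 0)             # "now is between 23:00 and 8:00"
WINDOW_END = time(8, 0)


def in_night_window(t: datetime, start: time = WINDOW_START, end: time = WINDOW_END) -> bool:
    """True if the clock time of t lies in [start, end).

    A window that crosses midnight (start > end) accepts times on either side of
    midnight; a same-day window (start < end) is a plain range."""
    clock = t.time()
    if start > end:
        return clock >= start or clock < end
    return start <= clock < end


def scheduled_firings(service_start: datetime, horizon: timedelta) -> list[datetime]:
    """All timer firings from service_start up to service_start + horizon."""
    firings = []
    t = service_start + INITIAL_DELAY
    while t <= service_start + horizon:
        firings.append(t)
        t += PERIOD
    return firings


def active_firings(service_start: datetime, horizon: timedelta) -> list[datetime]:
    """Only the firings inside the night window: the times data would be sent."""
    return [t for t in scheduled_firings(service_start, horizon) if in_night_window(t)]


def should_check_in(now_value: int, next_connect_time: int, threshold: int = 5) -> bool:
    """The receiver's gate from slide 13: date - NextConnectTime >= 5."""
    return now_value - next_connect_time >= threshold


if __name__ == "__main__":
    start = datetime(2011, 3, 1, 20, 0)   # constructed: service started at 20:00 on 1 March 2011
    for t in active_firings(start, timedelta(days=1)):
        print(t.isoformat())
```

For the constructed start time the timer fires twelve times in 24 hours but only the 00:02, 02:02, 04:02 and 06:02 firings fall inside the window, which is the kind of regular night-time pattern a traffic baseline would surface even when the destination URL is not yet known.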

  20. First payload:
  • roots the device and installs the apk that the second stage needs
  • Second payload:
  • downloads and installs anything that the author(s) choose to serve it
  • checks in with its C&C and updates installed components

  21. Conclusion
  • very structured
  • incomplete functions to monitor ratings, comments, asset IDs, and install states
  • guess: the author intended to monitor Market activity and potentially rate/comment
  • Google remotely removed the DroidDream-related apps.
  • Restoring the device to factory settings does not give a clean environment; the user must also download and install the tool provided by Google to remove the related vulnerabilities and malware.

  22. Reference
  • http://www.androidpolice.com/2011/03/01/the-mother-of-all-android-malware-has-arrived-stolen-apps-released-to-the-market-that-root-your-phone-steal-your-data-and-open-backdoor/
  • http://www.reddit.com/r/netsec/comments/fvhdw/someone_just_ripped_off_21_popular_free_apps_from/
  • http://blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/
  • http://blog.mylookout.com/droiddream/
