A detailed analysis of the DroidDream Trojan that was found in dozens of apps in the Android Market this week shows that the malware has a modular construction that likely was designed to give attackers the ability to monetize infected devices through installations of adware or spyware.
The Trojan itself is not especially clever or sophisticated and its communications with its command-and-control server on the back end are essentially by the book, as well. After infection, the DroidDream malware calls home to its C&C server to announce its presence and ask for further instructions. That’s all rote, pro forma stuff.
What’s most interesting in the DroidDream construction is that the Trojan is designed to act mainly as a downloader module, a shell to pull down other malicious modules in the future. This is the kind of malicious behavior that has been common in desktop and server malware for years now, but hasn’t been seen widely on mobile devices as of yet. Most mobile malware up till now has been designed to carry out one or two specific tasks, say sending SMS messages to premium numbers or stealing online banking credentials.
“The highly modular architecture of the Trojan is interesting and points out a few important conclusions. First of all, it has been designed to be easy to include in popular applications, to be uploaded on the Market with misleading names. Secondly, it has a classical command-and-control architecture – it sends an initial ‘I’m here’ query with basic info and then deploys a more complex downloader to infect the device further,” Kaspersky Lab malware researcher Denis Maslennikov wrote in his analysis of the DroidDream Trojan. “This is pretty similar to many Windows Trojans. Finally, the ability to install other applications on the devices hints at the way through which the author was planning to monetize the infections – by deploying Adware or Advertising-supported apps on the
DroidDream was found in several dozen applications that were in the official Android Market this week. The apps that included the Trojan apparently were uploaded by three publishers after they had been loaded with the malware. Google quickly removed the apps from the market after researchers notified the company. Researchers estimated that more than 50,000 users had downloaded at least one of the apps, and some other estimates put the number at closer to 200,000 downloads.
The placement of malicious or malware-infected apps in mobile marketplaces has emerged as one of the more troubling attack vectors in the last year or so. None of the major mobile markets does a full code review of apps before they are published, and users tend to place a higher level of trust in apps from the iTunes App Store or Android Market than in apps from third-party providers. Attackers have begun to exploit these app store weaknesses in recent months, and that trend is only going to expand as the penetration of smartphones continues to rise and the value of the data on those devices increases.