Security Alert: New SMS Android Trojan -- DroidLive -- Being Disguised as a Google Library

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University

Threat Summary

My research group, in collaboration with NQ Mobile, recently uncovered another SMS Trojan, named DroidLive, in third-party Android markets. The malware disguises itself as a Google library but in fact receives commands from a remote Command and Control (C&C) server, which direct it to send text messages to premium numbers, make phone calls, collect personal information, and carry out other nefarious activities. One unusual behavior of this malware is that it attempts to install itself as a device administration app. This requires user consent, but if consent is given, DroidLive obtains privileges normally reserved for device management software (for example, locking the device or wiping its data), and an active device administrator cannot be uninstalled through the usual Settings route until its administrator status is deactivated. To the best of our knowledge, this is the first malware that takes advantage of the device administration API.

How It Works

DroidLive is structured as a constellation of services and receivers that communicate through Android's standard inter-component mechanism (Intents carried over Binder IPC). These relationships, illustrated in the accompanying diagram, are as follows:

  1. At the heart of DroidLive is a main control service, MainService, which other parts of the Trojan invoke through Android's IPC mechanisms. The service takes action based on a command string passed to it when it is invoked; these strings are plain, human-readable text. MainService is initially started by broadcast receivers that listen for 17 different system events.
  2. Once invoked, the malware uses message queues and Android's alarm functionality to wake up periodically and contact its C&C server (http://xxxxxxxxxxxx/androidService/services/AndroidService). As part of this check-in, DroidLive sends a large amount of information to the server, including the device's unique hardware identifier (IMEI), the current cell tower identifier (CID), the subscriber identifier (IMSI), and more. In return, the server sends back a list of actions for the bot to perform.
  3. DroidLive supports several commands, each handled by a dedicated component. It can send text messages, make phone calls, or attempt to install itself as a device administration app. This last action requires user consent, but if consent is granted, DroidLive gains privileges normally reserved for device management software. Inside the device admin code, it obtains a list of all the apps running on the device. Note that device admin access would also permit other privileged actions, such as wiping all the data on the device.

This Trojan attempts to hide by posing as a Google library: all of its functionality is contained in a package whose name follows Google's own package naming convention. Our analysis shows that it is careful not to employ too many suspicious techniques to hide internal data. The C&C server's address, however, is hidden within the app's resource data and is retrieved and decrypted only at runtime. This is a more subtle technique than embedding the encrypted string directly in the app's code, which is where an analyst looks first.
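The structural indicators above (receivers hooked to many system events, a device-administration receiver, SMS/call/identity permissions, and a package name borrowed from Google's namespace) can all be read off a decoded AndroidManifest.xml before any dynamic analysis. The following triage script is an added example and is not code from the original post or from NQ Mobile's analysis. The embedded manifest is constructed to mirror the described behavior; its package and component names are hypothetical, and a handful of broadcast actions stand in for the 17 real ones. Run it against the manifest that apktool produces from an APK.

```python
"""Static triage of a decoded AndroidManifest.xml for DroidLive-style
indicators. Added example, not code from the original post or NQ Mobile.
SAMPLE_MANIFEST is constructed; its package and component names are
hypothetical. Real manifests must be decoded from binary XML first
(e.g. with apktool) before they can be parsed here."""
import xml.etree.ElementTree as ET

# ElementTree stores namespaced attributes as "{uri}localname".
A = "{http://schemas.android.com/apk/res/android}"

# Permissions that together support the behaviour in the write-up:
# premium SMS, outbound calls, IMEI/IMSI, boot persistence, network C&C.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.INTERNET",
}
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
# Package prefixes a trojan might borrow to look like a Google component.
GOOGLE_PREFIXES = ("com.google.", "com.android.")

# Constructed sample; package and component names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.google.android.hypothetical.lib">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".MainService"/>
    <receiver android:name=".SystemEventReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
          android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage(manifest_xml):
    """Return indicators and human-readable findings for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    permissions = {e.get(A + "name") for e in root.iter("uses-permission")}

    listened_actions = set()
    device_admin_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(A + "name") for a in receiver.iter("action")}
        listened_actions |= actions
        # A device-admin receiver is protected by BIND_DEVICE_ADMIN and
        # handles DEVICE_ADMIN_ENABLED; either marker is enough to flag it.
        if (DEVICE_ADMIN_ACTION in actions
                or receiver.get(A + "permission") == BIND_DEVICE_ADMIN):
            device_admin_receivers.append(receiver.get(A + "name"))

    claims_google = package.startswith(GOOGLE_PREFIXES)
    findings = []
    if claims_google:
        findings.append("package %r sits in Google's namespace: verify the "
                        "signing certificate before trusting it" % package)
    if device_admin_receivers:
        findings.append("registers device admin receiver(s) %s: once enabled it "
                        "can lock/wipe the device and cannot be uninstalled until "
                        "deactivated" % ", ".join(device_admin_receivers))
    if {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"} <= permissions:
        findings.append("holds SEND_SMS and CALL_PHONE: can text and dial "
                        "premium numbers without user interaction")
    if {"android.permission.READ_PHONE_STATE",
            "android.permission.INTERNET"} <= permissions:
        findings.append("READ_PHONE_STATE plus INTERNET: can exfiltrate "
                        "IMEI/IMSI to a C&C server")
    if len(listened_actions) >= 4:
        findings.append("%d distinct broadcast actions wake its receivers: "
                        "persistence with no user-visible activity"
                        % len(listened_actions))

    return {
        "package": package,
        "claims_google_namespace": claims_google,
        "device_admin_receivers": device_admin_receivers,
        "listened_actions": sorted(listened_actions),
        "risky_permissions": sorted(permissions & RISKY_PERMISSIONS),
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST)["findings"]:
        print("-", finding)
```

None of these indicators is conclusive on its own (legitimate device-management and messaging apps hold the same permissions), which is why the script reports each finding separately rather than a single verdict; the combination of a device-admin receiver, SEND_SMS plus CALL_PHONE, and a borrowed Google package name is what should send a sample to deeper analysis.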

Mitigation

Because DroidLive can be remotely controlled, we consider it a serious threat to mobile users. For mitigation, please follow common-sense guidelines for smartphone security. For example,

Follow-ups

Last modified: November 11th, 2011