Security Alert: New SMS Android Trojan -- DroidLive -- Being Disguised as a Google Library
By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
Threat Summary
My research group, in collaboration with NQ Mobile,
recently uncovered another SMS Trojan named -- DroidLive -- in third-party Android markets.
The malware attempts to disguise itself as a Google library, but actually receives commands from
a remote Command and Control (C&C) server, which allow it to engage in sending text messages
to premium numbers, making phone calls, collecting personal information, and other nefarious activities.
Also, one unusual behavior of this malware is its attempt to install itself as a
device administration app. Though this requires user consent, if such consent is given, DroidLive can
obtain privileges closer to those granted only to the device's
firmware. To the best of our knowledge, this is the first malware that takes advantage of
the device administration API.
How It Works
DroidLive is structured as a constellation of services and receivers that
communicate using Android's standard inter-app communication layer (i.e., Binder). These
relationships are shown in the following diagram:
- DroidLive's heart is a main control service, MainService, which is invoked
via the Android IPC mechanisms by other parts of the Trojan. This service takes
action based on a string passed to it when it is invoked; these strings are
in plain, human-readable text. MainService is initially invoked by other
receivers that listen for a variety of system events (17 in all).
- Once the malware has been initially invoked, it uses message queues and
Android's alarm functionality to periodically wake up and contact its C&C
server (http://xxxxxxxxxxxx/androidService/services/AndroidService). As part of
this process, DroidLive sends a large amount of information to the server,
including the device's unique hardware identifier (IMEI), current cell tower
identifier (CID), subscriber identifier (IMSI) and more. In return, the server
sends a list of actions for the bot to perform.
- DroidLive features several commands, which are handled by dedicated
components. It can send text messages, make phone calls, or attempt to install
itself as a device administration app. This last feature requires user consent, but if
granted it gives DroidLive privileges closer to those granted only to the device's
firmware. Inside the device admin code, it obtains a list of all the
apps running on the device. Note that this device admin-level access
would allow other privileged actions, such as wiping all the data on the device.
This Trojan attempts to hide itself by appearing as a Google library -- all of its
functionality is contained in a package that matches Google's own package naming
convention. Our analysis shows that it is careful not to employ too many
suspicious techniques to hide internal data. But the C&C server's
address is cunningly hidden within the app's resource data, being retrieved and
decrypted at runtime. This is a more subtle technique than the alternative of
simply embedding such encrypted data directly in the app's code itself.
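The traits described above (a package name in Google's namespace, SMS and call permissions, a device administration receiver, and a broad set of system-event receivers) are all visible in an app's manifest before it is ever run. The following triage script is an added example, not code from the original report or from DroidLive: it parses a decoded AndroidManifest.xml (the form apktool produces) and reports which of those indicators are present. The sample manifest is constructed for illustration, and the event threshold of 3 is an assumed value.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace
# Constructed decoded manifest (the form apktool emits) modelled on the traits
# described above; it is NOT DroidLive's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.google.android.sample.library">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".MainService"/>
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text, event_threshold=3):  # threshold is an assumed value
    """Return the DroidLive-style indicators present in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    receivers = list(root.iter("receiver"))
    # distinct system events that can wake the app through a manifest receiver
    events = {a.get(A + "name") for r in receivers for a in r.iter("action")}
    findings = []
    if root.get("package", "").startswith("com.google."):
        findings.append("package name mimics Google's namespace")
    if {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"} <= perms:
        findings.append("can send SMS and place calls")
    if {"android.permission.READ_PHONE_STATE", "android.permission.INTERNET"} <= perms:
        findings.append("can read IMEI/IMSI and reach a remote server")
    if any(r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
           for r in receivers):
        findings.append("declares a device administration receiver")
    if len(events) >= event_threshold:
        findings.append("woken by %d system events" % len(events))
    return findings
```

None of these indicators is malicious on its own (legitimate device-management apps declare the same receiver), so the output is a prompt for closer inspection, not a verdict.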
Mitigation:
Because DroidLive can be remotely controlled, we consider that it poses a serious
threat to mobile users. For mitigation, please follow common-sense guidelines for smartphone security. For example,
- download apps from reputable app stores that you trust; and always check reviews, ratings as well as developer information before downloading;
- check the permissions on apps before you actually install them and make sure you are comfortable with the data they will be accessing;
- be alert for unusual behavior on the part of mobile phones and make sure you have up-to-date security software installed on your phone.
Follow-ups:
- 11/11/2011: This article goes public.
- 11/5/2011: We detected the first DroidLive malware.
Last modified: November 11th, 2011