Nastier DroidDreamLight malware on the loose

A new variant of the DroidDreamLight malware targeting devices that run Google’s Android operating system has been discovered, this time with the potential ability to quietly install and uninstall packages.

Computer security firm Trend Micro said the new variant, found in a China-based third-party application store, is disguised as battery-monitoring and task-listing tools.

“Please note … that the apps are in English, so potential victims are not limited to users who understand Chinese,” it noted in a blog post.

Trend Micro said its software can detect the malware as AndroidOS_DORDRAE.N.

It said the code changes included information theft routines, which can collect SMS messages, call logs, contacts lists and information related to Google accounts on the device.

The stolen information is stored and compressed in the /data/data/%package name%/files directory, and then uploaded to a URL contained in a configuration file.

“Just like with previous variants, it also connects to a URL in the configuration file and then uploads other information about the infected device,” it said.

Among the uploaded information are:

– Phone model
– Language setting
– Country
– IMEI
– IMSI
– SDK version
– Package name of the malicious application
– Information about installed applications

Once the URL receives the information, it will reply with an encrypted configuration file, which updates the existing configuration file.

Trend Micro said an analysis of the code showed this malware can insert messages in the inbox of the affected device, with the sender and message body specified by the attacker, and can also send messages to numbers in the contacts list.

“Furthermore, this new variant also has codes that can check if the affected device has been rooted by checking for certain files. We found that this malware can install and uninstall packages if the device is rooted, although there is currently no code in the body that calls these methods,” it added.

Users can check whether their phone is infected by going to Settings > Applications > Running Services and looking for the service called “CelebrateService.” — TJD, GMA News
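The same running-service check can be done from a workstation over adb. The script below is an added example, not code from the article or from Trend Micro. It assumes the usual `ServiceRecord{... package/class}` lines printed by `dumpsys activity services`; the function name and the sample package names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list packages hosting a service whose class is named
# exactly "CelebrateService" (the service name given in the article).
# Real use:  adb shell dumpsys activity services | find_ioc_service

IOC_SERVICE="CelebrateService"

# Reads dumpsys text on stdin, prints one matching package name per line.
find_ioc_service() {
    awk -v ioc="$IOC_SERVICE" '
        index($0, "ServiceRecord{") {
            # The component is the last token, e.g. "com.app/.Svc}"
            comp = $NF
            sub(/[}].*$/, "", comp)
            if (split(comp, parts, "/") != 2) next
            pkg = parts[1]
            # Reduce ".Svc" or "com.app.core.Svc" to the simple class name.
            m = split(parts[2], segs, "[.]")
            # Exact match only, so "CelebrateServiceHelper" is not flagged.
            if (segs[m] == ioc && !(pkg in seen)) {
                seen[pkg] = 1
                print pkg
            }
        }
    '
}

# Constructed sample input (not captured from a real device).
SAMPLE='ACTIVITY MANAGER SERVICES (dumpsys activity services)
  * ServiceRecord{40a1b2c3 com.android.phone/.TelephonyDebugService}
    intent={cmp=com.android.phone/.TelephonyDebugService}
  * ServiceRecord{40d4e5f6 com.example.batterymon/.CelebrateService}
    intent={cmp=com.example.batterymon/.CelebrateService}
  * ServiceRecord{40aa0011 com.example.tasklist/com.example.core.CelebrateService}
  * ServiceRecord{40bb0022 com.example.party/.CelebrateServiceHelper}
'

printf '%s' "$SAMPLE" | find_ioc_service
```

Any package it prints is worth inspecting further, since the article notes the malware is disguised as battery-monitoring and task-listing tools.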

Article source: http://ph.news.yahoo.com/nastier-droiddreamlight-malware-loose-101411766.html
