Do Androids Dream- DroidDream Malware PowerPoint Presentation
Presenter: 劉旭哲

Presentation Transcript
Introduction
  • More than 50 applications have been found to be infected with a new type of Android malware called DroidDream.
  • Lompolo discovered the first instances of this malware.
  • He analyzed two suspicious applications and found that they contain exploit code that can break out of Android’s application security sandbox.
Introduction
  • A blogger at Android Police took a closer look at the malicious applications, which:
    • can root a user’s device
    • send sensitive information (IMEI and IMSI) to a remote server
    • contain another APK hidden inside the code
  • The attackers repackaged the malware into legitimate apps and published them on the Android Market.
How it works
  • The malware can’t start automatically
    • requires the user to manually run the infected application
  • The malware modifies the AndroidManifest.xml so that it launches before the primary app’s activity.
The First Payload
  • com.android.root.Setting will notify the C&C server and attempt to root the device.
    • First the malware contacts the C&C server, identifying the compromised device.

Define the malware

The First Payload
  • pref_config_setting -> done
    • used to record the check-in with the server
  • If ( request == response )
    • done = 1
    • the malware will not check in again, so the application performs only one check-in
The First Payload
  • com.android.root.adbRoot.crypto
    • a simple XOR with an embedded key
    • decrypts the C&C server’s URL
    • stored in the byte array u in the com.android.root.Setting class
    • 184.105.245.17:8080/GMServer/GMServlet
  • This is the first step in the first payload
    • connect and log in to the C&C server
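The slides describe the URL decryption as a plain XOR against an embedded key. The block below is an added example, not code from the slides or from the DroidDream sample itself: it shows how an analyst undoes a repeating-key XOR, and how the key can be recovered from a known plaintext prefix such as "http://" when the embedded key is not obvious from the decompiled code. The key and URL used here are constructed placeholders, not the real values.

```python
# Added example (not from the slides or from DroidDream): repeating-key XOR
# string obfuscation, undone during analysis, plus known-plaintext key recovery.


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key of length key_len from a known plaintext
    prefix. The known prefix must be at least as long as the key."""
    if len(known_prefix) < key_len:
        raise ValueError("known prefix shorter than key length")
    return bytes(ciphertext[i] ^ known_prefix[i] for i in range(key_len))


# Constructed sample key and URL (placeholders, NOT the real DroidDream values).
SAMPLE_KEY = b"k3y!"
SAMPLE_URL = b"http://c2.example.invalid/check-in"
# This is what the obfuscated byte array embedded in the class would look like.
EMBEDDED_BLOB = xor_with_key(SAMPLE_URL, SAMPLE_KEY)


def decrypt_embedded_url(blob: bytes = EMBEDDED_BLOB, key: bytes = SAMPLE_KEY) -> str:
    """Analyst path 1: the key was found in the code, decode directly."""
    return xor_with_key(blob, key).decode("ascii")


def recover_url_without_key(blob: bytes = EMBEDDED_BLOB, key_len: int = 4) -> str:
    """Analyst path 2: the key is not known, but the plaintext is known to be
    a URL, so the leading "http://" reveals the key bytes."""
    key = recover_key(blob, b"http://", key_len)
    return xor_with_key(blob, key).decode("ascii")


if __name__ == "__main__":
    print(decrypt_embedded_url())
    print(recover_url_without_key())
```

If the key length is unknown, try each small length in turn and keep the one whose decoded output is printable throughout; a 7-byte known prefix recovers keys up to 7 bytes directly.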
The First Payload
  • The second step: attempts to root the device
    • checks for the presence of /system/bin/profile
    • if it exists, the device is not re-infected; otherwise the infection process continues
  • Two methods used to exploit:
    • exploid
    • rageagainstthecage
The First Payload
  • After that completes, the malware checks whether the package com.android.providers.downloadsmanager is installed.
  • If it is not found
    • it installs the second payload, which is bundled as sqlite.db
    • this part is copied to the /system/app/ directory, installing itself as DownloadProviderManager.apk

After the above steps have completed, the first payload is done.

  • It only implements this one mode of infection, then waits for the second payload it installed to do the rest of the work.
The Second Payload
  • DownloadProviderManager.apk
  • has no icon
  • can’t be found by other user-managed applications since it is installed on the /system partition
  • is not executed by the user, but triggered by Intents it listens for on the device
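The first and second payload slides name three on-device indicators: the /system/bin/profile marker, the DownloadProviderManager.apk dropped into /system/app, and the package com.android.providers.downloadsmanager. The block below is an added example, not code from the slides or from any vendor tool: it checks those indicators against a filesystem root (a mounted image or a tree pulled with adb) and against the text output of `pm list packages`, so it runs offline. The sample tree and package listing are constructed for the demo.

```python
# Added example (not from the slides): offline check for the DroidDream
# indicators the slides name. Inputs: a filesystem root and `pm list packages` text.
import os
import tempfile

# Indicators named on the slides (paths relative to the device root).
MARKER_FILES = (
    "system/bin/profile",                      # first payload's "already infected" marker
    "system/app/DownloadProviderManager.apk",  # second payload dropped into /system/app
)
PAYLOAD_PACKAGE = "com.android.providers.downloadsmanager"


def find_marker_files(root):
    """Return the indicator files present under root (paths relative to root)."""
    return [rel for rel in MARKER_FILES if os.path.exists(os.path.join(root, rel))]


def find_payload_package(pm_output):
    """True if `pm list packages` output (lines like 'package:<name>') lists the
    payload package. Exact comparison matters: the legitimate
    com.android.providers.downloads differs from it only by the suffix."""
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:") and line[len("package:"):] == PAYLOAD_PACKAGE:
            return True
    return False


def assess(root, pm_output):
    """Combine both checks into one verdict dictionary."""
    files = find_marker_files(root)
    pkg = find_payload_package(pm_output)
    return {"marker_files": files, "payload_package": pkg,
            "suspicious": bool(files) or pkg}


def build_sample_tree(infected):
    """Constructed sample filesystem tree for the demo; returns its root."""
    root = tempfile.mkdtemp()
    if infected:
        for rel in MARKER_FILES:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
    return root


# Constructed `pm list packages` output (not captured from a real device).
SAMPLE_PM_OUTPUT = """package:com.android.settings
package:com.android.providers.downloads
package:com.android.providers.downloadsmanager
"""

if __name__ == "__main__":
    print(assess(build_sample_tree(True), SAMPLE_PM_OUTPUT))
    print(assess(build_sample_tree(False), "package:com.android.settings\n"))
```

On a live device the two inputs come from `adb shell pm list packages` and from `adb pull` of the two paths (or of the whole /system tree); the exact-match comparison is deliberate, since a substring match would also fire on the legitimate downloads provider.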
The Second Payload
  • in AndroidManifest.xml
    • DownloadCompleteReceiver
    • DownloadManageService
The Second Payload
  • DownloadCompleteReceiver.onReceive()
  • {
    • if ( SQLite database is in the processes for sync )
      • determine
    • else
      • get date and NextConnectTime;
      • if ( date - NextConnectTime >= 5 )
        • call Download_Completed to update
  • }

Contacts the C&C server

The attacker installs the SQLite database he uses as DownloadProviderManager, so the original SQLite one is shut down

The Second Payload
  • DownloadManageService:
    • timer-scheduled task
      • com.android.providers.downloadsmanager.d
        • runs for two hours at a time
        • with a delay of two minutes between executions
    • initializes the SQLite tables
    • manages the download handler
  • This is evident in the onCreate() method of DownloadManageService as shown

DownloadManageService {

    • onCreate() {
      • get and save SQLite handler
      • create shared_preference manager obj.
      • return 2 mins // delay
      • return 2 hours // execution
    • }
    • get now
    • while ( now is between 23:00 and 8:00 ) {
      • download something
      • get sensitive information
      • send sensitive information
    • }
  • }

This is why the malware is called DroidDream: it does its work in the 23:00 to 8:00 window.
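Two timing rules appear on these slides: the 23:00 to 8:00 activity window of DownloadManageService, and the "date - NextConnectTime >= 5" gate in DownloadCompleteReceiver. The block below is an added example, not code from the slides or from DroidDream: it models both rules and applies the window to a constructed list of outbound-connection timestamps, the kind of check that helps correlate proxy or firewall logs with this schedule. The unit of the 5 is not stated on the slides; it is assumed to be days here.

```python
# Added example (not from the slides): the night window and check-in gate as
# small testable functions, plus a log-correlation helper.
from datetime import datetime, time, timedelta

NIGHT_START = time(23, 0)  # window start, from the slides
NIGHT_END = time(8, 0)     # window end, from the slides


def in_night_window(t: datetime) -> bool:
    """True when t falls in the 23:00-08:00 window. The window crosses
    midnight, so it cannot be tested as start <= t < end."""
    tod = t.time()
    return tod >= NIGHT_START or tod < NIGHT_END


def checkin_due(now: datetime, next_connect_time: datetime, threshold_days: int = 5) -> bool:
    """Check-in gate from the DownloadCompleteReceiver pseudocode. The unit of
    the threshold (days) is an assumption; the slides do not state it."""
    return (now - next_connect_time) >= timedelta(days=threshold_days)


def night_ratio(timestamps) -> float:
    """Fraction of connection timestamps inside the night window. A high
    ratio from an app with no night-time purpose is worth a closer look."""
    ts = list(timestamps)
    if not ts:
        return 0.0
    return sum(in_night_window(t) for t in ts) / len(ts)


# Constructed sample connection times (not real telemetry).
SAMPLE_CONNECTIONS = [
    datetime(2011, 3, 1, 23, 30),
    datetime(2011, 3, 2, 1, 30),
    datetime(2011, 3, 2, 3, 30),
    datetime(2011, 3, 2, 12, 0),
]

if __name__ == "__main__":
    print("night ratio:", night_ratio(SAMPLE_CONNECTIONS))
    print("check-in due:", checkin_due(datetime(2011, 3, 10), datetime(2011, 3, 5)))
```

The midnight crossing is the part that is easy to get wrong: a naive `NIGHT_START <= tod < NIGHT_END` comparison is never true for this window, so a detector written that way would silently report zero night-time activity.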


DownloadManageService {

    • onCreate() { create the timer task object }
    • get now
    • while ( now is between 23:00 and 8:00 ) {
      • while ( ! DOWNLOAD_COMPLETED ) {
        • switch ( entity state ) {
          • case not started: initiate;
          • case stale: remove;
        • }
      • }
      • get sensitive information
      • send sensitive information
    • }
  • }
  • It will do these things:
    • 1. remount /system writable
    • 2. copy to /system/app
    • 3. drop the APK in a temp dir
  • Similar to payload one

DownloadManageService {

    • onCreate() { create the timer task object }
    • get now
    • while ( now is between 23:00 and 8:00 ) {
      • download something
      • get ProductID – specific to the DroidDream variant
      • get Partner – specific to the DroidDream variant
      • get IMSI, IMEI, Model & SDK value, Language, Country
      • get UserID – though this does not appear to be fully implemented
      • content = the above values
      • send sensitive information
    • }
  • }

DownloadManageService {

    • onCreate() { create the timer task object }
    • get now
    • while ( now is between 23:00 and 8:00 ) {
      • download something
      • get sensitive information (content)
      • initiate HTTP processor (command, content) // discussed later
      • check, save or close as needed
    • }
  • }
HTTP processor
  • com.android.providers.downloadsmanager.a(int command, ContentValues content) {
    • switch ( command )
      • do command request; // incomplete
    • get encrypted URL and decrypt it
      • // key in com.android.root.adbRoot.crypto
      • // URL ( C&C server ) in the com.android.root.Setting class
    • transmit as XML and send to URL
    • get C&C response
    • new shared obj. and assign NextConnectTime
  • }
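The slides say the collected IMSI, IMEI, model, SDK, language and country values are packed as XML and posted to the C&C URL. The block below is an added example, not code from the slides or from DroidDream: it scans an outbound request body for 15-digit device identifiers and separates Luhn-valid ones (IMEI candidates, since the IMEI check digit is a Luhn digit) from the rest (possible IMSI), the kind of content check a proxy or sandbox can apply to traffic from an app that has no business sending such values. The element names in the sample body are invented; the slides do not give the real schema, and the identifier values are constructed.

```python
# Added example (not from the slides): flag outbound bodies that carry
# IMEI/IMSI-style identifiers. Sample body and element names are constructed.
import re

# A run of exactly 15 digits not embedded in a longer digit run.
FIFTEEN_DIGITS = re.compile(r"(?<!\d)\d{15}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, as used by the IMEI (its last digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_device_identifiers(body: str) -> dict:
    """Return Luhn-valid 15-digit values (IMEI candidates) and the other
    15-digit values (possible IMSI, which has no check digit)."""
    imei, other = [], []
    for m in FIFTEEN_DIGITS.finditer(body):
        (imei if luhn_valid(m.group()) else other).append(m.group())
    return {"imei": imei, "other_15_digit": other}


def is_exfil_candidate(body: str) -> bool:
    """Flag a body when it carries at least one IMEI candidate."""
    return bool(find_device_identifiers(body)["imei"])


# Constructed sample body: invented element names, a Luhn-valid test IMEI and
# a 15-digit IMSI-shaped value. Not captured from real traffic.
SAMPLE_BODY = """<?xml version="1.0"?>
<Request>
  <ProductID>0001</ProductID>
  <IMEI>490154203237518</IMEI>
  <IMSI>310150123456789</IMSI>
  <Model>sdk</Model><SDK>8</SDK><Language>en</Language><Country>US</Country>
</Request>"""

if __name__ == "__main__":
    print(find_device_identifiers(SAMPLE_BODY))
    print("exfil candidate:", is_exfil_candidate(SAMPLE_BODY))
```

The Luhn split keeps false positives down: a random 15-digit number passes Luhn only one time in ten, so a body with a Luhn-valid 15-digit value next to another 15-digit value is a strong signal for an IMEI/IMSI pair even when the XML element names are unknown.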
  • First payload:
    • root the device and install the APK that the second stage needs
  • Second payload:
    • downloads and installs anything that the author(s) choose to serve it
    • checks in with its C&C and updates installed components
Conclusion
  • very structured
  • incomplete functions to monitor
    • ratings, comments, asset IDs, and install states
    • the author probably intended to monitor Market activity and potentially rate/comment
  • Google remotely removed the DroidDream-related applications.
  • Restoring the device to factory settings does not give a clean environment; the tool provided by Google must also be downloaded and installed to remove the related vulnerabilities and malware.
Reference
  • http://www.androidpolice.com/2011/03/01/the-mother-of-all-android-malware-has-arrived-stolen-apps-released-to-the-market-that-root-your-phone-steal-your-data-and-open-backdoor/
  • http://www.reddit.com/r/netsec/comments/fvhdw/someone_just_ripped_off_21_popular_free_apps_from/
  • http://blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/
  • http://blog.mylookout.com/droiddream/