Whitepaper: An In Depth Look At DroidDream's Weapons
DroidDream was one of those malware apps that just looked interesting to look into. The sophistication of the exploits that Dream used was pretty impressive. Dream used two exploits, Exploit/LVedu and Exploit/DiutesEx, to root vulnerable Android devices and gain permissions on them. The payloads used in the malware also had some interesting parts to them. After Dream gains root access to the phone, it copies the second payload from its assets directory and installs it in the directory known as system/apps/DownloadProviderManager.apk. This manual installation is known as one of the ways to get around the Android Market: at this point in the process the Market cannot kill the app, because it does not actually know that the app is being installed. As I read about this on McAfee's blog I was very impressed and interested to know more about how deviously this app worked to get around the Market.
Then the malware renames the "su" executable, which is stored in the /system/bin/profile directory, and so it gets transported into the system commands. Let's recap what I just mentioned above. I think this little technique that Dream performs is one of the best techniques I have seen to date of how a malware author can not only switch a file into a system command directory, but also retain the ability to update the malware and gain future access to the victim's device. For malware authors that specialize in exploiting the Android operating system, I think this is yet another milestone in mobile malware. Even though I love writing about and stopping the bad guys, you have to admit that the sophistication of this app was very impressive.
Here is an interesting piece on DroidDream and Android, written by Tim Armstrong of Kaspersky Labs:
Also at issue is the fact that device manufacturers themselves do not consistently maintain or update their existing platforms. Read any mobile forum and you’ll find a host of users begging for an update to their respective devices. According to Google’s own statistics, over 40% of Android users are using a version of the operating system prior to Android 2.2. Even some of the customers running 2.2 are vulnerable as the exploit works on 2.2.1 or earlier. Unfortunately Google doesn’t break its statistics down small enough to see this number. With the small exception of the customers who receive the Android Market Security Tool update, every other person running 2.2.1 or less remains vulnerable. This means that they could get exploited right now.
So isn't it interesting that 40% of Android users are still using a version of the operating system that is out of date, i.e. before version 2.2? After looking at the above graph, it indicated to me that since 40% of Android users are using an older version of the OS, that has to be impacting the spread of malware like DroidDream and others before it. Once again we come back to one of the old-time reasons why it's always good to update your operating system to the latest version: if you don't, in the case of Android users, the more vulnerable you become to the bad guys.
Now, even though the older versions of the Android operating system seem vulnerable, what about version 2.2? Well, both exploits used in DroidDream also targeted version 2.2 and vulnerabilities within that specific version. So here is once again another good look at how different Android versions are still vulnerable to malware. Exploit/LVedu is an exploit that roots Android devices and has been integrated into more than 20 malicious Android apps. Exploit/DiutesEx is the same type of exploit as Exploit/LVedu, in that it uses a vulnerability to root Android devices. I don't know about you all, but I would like to get samples of these exploits. :P
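To make the two points above concrete from the defender's side, here is an added check script (my own, not code from the post, McAfee or Kaspersky) that tests whether a release string falls in the 2.2.1-or-earlier range and looks for the two file artifacts the post names. The paths are the post's; treating /system/bin/profile as a setuid copy of su is an assumption, as is the name droiddream_check.sh.

```sh
#!/bin/sh
# Added example: flag the DroidDream artifacts described in the post.
# Paths come from the post; the setuid check on /system/bin/profile is an assumption.

# Returns 0 when the release string is 2.2.1 or earlier (the range the quoted
# Kaspersky text says the exploits work on), 1 otherwise or when unknown.
droiddream_vulnerable_version() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs      # split "2.2.1" into fields
    major=${1%%[!0-9]*}; minor=${2%%[!0-9]*}; patch=${3%%[!0-9]*}
    [ -n "$major" ] || return 1                      # unknown release: not claimed
    minor=${minor:-0}; patch=${patch:-0}
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -lt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -eq 2 ] && [ "$patch" -le 1 ]; then return 0; fi
    return 1
}

# Scan a filesystem root ("/" on the device, or a directory holding a pulled
# image) and print one line per artifact. Returns 1 if anything was found.
droiddream_scan() {
    root=${1%/}; found=0
    apk="$root/system/apps/DownloadProviderManager.apk"
    if [ -f "$apk" ]; then
        echo "second-stage payload installed outside the Market's view: $apk"
        found=1
    fi
    prof="$root/system/bin/profile"
    if [ -f "$prof" ]; then
        echo "su binary renamed into the system command path: $prof"
        # a working su copy carries the setuid bit (assumption: report it)
        [ -u "$prof" ] && echo "  (setuid bit is set on $prof)"
        found=1
    fi
    return "$found"
}

# Usage: push the script to the device, then run it with the root to scan, e.g.
#   adb shell sh /data/local/tmp/droiddream_check.sh /   (root needed to read /system/bin)
if [ "$#" -gt 0 ]; then
    rel=$(getprop ro.build.version.release 2>/dev/null)
    droiddream_vulnerable_version "$rel" && echo "Android $rel is 2.2.1 or earlier: exploitable build"
    droiddream_scan "$1"
fi
```

Uninstalling the app does not remove these files, so a clean result from this scan after uninstalling is what you actually want to see.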
There is an Android app that can clean DroidDream and remove it from your device if you are indeed infected. To read more about DroidDream and this security tool, go to http://blogs.mcafee.com/enterprise/mobile/google-tool-cleans-up-mobile-malware-dream
The Android Market Security Tool is an Android app that also has a non-Dalvik native application component called droiddreamclean. Android/DrdDream drops a few additional files (native binaries, an additional APK, etc.) on an infected phone. Because the files are located outside of the app directory, simply uninstalling the app won’t remove them from the phone. Really cleaning the phone requires access to the file system at a level that standard Android applications can’t reach. The security app launches droiddreamclean to delete the additional files and restore some security settings.
A special thanks to McAfee for explaining how DroidDream works.