ANDROIDOS_DORDRAE.M

 Analysis by: Karl Dominguez

 THREAT SUBTYPE:

Information Stealer, Malicious Downloader

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW


This malware variant is related to the Android malware DroidDreamLight, which steals mobile-specific data. The detected files are Trojanized Android applications that were hosted in the Android Market and infected almost a hundred users before they were pulled.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

The malware service AppUseService runs every time the call state of the affected device changes. It then gathers certain device information and sends it to remote servers.

Based on the analysis of its code, this Trojan can also receive notification messages to display, along with download links, from the said sites. It uses the notifications to trick users into downloading and installing the applications hosted at the links.

This Trojan may be manually installed by a user.

  TECHNICAL DETAILS

File Size:

114,410 bytes

File Type:

APK

Memory Resident:

No

Initial Samples Received Date:

18 Aug 2011

Payload:

Steals information, Compromises system security

Arrival Details

This Trojan may be manually installed by a user.

This malware arrives via the following means:

  • Via Trojanized Android applications

NOTES:

The malware service AppUseService runs every time the call state of the affected device changes.

It then gathers the following information:

  • Country
  • Device model
  • Device language setting
  • IMEI
  • IMSI
  • Installed applications (application name, package name, package version)

It sends this information to the following remote servers:

  • http://{BLOCKED}5a.com/lsda.jsp
  • http://{BLOCKED}j5.com/pqwo.jsp
  • http://{BLOCKED}8m.com/ijnh.jsp

Based on the analysis of its code, this Trojan can also receive notification messages to display, along with download links, from the said sites. It uses the notifications to trick users into downloading and installing the applications hosted at the links.
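Because the server hostnames above are redacted, the only network indicator this description leaves a defender is the set of server-side paths (lsda.jsp, pqwo.jsp, ijnh.jsp). The following script is an added example, not part of this description or of any Trend Micro tool: it scans web-proxy log lines for Android clients that requested any of those three paths and reports, per client, which endpoints were contacted. The log format, the hostnames (blocked-5a.example and similar), the client addresses and the sample lines are all constructed for the example; the path names are the ones listed above.

```python
import re
from urllib.parse import urlsplit

# Server-side paths taken from the description above. The hostnames are
# redacted there ({BLOCKED}5a.com etc.), so matching is done on the path only.
DORDRAE_PATHS = frozenset({"/lsda.jsp", "/pqwo.jsp", "/ijnh.jsp"})

# Assumed proxy log format (constructed for this example):
#   <iso-time> <client-ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict with host and path split out.

    Returns None for lines that do not match the expected format, so that a
    malformed line is skipped instead of aborting the scan."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""
    rec["path"] = parts.path.lower()
    return rec


def is_android_client(user_agent):
    # The Android HTTP stack identifies itself as
    # "Dalvik/<ver> (Linux; U; Android <ver>; ...)"; browsers on the device
    # also carry "Android" in the UA string.
    return "Android" in user_agent


def find_dordrae_checkins(lines):
    """Return {client_ip: sorted list of matched paths} for every client that
    requested one of the DORDRAE.M server paths from an Android user agent.

    Matching on the exact path rather than a substring keeps a legitimate
    '/reports/lsda.jsp' from being flagged; requiring an Android client keeps
    scanner or desktop traffic to the same path out of the result."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] in DORDRAE_PATHS and is_android_client(rec["ua"]):
            hits.setdefault(rec["client"], set()).add(rec["path"])
    return {client: sorted(paths) for client, paths in hits.items()}


# Constructed sample log. Two devices check in to the paths from the
# description; one desktop hits an endpoint with a non-Android UA; one
# intranet request shares only a file name; one line is malformed.
SAMPLE_LOG = [
    '2011-08-20T09:14:02Z 10.0.0.15 POST http://blocked-5a.example/lsda.jsp 200 '
    '"Dalvik/1.4.0 (Linux; U; Android 2.3.4; GT-I9100 Build/GINGERBREAD)"',
    '2011-08-20T09:14:05Z 10.0.0.15 POST http://blocked-j5.example/pqwo.jsp 200 '
    '"Dalvik/1.4.0 (Linux; U; Android 2.3.4; GT-I9100 Build/GINGERBREAD)"',
    '2011-08-20T09:15:11Z 10.0.0.22 GET http://intranet.example/reports/lsda.jsp 200 '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64)"',
    '2011-08-20T09:16:40Z 10.0.0.30 GET http://blocked-8m.example/ijnh.jsp 404 '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64)"',
    'this line is not in the expected format',
    '2011-08-20T09:20:00Z 10.0.0.41 POST http://blocked-8m.example/IJNH.jsp 200 '
    '"Dalvik/1.4.0 (Linux; U; Android 2.2; HTC Desire Build/FRF91)"',
]


if __name__ == "__main__":
    for client, paths in sorted(find_dordrae_checkins(SAMPLE_LOG).items()):
        print(f"{client}: contacted {', '.join(paths)}")
```

Running the script lists 10.0.0.15 (two endpoints) and 10.0.0.41 (one endpoint); the desktop request to /ijnh.jsp and the intranet /reports/lsda.jsp request are not reported. Three short generic path names are a weak indicator on their own, so a hit is a reason to pull the device's installed-application list and compare it against the Trojanized apps, not a verdict by itself.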

  SOLUTION

Minimum Scan Engine:

8.900

TMMS Pattern File:

1.127.00

TMMS Pattern Date:

22 Aug 2011

Step 1

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.

Step 2

Remove unwanted apps on your Android mobile device

