ANDROIDOS_DORDRAE.O

This is a DroidDreamLight variant. The DroidDreamLight family is known to show notifications as part of its social engineering routine. This is to trick the user into clicking on the notifications to download new a component, or update itself.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This is Trend Micro's detection for Trojanized Android applications. While the legitimate software runs, it silently executes malicious code in the background. The malware service "SystemConfService" runs when the device is booted or when it receives or makes a call. It then gathers certain information. It sends these information to remote servers.

This Trojan may be manually installed by a user.

Arrival Details

This Trojan may be manually installed by a user.

This malware arrives via the following means:

• via Trojanized Android applications

NOTES:

This is Trend Micro's detection for Trojanized Android applications.

It arrives using the package name com.practical.share.

While the legitimate software runs, it silently executes malicious code in the background. The malware service "SystemConfService" runs when the device is booted or when it receives or makes a call. It then gathers the following information:

• Device model
• Language setting
• Country
• IMEI
• IMSI
• SDK Version
• Installed app information

It sends these information to the following remote servers:

• http://{BLOCKED}6.info/aztc.php
• http://{BLOCKED}u.com/jtwd.php

Note that the said servers may vary depending on the data received from the servers once it is connected.

Based on the analysis of the codes, it also has the following routines:

Show any of the following notifications that may trick the user into downloading other malware:

• Update - update the malware package
• Download - download a file specified by the malware server
• Market - view a package specified by the malware server in the Android Market
• Web - view a URL specified by the malware server