Friday, March 4, 2011

Analysis Shows DroidDream Trojan Designed for Future Monetization

Via Threatpost.com -

A detailed analysis of the DroidDream Trojan that was found in dozens of apps in the Android Market this week shows that the malware has a modular construction that likely was designed to give attackers the ability to monetize infected devices through installations of adware or spyware.

The Trojan itself is not especially clever or sophisticated and its communications with its command-and-control server on the back end are essentially by the book, as well. After infection, the DroidDream malware calls home to its C&C server to announce its presence and ask for further instructions. That's all rote, pro forma stuff.

What's most interesting in the DroidDream construction is that the Trojan is designed to act mainly as a downloader module, a shell to pull down other malicious modules in the future. This kind of malicious behavior has been common in desktop and server malware for years now, but has not yet been seen widely on mobile devices. Most mobile malware until now has been designed to carry out one or two specific tasks, such as sending SMS messages to premium numbers or stealing online banking credentials.

"The highly modular architecture of the Trojan is interesting and points out a few important conclusions. First of all, it has been designed to be easy to include in popular applications, to be uploaded on the Market with misleading names. Secondly, it has a classical command-and-control architecture – it sends an initial 'I'm here' query with basic info and then deploys a more complex downloader to infect the device further," Kaspersky Lab malware researcher Denis Maslennikov wrote in his analysis of the DroidDream Trojan. "This is pretty similar to many Windows Trojans. Finally, the ability to install other applications on the devices hints at the way through which the author was planning to monetize the infections – by deploying Adware or Advertising-supported apps on the device."
