Analyst spots major changes in Android DroidDream malware

The recoded malware – a major variant of DroidDream Light – has been spotted on a China-based third-party app store and is fully in the wild, said Mark Balanza of Trend Micro's AsiaPac security team.

Apps seen carrying the infection – all of them in English, he notes – include a battery monitoring tool, a task listing tool, and an application that lists the permissions used by installed applications.

As well as the major code revamp in the variant, which Trend Micro detects as AndroidOS_DORDRAE.N, Balanza said there is also a distinct change in the type of data the malware steals: text messages, the device call log, the contacts list and information about the Google accounts stored on the device.

“Stolen information is stored and compressed in the /data/data/%package name%/files directory, and then uploaded to a URL contained in a configuration file”, he said in a weekend security posting, adding that, as with previous variants, the malware also connects to a URL in the configuration file and then uploads a variety of other information about the infected device.

This data, he said, includes the phone model, language setting, country, the IMSI/IMEI pair, SDK version, the package name of the infected app, and information about the other apps installed on the device.

As reported previously by Infosecurity, the IMSI/IMEI pair identifies both the subscriber and the handset and is sought by fraudsters looking to make voice and data calls charged to the legitimate user's cellular account. On its own, though, the pair does not let an attacker authenticate to the mobile network: that requires the secret key held on the SIM, which the malware is not reported to extract.

Once the information has been uploaded, Balanza said, the remote server replies with an encrypted configuration file, which updates the existing configuration file on the device.

In addition, based on its code, he said the malware has the ability to insert messages into the inbox of the affected device, with the sender and message body specified by the attacker, as well as the ability to send messages to numbers in the contacts list.

“Furthermore, this new variant also has code that can check if the affected device has been rooted by checking for certain files. We found that this malware can install and uninstall packages if the device is rooted, although there is currently no code in the body that calls these methods”, he said.

Users, said the Trend Micro threats analyst, can check whether their phone is infected by going to Settings > Applications > Running Services and looking for a service called 'CelebrateService'.
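The same check can be scripted over adb for a fleet of handsets or for a device image being triaged. The helper below is an added example, not code from the article or from Trend Micro's analysis: it scans the output of `adb shell dumpsys activity services` for a running service whose class name matches the indicator and reports the owning package, then derives the `/data/data/<package>/files` directory the article names as the staging area for the compressed stolen data, so the analyst knows what to pull. The `dumpsys` sample, the package name `com.example.batterymonitor` and the hex record ids are constructed for the example; the record layout approximates what `dumpsys` prints, and a live device is only consulted if `adb` is on the path.

```shell
#!/bin/sh
# Added triage helper (not from the article or Trend Micro). Looks for the
# running-service indicator the analysis gives (CelebrateService) and prints
# the directory the malware is reported to stage stolen data in.

# Constructed sample of 'adb shell dumpsys activity services' output. The
# package name and hex ids are made up; only the layout matters here.
SAMPLE_DUMPSYS='ACTIVITY MANAGER SERVICES (dumpsys activity services)
  * ServiceRecord{4051f6d8 com.android.phone/.TelephonyDebugService}
    intent={cmp=com.android.phone/.TelephonyDebugService}
  * ServiceRecord{40632a10 com.example.batterymonitor/.CelebrateService}
    intent={cmp=com.example.batterymonitor/.CelebrateService}
    createTime=-1h2m3s'

# packages_running_service NAME
# Reads dumpsys output on stdin and prints, one per line, the package that
# owns every ServiceRecord whose class name ends in NAME. Only the
# "ServiceRecord{...}" header lines are considered; the intent lines that
# repeat the component are ignored so each package is reported once.
packages_running_service() {
    grep 'ServiceRecord{' \
      | sed -n "s#.* \([A-Za-z0-9_.]*\)/\([A-Za-z0-9_.]*$1\)}.*#\1#p" \
      | sort -u
}

# staging_dir PACKAGE
# Directory where the article says the variant compresses stolen data
# before upload: /data/data/<package name>/files. Pull it with
# 'adb pull' (root or a backup is needed on a stock device).
staging_dir() {
    printf '/data/data/%s/files\n' "$1"
}

# triage_report NAME
# Full check over stdin: prints "INFECTED <package> <staging dir>" per hit
# or "CLEAN" when no matching service is running.
triage_report() {
    found=0
    for pkg in $(packages_running_service "$1"); do
        printf 'INFECTED %s %s\n' "$pkg" "$(staging_dir "$pkg")"
        found=1
    done
    [ "$found" -eq 1 ] || printf 'CLEAN\n'
}

# Use the live device when adb is available, otherwise the constructed sample.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    adb shell dumpsys activity services | triage_report CelebrateService
else
    printf '%s\n' "$SAMPLE_DUMPSYS" | triage_report CelebrateService
fi
```

The service name is an indicator of this one variant, not of the family: a recompiled build can rename the class, so a CLEAN result from this script is weaker than a match, and the permission set of the suspect app (SMS, contacts, call log and account access for a battery or task tool) is the better reason to pull it for analysis.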