Next-gen Android trojan uses Google Library disguise

Code obfuscation is nothing new on desktop operating systems, but is a new technique on portable platforms, Infosecurity notes.

The Android environment consists of a kernel based on the Linux code kernel - with middleware, libraries and APIs written in C and application software running on an application framework that includes Java-compatible libraries based on Apache Harmony.

Since Android makes certain presumptions on code libraries - in the same way that desktop platforms make presumptions based on the code suffix - the use of a library effectively persuades the smartphone/tablet operating system to treat the code as trusted.

The DroidLive trojan, as it is known, is already in the wild and, says NetQin, attempts to disguise itself as a Google library, but actually receives commands from a remote command-and-control (C&C) server, which allows it to engage in sending text messages to premium numbers, making phone calls, collecting personal information, and other darkware activities.

According to E-Hackingnews, an unusual behavior of DroidLive is an attempt to installing the code as a device administration app.

"Though this requires user consent, if such consent is given, DroidLive can obtain privileges closer to those granted only to the device's firmware. To the best of our knowledge, this is the first malware that takes advantage of the device administration API", notes the newswire.

According to the NC state uni researchers, meanwhile, DroidLive's heart is a main control service - MainService - which is invoked via the Android IPC mechanisms by other parts of the trojan.

Once the malware has been initially invoked, it uses message queues and Android's alarm functionality to periodically wake up and contact its C&C server.

As part of this process, note the researchers, DroidLive sends a large amount of information to the server, including the device's IMEI, the current cell tower identifier data, the subscriber identifier (IMSI) and so on. A download of instructions is then triggered to the portable devices.

The bad news, Infosecurity notes, is that this trojan cannot currently be detected using conventional Android IT security software, although NetQin says that infections can be spotted from unusual behavior on the part of mobile phones.


What’s Hot on Infosecurity Magazine?