Android/GoldDream.A!tr.spy

Analysis

Android/GoldDream.A!tr.spy targets mobile phones running Android. It trojanizes legitimate games such as the DragRacer car game, i.e. the genuine (non-malicious) game is re-packaged to include malicious code.
In the background, the malware logs all incoming and outgoing phone calls and received SMS. Those spy logs are written to files on the device and later sent to a remote web site.
Moreover, the malware has the following capabilities:

  • sending SMS messages
  • installing or deleting packages
  • calling phone numbers


Technical Details


Initially, the malware registers a broadcast receiver (zjReceiver) that is triggered when the phone boots or receives an SMS.
When the phone boots, the receiver starts a service (zjService).
When the phone receives an SMS, the malware logs the originating phone number, the body and the time of the SMS to a file named zjsms.txt (in /data/data/com.creativemobi.DragRacing/files/).
The format of each record is:
SMS PHONE NUMBER#SMS BODY#SMS TIME
When the phone places an outgoing call, it logs:
OUT#PHONE NUMBER#SYSTEM TIME
This record is written to zjphonecall.txt. When the phone receives an incoming call, the malware logs the begin and end time of the call:
IN_BEGIN#PHONE NUMBER#SYSTEM TIME
IN_END#PHONE NUMBER#SYSTEM TIME
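The two spy files above are what an analyst recovers from the device, so a parser for them is the first triage tool needed. The following is an added example written for this page; it is not code from the malware or from Fortinet. The sample records are constructed (the page does not state the timestamp format, so times are kept as opaque strings), and two choices are assumptions of this example rather than documented behaviour: an SMS body may itself contain '#', so the SMS record is split at the first and last separator only, and IN_BEGIN/IN_END records are paired on the phone number.

```python
"""Parse GoldDream spy logs (zjsms.txt and zjphonecall.txt).

Added example for forensic triage, not code from the malware or Fortinet.
Sample contents are constructed; timestamp formats are not specified on the
page, so they are treated as opaque strings.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample contents of the two files found under
# /data/data/com.creativemobi.DragRacing/files/ (assumption: bodies may contain '#').
SAMPLE_ZJSMS = (
    "+15550100#Your code is 1234#2011-07-05 10:31:02\n"
    "+15550199#meet at 5 # bring cash#2011-07-05 11:02:45\n"
)
SAMPLE_ZJPHONECALL = (
    "OUT#+15550100#1309860000000\n"
    "IN_BEGIN#+15550177#1309860600000\n"
    "IN_END#+15550177#1309860720000\n"
    "IN_BEGIN#+15550155#1309861000000\n"  # no IN_END: call still open or log truncated
)


@dataclass
class SmsRecord:
    number: str
    body: str
    time: str


@dataclass
class CallRecord:
    direction: str            # "OUT" or "IN"
    number: str
    begin: Optional[str]      # None only for an IN_END seen without IN_BEGIN
    end: Optional[str] = None  # set when the matching IN_END is seen


def parse_zjsms(text: str) -> List[SmsRecord]:
    """NUMBER#BODY#TIME. The body may contain '#', so split only at the
    first separator (after the number) and the last one (before the time)."""
    records: List[SmsRecord] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.count("#") < 2:
            raise ValueError(f"malformed zjsms record: {line!r}")
        number, rest = line.split("#", 1)
        body, time = rest.rsplit("#", 1)
        records.append(SmsRecord(number, body, time))
    return records


def parse_zjphonecall(text: str) -> List[CallRecord]:
    """OUT#NUMBER#TIME, IN_BEGIN#NUMBER#TIME and IN_END#NUMBER#TIME.
    IN_BEGIN/IN_END are paired on the phone number (assumption); an
    unmatched IN_BEGIN is kept with end=None, an unmatched IN_END with begin=None,
    so a truncated log loses no records."""
    records: List[CallRecord] = []
    open_incoming: Dict[str, CallRecord] = {}  # number -> record awaiting IN_END
    for line in text.splitlines():
        if not line.strip():
            continue
        tag, number, ts = line.split("#", 2)
        if tag == "OUT":
            records.append(CallRecord("OUT", number, ts))
        elif tag == "IN_BEGIN":
            rec = CallRecord("IN", number, ts)
            records.append(rec)
            open_incoming[number] = rec
        elif tag == "IN_END":
            rec = open_incoming.pop(number, None)
            if rec is None:
                records.append(CallRecord("IN", number, None, ts))
            else:
                rec.end = ts
        else:
            raise ValueError(f"unknown zjphonecall record type {tag!r}")
    return records


if __name__ == "__main__":
    for sms in parse_zjsms(SAMPLE_ZJSMS):
        print("SMS ", sms)
    for call in parse_zjphonecall(SAMPLE_ZJPHONECALL):
        print("CALL", call)
```

Run it against the real files pulled from an infected device (adb pull of the two paths above) to obtain a timeline of what the operator could have received; the unmatched IN_BEGIN case matters because the last entry of a log captured mid-call has no IN_END.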
When the zjService starts, it first writes an XML configuration file with default values. This file contains:
  • dom: the domain name of the remote web server to contact
  • ws: watch SMS. Boolean indicating whether to spy on SMS. False by default.
  • wc: watch call. Boolean indicating whether to spy on calls. False by default.
  • ltd: last work task time
  • lud: last update time
  • uid: user identifier
  • tti: task type id. Default type is 1.
  • rtt: rest time
  • uwf: literally "upload watch files". Boolean indicating whether to upload the spy files.
  • tph: tasks per hour
  • rt: boolean indicating whether the malware is resting. Unclear yet, but it could indicate that the remote web server is currently out of service.
Then, the service launches a worker thread. Its work consists of registering the newly infected device at this URL:
http://[REMOVED]cp.net/zj/RegistUid.aspk?pid=9971&cid=1000&imei=PHONE IMEI&sim=PHONE SIM&imsi=PHONE IMSI&ua=USER AGENT
It then fetches a number of tasks from the remote server and executes them.
The number of tasks to perform is retrieved by accessing:
http://[REMOVED]cp.net/zj/countWorkTask.aspx?tti=TASK ID
Each task is then executed in turn. First, the malware retrieves the details of a task:
http://[REMOVED]cp.net/zj//alotWorkTask.aspx?no=TASK NUMBER&uid=USER ID&ti=TASK ID
The task number (parameter "no") is incremented for each task retrieved.
Then, the task is executed. Depending on its type, it may consist of:
  • calling a phone number
  • sending a SMS
  • deleting a package on the device
  • installing a package on the device
  • uploading watch files to the remote web server. In that case, the files are uploaded to this URL:
    http://[REMOVED]cp.net/zj/upload/UploadFiles.aspx?askId=3
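The registration, task-count, task-fetch and upload requests above form a fixed sequence of URL paths, which is the part of the C2 exchange a network defender can match on even though the host is redacted on this page. The following is an added example of that detection logic run over constructed web-proxy log lines; it is not a Fortinet signature and not code from the malware. The host c2.example.invalid, the client addresses and the log format "<epoch> <client_ip> <method> <url>" are all constructed for the example, and matching is on path and query only so it does not depend on the real domain.

```python
"""Flag GoldDream C2 requests in web-proxy logs by their URL paths.

Added example; not a Fortinet signature and not the malware's code. The C2
host is redacted on the page, so the patterns match path and query only.
Log lines and the host 'c2.example.invalid' are constructed.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Paths taken from the analysis above. alotWorkTask is requested with a
# doubled slash ('/zj//alotWorkTask.aspx'), so each pattern allows '/+'.
C2_PATHS = {
    "register":    re.compile(r"^/zj/+RegistUid\.aspk$", re.I),
    "count_tasks": re.compile(r"^/zj/+countWorkTask\.aspx$", re.I),
    "get_task":    re.compile(r"^/zj/+alotWorkTask\.aspx$", re.I),
    "upload":      re.compile(r"^/zj/+upload/+UploadFiles\.aspx$", re.I),
}

# Constructed proxy log: "<epoch> <client_ip> <method> <url>". The last line is
# benign traffic that shares the '/zj/' prefix and must not be flagged.
SAMPLE_LOG = """\
1309860000 10.0.0.12 GET http://c2.example.invalid/zj/RegistUid.aspk?pid=9971&cid=1000&imei=123456789012345&sim=8901&imsi=310150&ua=Dalvik
1309860005 10.0.0.12 GET http://c2.example.invalid/zj/countWorkTask.aspx?tti=1
1309860010 10.0.0.12 GET http://c2.example.invalid/zj//alotWorkTask.aspx?no=1&uid=42&ti=1
1309860015 10.0.0.12 GET http://c2.example.invalid/zj//alotWorkTask.aspx?no=2&uid=42&ti=1
1309860020 10.0.0.12 POST http://c2.example.invalid/zj/upload/UploadFiles.aspx?askId=3
1309860025 10.0.0.30 GET http://www.example.com/zj/index.html
"""


def classify_url(url: str) -> Optional[Dict[str, str]]:
    """Return the C2 stage plus decoded query parameters, or None if benign."""
    parts = urlsplit(url)
    for stage, pattern in C2_PATHS.items():
        if pattern.match(parts.path):
            params = {k: v[0] for k, v in parse_qs(parts.query).items()}
            return {"stage": stage, "host": parts.hostname or "", **params}
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """One hit per C2 request, carrying timestamp, client and method."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue  # skip blank or truncated lines
        ts, client, method, url = fields
        hit = classify_url(url)
        if hit is not None:
            hit.update(ts=ts, client=client, method=method)
            hits.append(hit)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Per infected client: C2 stages seen, the IMEI leaked at registration,
    and how many tasks were pulled ('no' increments by one per task, so its
    maximum is the task count)."""
    out: Dict[str, Dict[str, object]] = {}
    for h in hits:
        s = out.setdefault(h["client"], {"stages": set(), "imei": None, "tasks_fetched": 0})
        s["stages"].add(h["stage"])
        if h["stage"] == "register":
            s["imei"] = h.get("imei")
        if h["stage"] == "get_task" and h.get("no", "").isdigit():
            s["tasks_fetched"] = max(s["tasks_fetched"], int(h["no"]))
    return out


if __name__ == "__main__":
    for client, info in summarize(scan_log(SAMPLE_LOG)).items():
        print(client, sorted(info["stages"]), "imei", info["imei"], "tasks", info["tasks_fetched"])
```

A client that reaches the "upload" stage has exfiltrated its zjsms.txt/zjphonecall.txt contents, which is the distinction an incident responder needs between a device that merely registered and one whose call and SMS history should be treated as compromised.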
    

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                    Availability
FortiGate                  Extreme
FortiClient                Extended
FortiMail                  Extended
FortiSandbox               Extended
FortiWeb                   Extended
Web Application Firewall   Extended
FortiIsolator              Extended
FortiDeceptor              Extended
FortiEDR

Version Updates

Date         Version     Detail
2023-03-06   91.01181
2019-08-07   70.54800