Threat Encyclopedia

Android/DrdLight.B!tr

Analysis

Android/DrdLight.B!tr is a variant of Android/DrdLight.A!tr. Beyond variant A's functionality, it steals call logs, contacts and SMS messages, and it sends SMS messages to the contacts found on the device.

The malware stores its configuration in a file named sense.tcd. This file is DES-encrypted with the same key as variant A, i.e.

DDH#XundefinedLT
Once decrypted, it is an XML file containing tags such as:
  • Feed3Proxy9
  • UploadProxy7
  • DDPackageName2
  • Next3Feedback8
  • NextTask3
  • RName5
  • Task3Proxy5
The malware saves its tasks (SMS/contact/call stealing) in an internal file named tsk9.dat.
It steals:
  • the victim's Google account name (email), stored in APPDIR/files/goa4, where APPDIR is the application's private data directory
  • SMS inbox and outbox, stored in APPDIR/files/sms7
  • call log (date, duration and type), stored in APPDIR/files/calllog8
  • contacts, stored in APPDIR/files/contact7
Those files are then DES-encrypted, zipped and uploaded to a remote server whose address is taken from the UploadProxy7 field of the configuration file.
For example, it builds a URL such as this one, where MODEL, IMEI and IMSI stand for the device's model string, IMEI and IMSI:
http://[REMOVED]d.com/p?PhoneType=MODEL&Version=7.0&PhoneImei=IMEI&PhoneImsi=IMSI
Once uploaded, the files are deleted from the device.
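The following Go tool is an added example for analysts, not code from this page or from the malware itself. It decrypts a sense.tcd-style configuration, pulls out the tags listed above (UploadProxy7 is the one that matters for blocking the C2), and rebuilds the beacon URL in the field order shown above; the same DESDecrypt function applies to the exfiltrated goa4/sms7/calllog8/contact7 files once the uploaded zip has been unpacked. Assumptions not stated on the page: the cipher mode is DES/ECB with PKCS5 padding (what Android's Cipher.getInstance("DES") gives by default), the XML root element name is unknown and therefore not checked, UploadProxy7 holds a full base URL, and the key "EXAMPLE1", the host c2.example.invalid and the sample config are placeholders constructed for the demo (the real key is not reproduced here).

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
)

// Config holds the tags listed above for the decrypted sense.tcd. The root
// element name is not documented; leaving XMLName untagged accepts any root.
type Config struct {
	XMLName        xml.Name
	Feed3Proxy9    string `xml:"Feed3Proxy9"`
	UploadProxy7   string `xml:"UploadProxy7"`
	DDPackageName2 string `xml:"DDPackageName2"`
	Next3Feedback8 string `xml:"Next3Feedback8"`
	NextTask3      string `xml:"NextTask3"`
	RName5         string `xml:"RName5"`
	Task3Proxy5    string `xml:"Task3Proxy5"`
}

// pkcs5Pad/pkcs5Unpad implement the padding Java's "DES" cipher applies by default (assumed mode).
func pkcs5Pad(b []byte) []byte {
	n := des.BlockSize - len(b)%des.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > des.BlockSize || n > len(b) {
		return nil, errors.New("bad padding length (wrong key?)")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes (wrong key?)")
		}
	}
	return b[:len(b)-n], nil
}

// desECB applies single-DES block by block (ECB); encrypt selects the direction.
func desECB(key, data []byte, encrypt bool) ([]byte, error) {
	block, err := des.NewCipher(key) // key must be exactly 8 bytes
	if err != nil {
		return nil, err
	}
	if len(data) == 0 || len(data)%des.BlockSize != 0 {
		return nil, errors.New("data is not a whole number of DES blocks")
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += des.BlockSize {
		if encrypt {
			block.Encrypt(out[i:], data[i:])
		} else {
			block.Decrypt(out[i:], data[i:])
		}
	}
	return out, nil
}

// DESEncrypt mimics the malware side so the demo can produce a test file.
func DESEncrypt(key, plaintext []byte) ([]byte, error) {
	return desECB(key, pkcs5Pad(plaintext), true)
}

// DESDecrypt recovers sense.tcd, or any of the exfiltrated files, from ciphertext.
func DESDecrypt(key, ciphertext []byte) ([]byte, error) {
	padded, err := desECB(key, ciphertext, false)
	if err != nil {
		return nil, err
	}
	return pkcs5Unpad(padded)
}

// ParseConfig decrypts sense.tcd and parses the XML inside.
func ParseConfig(key, encrypted []byte) (*Config, error) {
	raw, err := DESDecrypt(key, encrypted)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	var cfg Config
	if err := xml.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parse: %w", err)
	}
	return &cfg, nil
}

// UploadURL rebuilds the beacon URL in the field order shown above; base is the
// UploadProxy7 value (assumed here to hold scheme, host and path).
func UploadURL(base, model, imei, imsi string) string {
	return fmt.Sprintf("%s?PhoneType=%s&Version=7.0&PhoneImei=%s&PhoneImsi=%s",
		base, url.QueryEscape(model), url.QueryEscape(imei), url.QueryEscape(imsi))
}

func main() {
	key := []byte("EXAMPLE1") // stand-in 8-byte key, not the real one
	// Constructed sample config; the host is a placeholder.
	plain := []byte(`<Config><UploadProxy7>http://c2.example.invalid/p</UploadProxy7><NextTask3>3600</NextTask3></Config>`)
	enc, _ := DESEncrypt(key, plain)
	cfg, err := ParseConfig(key, enc)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("C2:", cfg.UploadProxy7)
	fmt.Println(UploadURL(cfg.UploadProxy7, "Nexus S", "123456789012345", "310260000000000"))
}
```

On a real sample, replace the placeholder key with the recovered 8-byte key and feed the raw bytes of sense.tcd to ParseConfig; a padding error is the usual sign of a wrong key or a different mode, and des.NewCipher rejects any key that is not exactly 8 bytes.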

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.