Android/DrdDream.A!tr

Analysis

Android/DrdDream.A!tr comes packaged with legitimate applications it trojaned. If you downloaded one of these applications, you might be running the malware:

• Falling Down
• Super Guitar Solo
• Super History Eraser
• Photo Editor
• Super Ringtone Maker
• Super Sex Positions
• Hot Sexy Videos
• Chess
• Falldown
• Hilton Sex Sound
• Screaming Sexy Japanese Girls
• Falling Ball Dodge
• Scientific Calculator
• Dice Roller
• Advanced Currency Converter
• App Uninstaller
• PewPew
• Funny Paint
• Spider Man

The trojaned application installs without showing any very particular symptom. The (genuine) game it trojans works without any problem.
The malware affects Android mobile phones. It provides a root shell to the attacker, and sends the phone's IMEI and IMSI to a remote web server. With a root shell on the device, an attacker can basically do any action on the phone, without any restriction, like sending SMS, MMS, dumping contacts etc.

Technical Details

The malicious classes are located in com.android.root. A com.android.root.Setting service is launched. At creation, it decrypts a XOR encrypted URL

http://[REMOVED]:8080/GMServer/GMServlet

Then it gets various information concerning the phone (IMEI, IMSI...), formats the information using XML syntax:

<?xml version="1.0" encoding="UTF-8"?>
<Request>
<Protocol>1.0</Protocol>
<Command>0</Command>
<ClientInfo>
  <Partner>502</Partner>
  <ProductId>10011</ProductId>
  <IMEI>YOUR IMEI</IMEI>
  <IMSI>YOUR IMSI</IMSI>
  <Modle>YOUR DEVICE SDK</Modle>
</ClientInfo>
</Request>

The XML data is then encrypted (XOR) and posted (HTTP POST) to the URL.
The remote server is expected to send back a pref_config_setting file.
Then, the malware tries to root the phone using two known vulnerabilities which affect Android phones (and should be patched in recent firmwares).
One of those vulnerabilities is used in the class com.android.root.udevRoot and corresponds to this exploit. The malware reads files named exploid and profile from the asset directory. Then it gets the mount points for the system and data directory using the /system/bin/mount directory. Based on the response of /system/bin/mount directory it crafts three scripts:

1. remount_sys_rw.sh: mounts the system directory in read/write mode
2. remount_sys_ro.sh: mounts the system directory in read only mode
3. remount_data.sh: mounts the data directory

Then, it sets the execute permission on the exploid binary (chmod 770) and runs it.
Then, the malware invoke the hotplug (as specified in the exploit source) by changing the wifi state of the phone.
When the phone is rooted, it copies the profile file (in the asset directory) to /system/bin/profile, and finally removes the exploit.
If this first exploit does not work, the malware tries another one, known as rageagainstthecage.
This exploit tries to reach the limit of maximum user processes, so that next time adbd is launched (as root), it fails to surrender its root privileges and, thus, provides local root access.
Similarly, the malware launches this exploit and, once successful, copies the profile binary to /system/bin/profile. Then it sets root permissions to /syste/bin/profile.

chown 0.0 /system/bin/profile
chown root.root /system/bin/profile
chmod 6755 /system/bin/profile

The disassembly of /system/bin/profile shows it performs a setgid, setuid and then an execv of /system/bin/sh. So, it provides a root shell to the attacker.
Note however that, in current versions, this root shell is not binding to any port and cannot be used remotely.
Finally, the malware's asset directory contains another file, named sqlite.db. This file is not a SQLite database but an Android Package.
The malware locates this file, renames it DownloadProvidersManager.apk, and installs it on the device.

Recommended Action

FortiGate Systems

• Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
  FortiClient Systems
  
• Quarantine/delete files that are detected and replace infected files with clean backup copies.