Connect with us

Hi, what are you looking for?


Mobile & Wireless

New Android Trojan Masquerades as Google Library, Taps Device Administration API

DroidLive” SMS Android Trojan Masquerading as a Google Library, Attempts to Utilize Device Administration API

DroidLive” SMS Android Trojan Masquerading as a Google Library, Attempts to Utilize Device Administration API

A research team at NC State University led by Assistant Professor Xuxian Jiang and NetQin, have uncovered a new SMS Android Trojan that attempts to install itself as a device administration app, and capable of tapping into personal data and performing a mixture of nefarious activities on android mobile devices.

Android MalwareJiang, who is also Director of NetQin’s U.S. Security Research Center, explained that the android malware, dubbed DroidLive, attempts to disguise itself as a Google library, and receives commands from a Command and Control (C&C) server, allowing it to perform functions including sending text messages to premium numbers, initiating phone calls, collecting personal data, and more.

Over the weekend, Jiang told SecurityWeek that this is new malware and not a variant of previously known samples, and appears to be the first to take advantage of the device administration API.

“Though this requires user consent, if such consent is given, DroidLive can obtain privileges closer to those granted only to the device’s firmware,” Jiang explained. “This Trojan attempts to hide itself by appearing as a Google library — all of its functionality is contained in a package that matches Google’s own package naming convention.”

How DroidLive Works

Jiang shared the following details on how DroidLive works, and provided the diagram below to help further explain how it uses Android’s standard inter-app communication layer:

DroidLive Android Trojan

1. DroidLive’s heart is a main control service, MainService, which is invoked via the Android IPC mechanisms by other parts of the Trojan. This service takes action based on a string passed to it when it is invoked; these strings are in plain, human-readable text. MainService is initially invoked by other receivers that listen for a variety of (17) system events.

2. Once the malware has been initially invoked, it uses message queues and Android’s alarm functionality to periodically wake up and contact its C&C server. As part of this process, DroidLive sends a large amount of information to the server, including the device’s unique hardware identifier (IMEI), current cell tower identifier (CID), subscriber identifier (IMSI) and more. In return, the server sends a list of actions for the bot to perform.

Advertisement. Scroll to continue reading.

3. DroidLive features several commands, which are handled by dedicated components. It can send text messages, make phone calls, or attempt to install itself as a device administration app. This last feature requires user consent, but if granted allows DroidLive privileges closer to those granted only to the device’s firmware. Inside the device admin code, it obtains a list of all the apps running on the device. Note this device admin-level access would allow other priviledged actions, such as wiping out all the data on the device.

Jiang told SecurityWeek that his team has discovered more than 10 distinct Android apps infected by the DroidLive malware, though none of those were found in the official Android Market. “Users can be infected by downloading and installing apps from various Android Markets,” Jiang said. “We find them from alternative marketplaces.”

While Jiang wasn’t able to provide any concrete number in terms of infected devices, he did warn that it could grow rapidly, similar to the case of DroidKungFu and AnserverBot. He also suggested that because DroidLive can be remotely controlled, it poses serious threats to Android users.

Android users should only download apps from reputable sources and always check reviews, ratings, and developer information before downloading.

At the time of publishing, the command and control server appears to still be operational. The server (IP addresses and domain intentionally omitted) appears to be a server located in China.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.