Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

New Android Trojan Masquerades as Google Library, Taps Device Administration API

DroidLive” SMS Android Trojan Masquerading as a Google Library, Attempts to Utilize Device Administration API

DroidLive” SMS Android Trojan Masquerading as a Google Library, Attempts to Utilize Device Administration API

A research team at NC State University led by Assistant Professor Xuxian Jiang and NetQin, have uncovered a new SMS Android Trojan that attempts to install itself as a device administration app, and capable of tapping into personal data and performing a mixture of nefarious activities on android mobile devices.

Android MalwareJiang, who is also Director of NetQin’s U.S. Security Research Center, explained that the android malware, dubbed DroidLive, attempts to disguise itself as a Google library, and receives commands from a Command and Control (C&C) server, allowing it to perform functions including sending text messages to premium numbers, initiating phone calls, collecting personal data, and more.

Over the weekend, Jiang told SecurityWeek that this is new malware and not a variant of previously known samples, and appears to be the first to take advantage of the device administration API.

“Though this requires user consent, if such consent is given, DroidLive can obtain privileges closer to those granted only to the device’s firmware,” Jiang explained. “This Trojan attempts to hide itself by appearing as a Google library — all of its functionality is contained in a package that matches Google’s own package naming convention.”

How DroidLive Works

Jiang shared the following details on how DroidLive works, and provided the diagram below to help further explain how it uses Android’s standard inter-app communication layer:

DroidLive Android Trojan

1. DroidLive’s heart is a main control service, MainService, which is invoked via the Android IPC mechanisms by other parts of the Trojan. This service takes action based on a string passed to it when it is invoked; these strings are in plain, human-readable text. MainService is initially invoked by other receivers that listen for a variety of (17) system events.

2. Once the malware has been initially invoked, it uses message queues and Android’s alarm functionality to periodically wake up and contact its C&C server. As part of this process, DroidLive sends a large amount of information to the server, including the device’s unique hardware identifier (IMEI), current cell tower identifier (CID), subscriber identifier (IMSI) and more. In return, the server sends a list of actions for the bot to perform.

3. DroidLive features several commands, which are handled by dedicated components. It can send text messages, make phone calls, or attempt to install itself as a device administration app. This last feature requires user consent, but if granted allows DroidLive privileges closer to those granted only to the device’s firmware. Inside the device admin code, it obtains a list of all the apps running on the device. Note this device admin-level access would allow other priviledged actions, such as wiping out all the data on the device.

Jiang told SecurityWeek that his team has discovered more than 10 distinct Android apps infected by the DroidLive malware, though none of those were found in the official Android Market. “Users can be infected by downloading and installing apps from various Android Markets,” Jiang said. “We find them from alternative marketplaces.”

While Jiang wasn’t able to provide any concrete number in terms of infected devices, he did warn that it could grow rapidly, similar to the case of DroidKungFu and AnserverBot. He also suggested that because DroidLive can be remotely controlled, it poses serious threats to Android users.

Android users should only download apps from reputable sources and always check reviews, ratings, and developer information before downloading.

At the time of publishing, the command and control server appears to still be operational. The server (IP addresses and domain intentionally omitted) appears to be a server located in China.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...

Cybercrime

A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...