Trend Micro recently found a new variant of DroidDreamLight in the Android Market. The app promotes itself as an app that helps users manage the .APK files on their device. The sample was downloaded 50–100 times before it was removed from the Android Market.
The malware sample Trend Micro found, now detected as ANDROIDOS_DORDRAE.M, was inside an app called App Installer. Once executed, the main class of the app starts the malware service called AppUseService.
The malware service still runs even if the app is not being executed. It starts when an Intent called android.intent.action.PHONE_STATE is triggered, which happens every time the device makes or receives a call. It collects the following information from the device, then uploads it to its server when it phones home:
- Device model
- Device language setting
- Country
- IMEI number
- IMSI number
- List of installed apps together with their names, package names, and package versions
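
The call-state trigger described above can be looked for during static triage of an app. The following Python is an added example, not code from the original post: it scans a decoded AndroidManifest.xml for components woken by android.intent.action.PHONE_STATE together with the permissions assumed necessary to read the IMEI/IMSI and upload them. The manifest, package name and `.CallReceiver` are constructed for illustration; only the service name `AppUseService` comes from the post.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
TRIGGER = "android.intent.action.PHONE_STATE"
# Assumption: reading IMEI/IMSI and phoning home requires these two permissions.
RISKY_PERMS = {"android.permission.READ_PHONE_STATE", "android.permission.INTERNET"}

# Constructed sample manifest in decoded form; not the real sample's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.appinstaller">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".AppUseService"/>
    <receiver android:name=".CallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def triage_manifest(xml_text):
    """Report components woken by call-state changes and the risky permissions requested."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    triggered = []
    for comp in (app if app is not None else []):
        if comp.tag not in ("receiver", "service"):
            continue
        actions = {a.get(ANDROID_NS + "name") for a in comp.iter("action")}
        if TRIGGER in actions:
            triggered.append(comp.get(ANDROID_NS + "name"))
    granted = sorted(perms & RISKY_PERMS)
    return {
        "triggered_by_call": triggered,
        "services": [s.get(ANDROID_NS + "name") for s in root.iter("service")],
        "risky_permissions": granted,
        # Flag only when the trigger and both permissions are present together.
        "suspicious": bool(triggered) and len(granted) == len(RISKY_PERMS),
    }

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A hit is a reason to inspect the app's code and network behaviour, not a verdict: legitimate call-handling apps register for the same broadcast.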