Security Alert: New Android Malware -- GoldDream -- Found in Alternative App Markets

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
Update: to ensure proper attribution of our work, we added an acknowledgement requirement to the bottom of this page.

After the discovery of a series of Android malware in June (DroidKungFu, YZHCSMS, Plankton, and DroidKungFu Variants), my research team recently came across a new Android malware called GoldDream. This new malware spies on SMS messages received by users as well as incoming/outgoing phone calls and then uploads them to a remote server without the user's awareness. Moreover, this malware has bot capability in place: it will fetch commands from a remote C&C server and execute them accordingly. We found that this malware has been circulating in a few alternative Android markets and forums targeting Chinese-speaking users. Some popular game apps (e.g., Draw Slasher and Drag Racing) have been repackaged to include this malware.

Getting started & phoning home

The starting process of GoldDream is similar to that of many existing Android malware. It registers a receiver so that it is notified of certain system events, such as when an SMS message is received or when there is an incoming/outgoing phone call. Upon these events, the malware launches a background service without the user's knowledge.

Once the service is started, the GoldDream malware collects a variety of information about the infected mobile phone, including the IMEI number as well as the unique subscriber ID. It then uploads this information to a remote server.

Spying on SMS messages and phone calls

Our investigation shows that when an SMS message is received on an infected phone, GoldDream collects the source address, content and timestamp of the received SMS message. Similarly, when there is an incoming/outgoing phone call, the malware collects the phone number and timestamp of the call. The collected information is written into local files for later use (there is a bot command to fetch these files).
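The behavior described in the two sections above (a broadcast receiver for SMS and phone-call events, a background service, device identifiers, and an upload channel) leaves a footprint in an app's AndroidManifest.xml before any code runs. The following triage script is an added example written for this page, not the author's code or anything recovered from the GoldDream samples: it parses a manifest and flags the combination of event receivers, gating permissions, a declared service and INTERNET access. Both manifests, the package names and the component names (.EventReceiver, .CollectorService) are constructed for illustration. The same permission/receiver combination is legitimate in an SMS client or dialer, so treat a hit as a reason to look at a repackaged game more closely, not as a verdict.

```python
"""Triage an Android manifest for the receiver-driven spyware pattern
(SMS/call event receivers + background service + network access)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # android:name expands to this key

# Event -> (permission that gates it, broadcast action a receiver registers for)
WATCHED_EVENTS = {
    "sms_received": ("android.permission.RECEIVE_SMS",
                     "android.provider.Telephony.SMS_RECEIVED"),
    "incoming_call": ("android.permission.READ_PHONE_STATE",
                      "android.intent.action.PHONE_STATE"),
    "outgoing_call": ("android.permission.PROCESS_OUTGOING_CALLS",
                      "android.intent.action.NEW_OUTGOING_CALL"),
}
NETWORK_PERMISSION = "android.permission.INTERNET"
DEVICE_ID_PERMISSION = "android.permission.READ_PHONE_STATE"  # IMEI / subscriber ID

# Constructed sample: a game that also declares SMS/call receivers and a service.
# Package and component names are hypothetical.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.repackaged.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
    <application android:label="Game">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".EventReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
                <action android:name="android.intent.action.PHONE_STATE"/>
                <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
            </intent-filter>
        </receiver>
        <service android:name=".CollectorService"/>
    </application>
</manifest>
"""

# Constructed sample: the same kind of game with only network access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plain.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Game">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Extract permissions, receiver->actions and services from a manifest."""
    root = ET.fromstring(xml_text)
    permissions = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    receivers = {}
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME_ATTR) for a in receiver.iter("action")}
        receivers[receiver.get(NAME_ATTR)] = actions
    services = [s.get(NAME_ATTR) for s in root.iter("service")]
    return {"package": root.get("package"), "permissions": permissions,
            "receivers": receivers, "services": services}


def triage(manifest):
    """Flag event receivers whose gating permission is also declared, then
    combine with service + network access into a single heuristic verdict."""
    all_actions = set()
    for actions in manifest["receivers"].values():
        all_actions |= actions
    findings = []
    for event, (perm, action) in WATCHED_EVENTS.items():
        if perm in manifest["permissions"] and action in all_actions:
            findings.append("%s: receiver for %s backed by %s" % (event, action, perm))
    can_exfil = NETWORK_PERMISSION in manifest["permissions"]
    reads_device_id = DEVICE_ID_PERMISSION in manifest["permissions"]
    has_service = bool(manifest["services"])
    # Heuristic: at least one intercepted event, a service to do work in the
    # background, and a way to send the collected data out.
    suspicious = bool(findings) and has_service and can_exfil
    return {"package": manifest["package"], "findings": findings,
            "can_exfil": can_exfil, "reads_device_id": reads_device_id,
            "has_service": has_service, "suspicious": suspicious}


if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = triage(parse_manifest(text))
        print(report["package"], "suspicious" if report["suspicious"] else "clean")
        for line in report["findings"]:
            print("  -", line)
```

Run as a script it prints one verdict per manifest; the constructed repackaged-game manifest produces three findings (SMS received, incoming call, outgoing call) and is marked suspicious, the plain game none. On a real APK the manifest is binary XML and must first be decoded (for example with apktool or aapt) before being fed to parse_manifest.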

The following code snippet shows the information-collecting behavior for received SMS messages and incoming/outgoing phone calls.



The following code snippet shows the file-uploading behavior that transports the collected information to a remote server.

Fetching/executing remote commands

The GoldDream malware also exhibits bot behavior: it can receive commands from a remote server and then execute them accordingly. Based on our initial analysis, the commands GoldDream supports include
As mentioned earlier, the last one can be used to upload sensitive information collected from infected phones.

Mitigation:

For mitigation, please follow basic, common-sense guidelines for smartphone security. For example,

Follow-ups:

Creative Commons License
This work by Xuxian Jiang is licensed under a Creative Commons Attribution 3.0 Unported License.

Last modified: July 7, 2011