Security Alert: New Android Malware -- GoldDream -- Found in Alternative App Markets
By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
Update: to ensure proper attribution of our work, we added an acknowledgement requirement to the bottom of this page.
After the discovery of a series of Android malware in June
and DroidKungFu Variants),
my research team recently came across a new Android malware called GoldDream. This new malware
spies on SMS messages received by users as well as incoming/outgoing phone calls and then uploads them
to a remote server without the user's awareness. Moreover, this malware has bot capability in place: it will
fetch commands from a remote C&C server and execute them accordingly.
We found that this malware has been circulating in a few alternative Android markets and forums
targeting Chinese-speaking users. Some popular game apps (e.g., Draw Slasher and Drag Racing) have been repackaged to include this malware.
Getting started & phoning home
The starting process of GoldDream is similar to that of many existing Android malware. It registers a receiver
so that it is notified of certain system events, such as when an SMS message is received or when there is an
incoming/outgoing phone call. Upon these events, the malware launches a background service without the user's knowledge.
Once the service is started, the GoldDream malware collects a variety of information about the infected
mobile phone, including the IMEI number as well as the unique subscriber ID. It then uploads this information
to a remote server.
Spying on SMS messages and phone calls
Our investigation shows that when an SMS message is received on an infected phone, GoldDream collects the source address, content
and timestamp of the received SMS message. Similarly, when there is an incoming/outgoing phone call,
the malware collects the phone number and timestamp of the call. The collected information
is written into local files for later use (there is a bot command to fetch these files).
The following code snippet shows the information-collecting behavior for received SMS messages and incoming/outgoing
The following code snippet shows the file-uploading behavior that transports the collected information to a remote server.
Fetching/executing remote commands
The GoldDream malware also exhibits bot behavior: it can receive commands from a remote server
and then execute them accordingly. Based on our initial analysis, the commands GoldDream supports include:
- Sending SMS messages in background
- Making phone calls
- Installing/un-installing apps
- Uploading a file to remote server
As mentioned earlier, the last one can be used to upload sensitive information collected from infected phones.
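The three behaviors described above (a receiver that wakes on SMS and call events, a background service that does the collection, and the permissions needed to read device identifiers, act on bot commands and reach the network) all leave traces in an app's manifest, which is the same thing a user is shown at install time. The following triage script is an added example written for this page; it is not GoldDream's code or the research team's tooling. It assumes the APK's AndroidManifest.xml has already been decoded to plain XML (for instance with apktool), and the two manifests embedded in it are constructed for the example, not taken from a real sample.

```python
"""Flag the event-driven spyware pattern in a decoded AndroidManifest.xml.

Added example; not the malware's code.  Assumes the manifest was decoded to
plain XML (e.g. by apktool).  Both sample manifests below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Broadcast events the text says the malware hooks to wake its background service.
TRIGGER_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED": "SMS received",
    "android.intent.action.PHONE_STATE": "incoming call",
    "android.intent.action.NEW_OUTGOING_CALL": "outgoing call",
}

# Permissions an app needs for the behaviours described in the text.
PERMISSION_ROLES = {
    "android.permission.READ_PHONE_STATE": "read IMEI / subscriber ID",
    "android.permission.RECEIVE_SMS": "read incoming SMS",
    "android.permission.PROCESS_OUTGOING_CALLS": "see outgoing call numbers",
    "android.permission.SEND_SMS": "send SMS in background (bot command)",
    "android.permission.CALL_PHONE": "make phone calls (bot command)",
    "android.permission.INSTALL_PACKAGES": "silent install (system-only permission)",
    "android.permission.INTERNET": "upload to a remote server",
}


def android_attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Summarise what the manifest declares and whether it matches the pattern:
    an event-triggered receiver, a service to do the work, and the permissions
    to read device identifiers and reach the network."""
    root = ET.fromstring(xml_text)
    permissions = {android_attr(p, "name") for p in root.iter("uses-permission")}
    triggers, services = [], []
    app = root.find("application")
    if app is not None:
        for receiver in app.iter("receiver"):
            for action in receiver.iter("action"):
                name = android_attr(action, "name")
                if name in TRIGGER_ACTIONS:
                    triggers.append((android_attr(receiver, "name"), name))
        services = [android_attr(s, "name") for s in app.iter("service")]
    roles = [role for perm, role in PERMISSION_ROLES.items() if perm in permissions]
    suspicious = (
        bool(triggers)
        and bool(services)
        and "android.permission.INTERNET" in permissions
        and "android.permission.READ_PHONE_STATE" in permissions
    )
    return {"package": root.get("package"), "triggers": triggers,
            "services": services, "roles": roles, "suspicious": suspicious}


# Constructed manifest of a repackaged game carrying the pattern (not a real sample).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="%s" package="com.example.repackaged.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Game">
    <activity android:name=".MainActivity"/>
    <receiver android:name="com.example.repackaged.EventReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.PHONE_STATE"/>
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
    <service android:name="com.example.repackaged.UploadService"/>
  </application>
</manifest>""" % ANDROID_NS

# Constructed manifest of the same game without the added components.
CLEAN_MANIFEST = """<manifest xmlns:android="%s" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Game">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>""" % ANDROID_NS

if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, CLEAN_MANIFEST):
        report = triage_manifest(text)
        print(report["package"], "suspicious" if report["suspicious"] else "ok")
        for receiver, action in report["triggers"]:
            print("  trigger:", receiver, "<-", TRIGGER_ACTIONS[action])
        for role in report["roles"]:
            print("  can:", role)
```

The check is deliberately a conjunction: a game that asks only for INTERNET, or a messaging app that legitimately receives SMS but declares no service and no phone-state access, is not flagged. A single permission is rarely damning; the combination of an SMS/call-triggered receiver, a service, identifier access and network access is the shape the text describes, and it is what reviewers of alternative markets can look for before the app is ever run.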
For mitigation, please follow basic, common-sense guidelines for smartphone security. For example,
- download apps from reputable app stores that you trust, and always check reviews, ratings and developer information before downloading;
- check the permissions on apps before you actually install them and make sure you are comfortable with the data they will be accessing;
- be alert for unusual behavior on your mobile phone and make sure you have up-to-date security software installed on it.
- 07/07/2011: We noticed some commercial AV companies did not give us the deserved credit for our findings. Therefore, we added an acknowledgement requirement before any of our findings of new Android malware as well as requested samples can be used in any form. More specifically, we anticipate an acknowledgement that basically says "The credit of discovering this malware goes to Dr. Xuxian Jiang and his research team at North Carolina State University." By doing so, we can ensure (1) our time and efforts are recognized and (2) our findings are given due credit.
- 07/05/2011: We have been in touch with a number of mobile AV companies or related ones to detect and block this malware, including Lookout, Symantec, McAfee, Fortinet, AVG Mobilation, Juniper, Google, Antiy, Websense, Trend Micro, Webroot, Sophos, ...
- 07/05/2011: This article goes public.
- 07/01/2011: The GoldDream malware is detected.
This work by Xuxian Jiang is licensed under a Creative Commons Attribution 3.0 Unported License.
Last modified: July 7, 2011