Connections Between DroidDreamLight and DroidKungFu | Malware Blog | Trend Micro

Trend Micro's write-up on DroidDreamLight and DroidKungFu

We were recently able to analyze the routines of the latest DroidKungFu variant, detected as ANDROIDOS_KUNGFU.CI. While we were monitoring the traffic between ANDROIDOS_KUNGFU.CI and its remote server, we chanced upon a command to delete a certain package.
In the command above, the server instructs the malware to delete a package called com.practical.share. We have seen other commands sent from the server such as commands to update the malware’s native code, install an APK, or open a URL. But this is the first time we’ve seen the server tell the malware to delete a package, and we’re not entirely sure why it does this routine.
I did some research on the package, and found that the deleted package is a new DroidDreamLight variant. The DroidDreamLight family is known to show notifications as part of its social engineering routine. This is to trick the user into clicking on the notifications to download a new component or to update itself.
This particular DroidDreamLight variant, detected as ANDROIDOS_DORDRAE.O, starts its service (called ‘SystemConfService’) when the device boots up or receives/makes a call. It uploads the same information as its previous incarnations.
I wanted to see the notifications created by the malware for myself so I tested it by creating a web server and making the malware connect to it by changing the emulator network setting. Based on my analysis of the code, the malware expects an XML from the server with the following sample format:
