Security researchers have identified a new piece of Android spyware which spreads via repackaged applications and is capable of switching between different command and control servers.
Dubbed GoldDream, the trojan was discovered on alternative Android markets by Xuxian Jiang, assistant professor in the NC State University’s department of computer science.
The peice of malware is designed to spy on victims by uploading their call log and SMS messages to a remote server.
In addition, the trojan notifies the attacker when a call is initiated or when an SMS message is received. It acts like a botnet client that can receive commands remotely.
According to the security researcher, GoldDream can be ordered to send SMS messages, make phone calls, install or uninstall apps and upload a file to a remote server.
Malware analysts from Trend Micro note that the spyware has an unusual ability to update itself and change its command and control servers.
Most Android trojans seen in the past had harcoded C&C URLs, however, the attackers behind GoldDream probably wanted more flexibility in case their primary server goes down.
This sort of redundancy mechanism is typical of desktop trojans that function as part of botnets, however, it has lacked from the mobile threat landscape so far.
The practice of repackaging legit apps with trojans remains the most popular method of distributing Android malware. People should pay attention to the permissions requested upon installation, because trojanized apps need extensive access.
Even though GoldDream was found on private forums distributing apps, Installing only applications from the official Android Market will not guarantee protection from these attacks.
Many Android trojans were originally identified on alternative markets and then made their way to the official one. Google has removed tens of trojanized apps so far from their website and even used remote uninstall commands on some occasions. Source: Softpedia