NC State computer science researchers have discovered yet another variety of malware targeting Android. The new malware, called “GoldDream,” collects data on text messages and phone calls – and may also be used to install new apps on Android smartphones or to upload files stored on Android to a remote server.
The NC State team, led by Xuxian Jiang, has previously discovered DroidKungFu, Plankton and YZHCSMS – as well as variations on DroidKungFu uncovered last week and a data-stealing vulnerability in Android 2.3 (Gingerbread) that was revealed in January.
GoldDream piggybacks on infected apps and sets up a background service on the Android user’s smartphone without the user’s knowledge. GoldDream then collects the user’s device and subscriber IDs and sends that information to a remote server.
When an infected phone receives a text message (also known as an SMS message), GoldDream will store the content of the message, when it was received and who sent it. It does the same for outgoing messages. GoldDream also collects timestamp information and phone numbers for incoming and outgoing phone calls. All of this information is stored in local files, and can be retrieved via a remote server using a bot command (which effectively takes control of part of the phone).
GoldDream exhibits bot-like behavior by receiving and executing commands from a remote server. The investigation from Jiang’s team shows that this malware could also be used to attempt to install or uninstall apps, or to steal other files stored on the smartphone. Jiang’s technical analysis of GoldDream can be found here.
So far, GoldDream has only been found in a few alternative Android markets and forums targeting Chinese-speaking users.