This part of Georgia Weidman’s presentation is dedicated to the malicious side of Android rooting, vividly exemplified by the infamous DroidDream app.

We are going to look at some evil ideas for rooting Android. Anybody remember this guy? (See image) DroidDream made a huge media splash because researchers like me and you had been saying for a long time, you know: “Anybody can put anything they want in the official Google Marketplace, so it’s really only a matter of time before something evil shows up there.” And of course everyone was like: “No, that will never happen, you’ll never get malware into the Google Marketplace.”
And then DroidDream showed up, the first known outbreak in the Google Marketplace. It rooted your phone, stole your information and did all sorts of crazy evil, and it was just sitting there in the Google Marketplace waiting for you to download, whereas every previous outbreak had been in some third-party market that had a lot of Chinese characters in it; and really, if you downloaded it you kind of deserved it, right? I mean, you couldn’t even read what it said.
But this looks normal. This was inside of the official Store that all end users were basically paying to use by buying an Android device, so they had some reason to believe this would be a safe place for them to find applications.
But because there is absolutely no oversight of all these applications – there are millions of them, this would take time, this would take effort. iPhone users always complain that it takes so long to get updates into the store or to get your apps into the Store in the first place, so the idea that things went into the Google Store automatically was awesome and people loved it.
But then stuff like this started to happen. But now, of course, if you get DroidDream, since it’s old, Lookout or any other antivirus program will flag it and say something like: “This is DroidDream; you do not want to install this.” But of course at the time when this first came to light, this was not the case; it just looked like a normal application.
What should have tipped some people off is how few permissions DroidDream actually asked for, compared to normal applications. We just looked at the normal non-malicious application Facebook that wanted this long, long list of permissions. DroidDream actually only asked for 4, which might have tipped some people off that something was up here, because you’ll never find an app that only asks for 4 permissions, never. They always have, like, 10 or 12 scary-looking things.

So, it wanted access to the Internet – normal one there, apps want access to the Internet, that doesn’t scare me. It wanted to read the phone state, so it wanted the IMEI – that’s bad, but it’s prevalent, a lot of apps ask for it, so it wouldn’t tip anybody off that anything was wrong here. Basically, it’s probably checking in to the server using the IMEI to uniquely identify you. A lot of the DroidDream variants were games, so that would be how you’re checking your scores, this is normal for Android; definitely not a good idea, but it happens.
And then, the other 2 it wanted: it wanted to be able to change the Wi-Fi state and access the Wi-Fi state. So, theoretically, it just wanted to be able to make sure that you’re on the Wi-Fi before it sent things. So, wow, this app’s really looking out for me, it doesn’t want to run up data charges for me, it’s only going to check in when it’s on the Wi-Fi.
No, that’s actually not what it was doing at all. One of the roots it uses actually requires you to change the Wi-Fi state, like, basically, toggle it on and off before the shell hits, so that was actually malicious. But looking at those, it doesn’t look that scary compared to most apps.
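The talk’s point is that a short permission list says nothing on its own; what matters is what the permissions combine into. The following added example (not code from the presentation) is a small manifest triage script: it parses the `uses-permission` entries from an AndroidManifest.xml, maps them onto capabilities, and flags the combination the talk describes (device identifier plus network egress, and Wi-Fi toggling). The manifest, package name and capability table are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace Android uses for manifest attributes such as android:name
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment with the four permissions named in the talk;
# the package name and label are made up for this example.
DROIDDREAM_LIKE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bowlingtime">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
    <application android:label="Bowling Time"/>
</manifest>
"""

# Capability buckets (assumed grouping for this example, not an Android API)
CAPABILITIES = {
    "network_egress": {"android.permission.INTERNET"},
    "device_identifier": {"android.permission.READ_PHONE_STATE"},
    "wifi_control": {"android.permission.CHANGE_WIFI_STATE"},
    "wifi_inspection": {"android.permission.ACCESS_WIFI_STATE"},
}


def requested_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def capabilities(perms) -> dict:
    """Map a permission list onto the coarse capability buckets above."""
    have = set(perms)
    return {cap: bool(need & have) for cap, need in CAPABILITIES.items()}


def triage(manifest_xml: str) -> dict:
    """Summarise a manifest: count, raw permissions, capabilities and findings.

    The findings encode the reasoning from the talk: a tiny list is not
    reassuring when it still lets the app identify the device and phone home,
    and Wi-Fi toggling needs a feature that explains it.
    """
    perms = requested_permissions(manifest_xml)
    caps = capabilities(perms)
    findings = []
    if caps["device_identifier"] and caps["network_egress"]:
        findings.append("reads IMEI and has network access: device-tracking check-in capability")
    if caps["wifi_control"]:
        findings.append("can toggle Wi-Fi state: unusual for a game, needs a feature to justify it")
    return {
        "count": len(perms),
        "permissions": perms,
        "capabilities": caps,
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage(DROIDDREAM_LIKE_MANIFEST)
    print("%d permissions requested" % report["count"])
    for finding in report["findings"]:
        print(" -", finding)
```

Run against a real APK you would first pull the binary manifest out with `aapt dump permissions` or decode it with a tool such as apktool; the parser above expects the decoded XML.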
I as an Android researcher, just looking at this list of permissions, would think: “That’s a really small amount of permission coverage; that’s not really that scary at all compared to most apps.” But this was actually one of the scariest apps of all.

So, how does this actually work? Basically, when you downloaded DroidDream you saw something like this (see image). There were many variants of it, some of them were, for instance, adult dating sites, adult videos, which some people say: “I should use that as the demo,” but we’re actually looking at one called ‘Bowling Time’, which is just you play bowling on your phone and try knocking down all the pins. Pretty boring, compared to the adult sites, of course.
But then in the background, behind all of this, was where all the evil happened. Basically, when DroidDream would start, it would copy a bunch of normal apps like this that even had nice ads: you see, there’s ads up there, you know. Apps with ads – those are never scary, because they are paying their dues to advertisers.
But it would start the regular app in the foreground, so it would call it to start – just, basically, steal the straight-up source code from the original app, send it off to make it appear on your phone, and then do evil things in the background. So users would be none the wiser that this was any different than the original app.

And then it would root you in the background. You hadn’t downloaded anything and told it to root you – it just did. Upon install, when it started, it automatically tried root exploits, which at the time were unpatched on all the phones. By the time DroidDream hit the news, this had been updated on official Google phones, but most phones had not had it pushed out to them yet, so this was basically 0-day for the entire time of DroidDream.
So, if you installed the DroidDream app, you were going to get hit by one of these, because it not only tried one, but it tried two, and these were the same ones that the rooting applications were also trying. Oddly enough, I looked at the source code of DroidDream, I looked at the source code of Z4Mod, and I’m pretty sure DroidDream basically just copied their source code, because it’s even got the same variable names. So the source code was out there and the DroidDream writers copied it, put it in their app and went on their merry way with it. That’s how it happens, I guess.
So, what did DroidDream do after it rooted you if one of those two roots actually worked? And, again, they worked basically 0-days for most phones even up until the end, because people hadn’t been updated, they hadn’t had patches pushed to them by the time it hit the media, unless you were at that point a Nexus One, because it was the only one out then. So, unless you were a Nexus One, you were in trouble through the entirety of the DroidDream’s time on the marketplace.
It rooted your phone against super user permissions; it could write to the entire disk, including the system partition, which is where apps that are installed at, like, the base installs by your carriers are; and, theoretically, no one else should be able to write there. But of course, if you root, you can write wherever you want.
It also installed packages as system, and at that point the permission model completely broke down. There are permissions that you can ask for as system that you would not even dream of as a developer: you can do anything you want there, you have complete control of the phone. And now DroidDream has that as well. So it has access to everything at once: it stole your personal information, it ran up your phone bill, sent it out to the C&C server. It suddenly had access to every permission available. That’s rooting your phone: permission model – gone.

This brings us back to these guys (see image). Again, I’ve read the source code of both of these, non-evil, they give you your super user, and then they go away. But, for instance, you’re looking for Z4Mod and you spell it with 2 O’s, and you end up on a website that has something that looks a lot like this; I mean, it can get the source code so it can pretend to be this, but it isn’t. It actually does root your phone; you come out of it with super user permissions, so you as a user are happy, you got what you wanted. But what happened in the background? You have no idea because it’s all going to go on behind the scenes.
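The two concrete effects the talk attributes to a silent root are that the system partition becomes writable and that packages get installed as system. Both leave traces a defender can look for. The following added example (not code from the presentation) takes the text of `/proc/mounts` and a file listing as input and reports the indicators: `/system` mounted read-write and a `su` binary or foreign package under `/system`. The sample mount table and file listing are constructed; the paths and the detection thresholds are assumptions for illustration.

```python
# Constructed sample of /proc/mounts as it might look after /system was
# remounted read-write. Device names and filesystems are illustrative.
SAMPLE_MOUNTS = """rootfs / rootfs ro,relatime 0 0
/dev/block/mtdblock3 /system yaffs2 rw,relatime 0 0
/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev,relatime 0 0
/dev/block/mtdblock4 /cache yaffs2 rw,nosuid,nodev,relatime 0 0
"""

# Constructed file listing of a device; the package name is made up.
SAMPLE_FILES = [
    "/system/bin/sh",
    "/system/bin/su",
    "/system/app/Phone.apk",
    "/system/app/com.example.bowlingtime.apk",
]

# Locations a root tool conventionally drops its su binary (assumed list)
SU_PATHS = {"/system/bin/su", "/system/xbin/su", "/sbin/su"}

# Baseline of packages expected under /system on this device (assumed
# allow-list; on a real device you would take it from a known-good image)
EXPECTED_SYSTEM_APPS = {"/system/app/Phone.apk"}


def parse_mounts(text: str) -> dict:
    """Parse /proc/mounts lines into {mountpoint: set(options)}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        _device, mountpoint, _fstype, options = fields[:4]
        table[mountpoint] = set(options.split(","))
    return table


def system_writable(mounts_text: str) -> bool:
    """True when /system is mounted with the rw option."""
    return "rw" in parse_mounts(mounts_text).get("/system", set())


def root_indicators(mounts_text: str, files) -> list:
    """Return human-readable indicators of a rooted or tampered device."""
    indicators = []
    if system_writable(mounts_text):
        indicators.append("/system mounted read-write")
    present = set(files)
    for su in sorted(SU_PATHS & present):
        indicators.append("su binary present at %s" % su)
    for path in sorted(present):
        if path.startswith("/system/app/") and path not in EXPECTED_SYSTEM_APPS:
            indicators.append("unexpected package installed as system: %s" % path)
    return indicators


if __name__ == "__main__":
    for item in root_indicators(SAMPLE_MOUNTS, SAMPLE_FILES):
        print(" -", item)
```

On a live device the same functions can be fed with `adb shell cat /proc/mounts` and `adb shell ls -R /system` output; note that a stock device may still list `/system` as `rw` briefly during an OTA update, so the mount check is an indicator to correlate, not proof by itself.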