This malicious program affects mobile devices running the Android operating system. It can give a remote hacker access to your mobile device.
This threat might be bundled with clean applications.
Threat behavior
Installation
TrojanSpy:AndroidOS/DroidDream.A can be downloaded from the Internet.
Upon installation, it displays the following text on the device, outlining its capabilities:
Payload
Steals information
TrojanSpy:AndroidOS/DroidDream.A is capable of the following:
Accessing the Internet
Accessing your device's SD card (including modifying and deleting the card contents)
Toggling the Wi-Fi on and off
Modifying the device's settings and system files
Gaining highest privilege on the device's operating system
Downloading other potentially malicious files into the device
TrojanSpy:AndroidOS/DroidDream.A also contains the following exploit code:
rageagainstthecage
exploid
Both are detected as Exploit:Unix/Lotoor and can allow a remote attacker to gain administrator privilege on the underlying operating system of the mobile device. The trojan also contains the following file, which is likewise detected as TrojanSpy:AndroidOS/DroidDream.A:
sqlite_db
When installed, this file can steal the following information stored in the device and send the information to the remote address 184.105.245.17:
IMEI
IMSI
Model
ProductId
Partner
Language
Country
UserId
It is also capable of downloading other potentially malicious files into the device and can execute SQL commands.
Analysis by Marianne Mallen
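The component names and the collection address listed above are the indicators a defender can act on. The following Python script is an added example, not part of this analysis or of any Microsoft tooling: it lists the DroidDream.A component files found inside an APK (an APK is a ZIP archive; matching on basename regardless of directory is an assumption) and flags proxy or firewall log lines that show traffic to 184.105.245.17. The APK and log lines it runs on are constructed stand-ins, not real samples.

```python
import io
import re
import zipfile

# Component files this page lists as embedded in DroidDream.A:
# the two exploit binaries and the data-theft component.
DROIDDREAM_ARTIFACTS = {"rageagainstthecage", "exploid", "sqlite_db"}
# Remote address the page reports the stolen device data is sent to.
DROIDDREAM_C2 = "184.105.245.17"


def find_embedded_artifacts(apk_bytes: bytes) -> set:
    """Return the DroidDream.A component names present in an APK.
    Only the ZIP entry list is inspected; the directory an entry sits in
    is ignored (assumption: match on basename, case-insensitively)."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            basename = name.rsplit("/", 1)[-1].lower()
            if basename in DROIDDREAM_ARTIFACTS:
                found.add(basename)
    return found


def flag_c2_connections(log_lines) -> list:
    """Return log lines that mention the collection host as a whole IP
    (so 184.105.245.170 or 1184.105.245.17 do not produce false hits)."""
    pattern = re.compile(r"(?<![\d.])" + re.escape(DROIDDREAM_C2) + r"(?![\d.])")
    return [line for line in log_lines if pattern.search(line)]


def build_sample_apk() -> bytes:
    """Constructed ZIP standing in for a suspicious APK (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"constructed placeholder")
        z.writestr("assets/rageagainstthecage", b"constructed placeholder")
        z.writestr("assets/sqlite_db", b"constructed placeholder")
        z.writestr("res/drawable/icon.png", b"constructed placeholder")
    return buf.getvalue()


# Constructed log lines standing in for a firewall export.
SAMPLE_LOGS = [
    "2011-03-02 10:14:03 src=10.0.0.23 dst=184.105.245.17 dport=80 proto=tcp",
    "2011-03-02 10:14:05 src=10.0.0.23 dst=184.105.245.170 dport=443 proto=tcp",
    "2011-03-02 10:14:09 src=10.0.0.41 dst=93.184.216.34 dport=80 proto=tcp",
]

if __name__ == "__main__":
    print(sorted(find_embedded_artifacts(build_sample_apk())))
    print(flag_c2_connections(SAMPLE_LOGS))
```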