The Android "GoldDream" Malware Server is Still Alive

Many anti-virus vendors have reported on and dissected the suspicious and malicious Android "GoldDream" malware threat. The C&C server (lebar.gicp.net), which hosts this malware, has been revealed in many articles. But, to our surprise, this C&C server is still alive after several months and is still serving users with "GoldDream" malware. Currently, only Websense® ThreatSeeker® Network has blocked the malware server sites, out of the 19 vendors listed by VirusTotal!  

The malware site mainly targets users in China, masquerading as a normal Android apps distribution site. The site makes use of a fake certificate and registration information to lure more customers, and is placed at the bottom of the listed app sites in a bid to advertise itself as a good reputation site. 

We have analyzed all the available free Android apps on the site (23 in total). 18 of these apps contain "GoldDream" malware. These are normal game apps which are re-packaged to include malicious code. Although we have not analysed the paid apps, we believe they are highly suspicious. These "GoldDream" malware apps have the following malicious behaviors: 

• calling a phone number
• sending an SMS
• deleting a package on the device
• installing a package on the device
• uploading person information to the remote web server
• log user's activity and uploading to the remote web server 

We strongly suggest that users refrain from downloading and installing apps from untrusted 3rd party sources. And, if you need to, please scan the app before you install it.

Websense customers are protected from these threats by ACETM, our Advanced Classification Engine. Additional mobile security features are available from our Mobile Security Solution.