The fall of Domino – a preinstalled hostile downloader

Łukasz Siewierski (Google)
Live only, 17:00 - 17:30 UTC on Day 1, Wednesday 30 September 2020
Android is an open-source operating system which allows OEMs and their subcontractors certain flexibility in adding components to the system. These software pieces may contain new and exciting features, but sometimes they can also hide complex malware. This talk will deal with a malware family called 'Domino'. Domino was discovered preinstalled on Android devices and distributed as a new operating system component included by device manufacturers. In fact, the malware author added additional code to many Android components: the browser, settings and the framework. Thanks to these changes, Domino was also able to download additional applications and prevent their uninstallation.

Different versions of Domino implemented different behaviour, from displaying advertisements to overwriting visited URLs in order to change the default search engine or advertisement campaign referral. The changes introduced by Domino also made it possible to ensure that Domino’s browser was exclusively used to display all links clicked by the user.

Rather unusually, we were able to obtain a whole compressed archive with Domino’s source code, notes for the device manufacturers and code comments. This package also includes SELinux policies crafted in a way that allows Domino to persist and run with higher privileges. In addition, we obtained a test application which tried to interact with the Google Play store and seems to be written by the Domino author to test some coding ideas.

The talk will conclude with the analysis of the relationship between Domino and rooting trojans and an analysis of Domino’s complex advertising ecosystem.
Łukasz Siewierski (Google)

Łukasz Siewierski is a reverse engineer on the Android Security team at Google, where he takes apart malware and figures out how to stop it from working. Previously he was taking apart security incidents at the .pl domain registry, figuring out how to prevent them from happening in the future. Siewierski likes sharing his knowledge by presenting at conferences, such as Kaspersky SAS, Virus Bulletin or RSA Conference.