Android is an open-source operating system which allows OEMs and their subcontractors certain flexibility in adding components to the system. These software pieces may contain new and exciting features, but sometimes they can also hide complex malware. This talk will deal with a malware family called 'Domino'. Domino was discovered preinstalled on Android devices and distributed as a new operating system component included by device manufacturers. In fact, the malware author added additional code to many Android components - browser, settings and framework. Thanks to these changes Domino was also able to download additional applications and prevent their uninstallation.

Different versions of Domino implemented different behaviour, from displaying advertisements to overwriting visited URLs in order to change the default search engine or advertisement campaign referral. The changes introduced by Domino also made it possible to ensure that Domino’s browser was exclusively used to display all links clicked by the user.

Rather unusually, we were able to obtain a whole compressed archive with Domino’s source code, notes for the device manufacturers and code comments. This package also includes SELinux policies crafted in a way that allows Domino to persist and run with higher privileges. In addition, we obtained a test application which tried to interact with the Google Play store and seems to be written by the Domino author to test some coding ideas.

The talk will conclude with the analysis of the relationship between Domino and rooting trojans and an analysis of Domino’s complex advertising ecosystem.