The fall of Domino - a preinstalled hostile downloader

Wednesday 30 September 15:00 - 15:30, Green room

Łukasz Siewierski (Google)

Android is an open-source operating system which allows OEMs and their subcontractors certain flexibility in adding components to the system. These software pieces may contain new and exciting features, but sometimes they can also hide complex malware. This talk will deal with a malware family called 'Domino'. Domino was discovered preinstalled on Android devices and distributed as a new operating system component included by device manufacturers. In fact, the malware author added additional code to many Android components - browser, settings and framework. Thanks to these changes Domino was also able to download additional applications and prevent their uninstallation.

Different versions of Domino implemented different behaviour, from displaying advertisements to overwriting visited URLs in order to change the default search engine or advertisement campaign referral. The changes introduced by Domino also made it possible to ensure that Domino’s browser was exclusively used to display all links clicked by the user.

Rather unusually, we were able to obtain a whole compressed archive with Domino’s source code, notes for the device manufacturers and code comments. This package also includes SELinux policies crafted in a way that allows Domino to persist and run with higher privileges. In addition, we obtained a test application which tried to interact with the Google Play store and seems to be written by the Domino author to test some coding ideas.

The talk will conclude with the analysis of the relationship between Domino and rooting trojans and an analysis of Domino’s complex advertising ecosystem.



Łukasz Siewierski

Łukasz Siewierski is a reverse engineer on the Android Security team at Google, where he takes apart malware and figures out how to stop it from working. Previously he was taking apart security incidents at the .pl domain registry, figuring out how to prevent them from happening in the future. Siewierski likes sharing his knowledge by presenting at conferences, such as Kaspersky SAS, Virus Bulletin or RSA Conference.

Back to VB2020 Programme page

Other VB2020 papers

Unveiling the CryptoMimic

Hajime Takai (NTT Security)

Shogo Hayashi (NTT Security)

Rintaro Koike (NTT Security)

XDSpy: stealing government secrets since 2011

Matthieu Faou (ESET)
Francis Labelle (ESET)

2030: backcasting the potential rise and fall of cyber threat intelligence

Jamie Collier (FireEye)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.