Android is an open-source operating system which allows OEMs and their subcontractors certain flexibility in adding components to the system. These add-ons may contain new and exciting features, but sometimes they also hide complex malware. This talk will deal with a malware family called ‘Domino’.

Domino was discovered preinstalled on certain Android devices and distributed as a new operating system component on a small fraction of different phone brands, all of them low-cost devices running Android 7 or lower. On these devices, the malware author added additional code to many Android components – such as the default browser, the Settings app and the Android framework – which allows Domino to use system privileges to download additional applications later on and prevent their uninstallation by the user.

Different versions of Domino implement different behaviour, from displaying advertisements to overwriting visited URLs in order to change the default search engine or advertisement campaign referral IDs. The changes introduced by Domino also made it possible to ensure that Domino’s browser was exclusively used to display all links clicked by the user.

Rather unusually, we were able to obtain a compressed archive with Domino’s source code, including code comments and notes for manufacturers on how to embed Domino on their devices. Additionally, this archive includes SELinux policies crafted to allow Domino to persist and run with elevated privileges. We also obtained a test application which tried to interact with the Google Play store in order to test referral substitution and seems to be written by the Domino author to test some coding ideas.