[DesktopECHO]

Yeah only the primary server seems to be on blocklists. The malware uses 3 DNS addresses, all on Linode.

Not that it matters, as the malware uses 8.8.8.8 if it doesn't like the DNS reply -- Then it tries a DNS server on port 5353!

[LinuxBender]

Another thing to look at if you have time is packet characteristics. I have found that many malware and bot installations appear to use really odd network libraries. Just do a tcpdump for a while and see what sticks out, such as missing MSS, really high TTL, missing SackOK, timestamps enabled this seems to be default on Android. Also look at the TCP header sizes vs. the normal TCP header sizes from legit devices on your network.

    tcpdump -i any -p -NNnnt -s0 -c512 proto 6 and 'tcp[13] == 2' # get syn packets, use "-i any" to see direction

I'm not sure where malware authors find their libraries but they do not try at all to look like normal traffic [Edit] or perhaps their government is telling them to add/remove specific options.

[DesktopECHO]

Thanks for the guidance here. Where I'm really stuck is when tcpdump tells me about the presence of the offending traffic and correlating process. In this case, it's the Android "system_server" process and I'm not sure how to find the hook into it that downloads the malware.

In hindsight I should have made this an Ask HN post...

[dylan604]

just reading you comment about differing packets, I was already thinking that seems like a dumb thing to have look different. Then you end with exactly that. Just goes to so that the world is so insecure that even minimal effort will get quite a return in this world. If it gets a big enough return so that even those that do stop it still makes it worth while, then why spend energy trying to do more. Hell, even Bill Gates is attributed to saying something about why should he pay for optimizing when disk space and cpu is always increasing faster than any optimizations could.