Google Removes 26 Apps with DroidDream Light Malware from Android Market

The original developers behind DroidDream have added more applications to the Android Market with a stripped-down version of the original Android malware, according to a security firm.

A total of 26 applications in the official Android Market were found to contain malware that can steal significant amount of personal data, Lookout Security said May 30. The new DroidDream Light is a modified version of the DroidDream that infected over 50 applications back in March. DroidDream Light is believed to have already affected “between 30,000 and 120,000 users,” according to Lookout.

Lookout Security identified DroidDream Light after a developer noticed that modified versions of his app and another developer’s app were being distributed in the Android Market under another developer account. Lookout Security Team identified the malicious code “grafted” into the apps and found similarities between the new code and the previously analyzed DroidDream samples.

Google has removed all of the apps known to be infected from the Android Market, according to Lookout. Five different developer accounts were behind the infected apps, including Magic Photo Studio, Mango Studio, ET Tean, BeeGoo and DroidPlus.

Despite the name, DroidDream Light does not appear to be any less malicious or less complex than the original DroidDream. In fact, it can be considered more dangerous as it does not depend on the user to launch the app to execute. It also collects a lot of information, including the unique IMEI (international mobile equipment identity) identifier, IMSI (International Mobile Subscriber Identifier), SDK version, handset model and information about installed packages on the Android device, Lookout said.

DroidDream Light is triggered when the "android.intent.action.PHONE_STATE" value is set, such as when the user receives an incoming phone call, according to Lookout. While the latest malware is capable of downloading new packages and prompting users to install them, it differs from DroidDream in that it can’t actually perform the update without the user accepting and approving the update requests.

The apps also contained code that could be triggered when users received text messages, F-Secure researchers found.

“The added code will connect to a server and send details about the infected handset to the malware authors,” F-Secure Chief Research Officer Mikko Hypponen wrote. “So we're talking about a mobile botnet.”

Google discovered and removed 58 apps on the Android Market in early March when DroidDream first broke on the scene. Google also took the unprecedented step of using its “remote kill switch,” which allowed it to automatically remove the malicious apps that had already been installed on Android devices. The company made a number of changes to try to prevent this kind of infection from happening again.

Users need to use “common sense” when installing apps and check the permissions that newly downloaded apps are requesting, Lookout said. The permissions should match the features the app provides. For example, one of the infected apps was supposed to simply display images in a gallery format and “was originally harmless,” according to Hypponen. The malware-infected “Magic Photo Studio” version requested permission for full Internet access and to be able to read phone state and identity.

Lookout recommends users install a mobile security app that scans every app being downloaded to ensure it is safe. Lookout, F-Secure and Webroot are just a handful of companies offering a mobile security app for Android users.