The DroidDream gang is back on the Android Market, this time with a stripped-down version of the malware. Google has removed the 26 apps identified so far.
original developers behind DroidDream have added more applications to the
Android Market with a stripped-down version of the original Android malware,
according to a security firm.
total of 26 applications in the official Android Market were found to contain
malware that can steal significant amount of personal data, Lookout
Security said May 30. The new DroidDream Light is a modified version of the
DroidDream that infected over 50 applications back in March. DroidDream Light
is believed to have already affected "between 30,000 and 120,000 users,"
according to Lookout.
Security identified DroidDream Light after a developer noticed that modified
versions of his app and another developer's app were being distributed in the
Android Market under another developer account. Lookout Security Team
identified the malicious code "grafted" into the apps and found similarities between
the new code and the previously analyzed DroidDream samples.
has removed all of the apps known to be infected from the Android Market,
according to Lookout. Five different developer accounts were behind the
infected apps, including Magic Photo Studio, Mango Studio, ET Tean, BeeGoo and
the name, DroidDream Light does not appear to be any less malicious or less
complex than the original DroidDream. In fact, it can be considered more
dangerous as it does not depend on the user to launch the app to execute. It
also collects a lot of information, including the unique IMEI (international
mobile equipment identity) identifier, IMSI (International Mobile Subscriber
Identifier), SDK version, handset model and information about installed
packages on the Android device, Lookout said.
Light is triggered when the "android.intent.action.PHONE_STATE" value
is set, such as when the user receives an incoming phone call, according to
Lookout. While the latest malware is capable of downloading new packages and
prompting users to install them, it differs from DroidDream in that it can't
actually perform the update without the user accepting and approving the update
apps also contained code that could be triggered when users received text
added code will connect to a server and send details about the infected handset
to the malware authors," F-Secure Chief Research Officer Mikko Hypponen wrote.
"So we're talking about a mobile botnet."
discovered and removed 58 apps on the Android Market in early March when
DroidDream first broke on the scene. Google also took the unprecedented step of
using its "remote kill switch," which allowed it to automatically remove the
malicious apps that had already been installed on Android devices. The company
made a number of changes to try to prevent this kind of infection from
need to use "common sense" when installing apps and check the permissions that
newly downloaded apps are requesting, Lookout said. The permissions should
match the features the app provides. For example, one of the infected apps was
supposed to simply display images in a gallery format and "was originally
harmless," according to Hypponen. The malware-infected "Magic Photo Studio"
version requested permission for full Internet access and to be able to read
phone state and identity.
recommends users install a mobile security app that scans every app being
downloaded to ensure it is safe. Lookout, F-Secure and Webroot are just a
handful of companies offering a mobile security app for Android users.