Researchers have identified a second large batch of apps in the Android Market that have been infected with the DroidDream malware, estimating that upwards of 30,000 users have downloaded at least one of the more than 30 infected apps. Google has removed the apps from the market.
Researchers have found at least 34 applications in the Android Market in the last few days that had a version of the DroidDream malware dropped into them. After a user installs one of the infected applications, the malicious component, which researchers have dubbed DroidDream Light, activates when the phone receives an incoming call. The malware then gathers identifying information from the phone, including its IMEI number, IMSI number, installed packages and other data, and sends it to a pre-configured remote server.
There are apparently six developers whose apps have been infected with DroidDream Light in the last few days.
“Malicious components of DroidDream Light are invoked on receipt of an android.intent.action.PHONE_STATE intent (e.g. an incoming voice call). DroidDream Light is not, therefore, dependent on manual launch of the installed application to trigger its behavior. The broadcast receiver immediately launches the <package>.lightdd.CoreService which contacts remote servers and supplies the IMEI, IMSI, Model, SDK Version and information about installed packages. It appears that the DDLight is also capable of downloading and prompting installation of new packages, though unlike its predecessors it is not capable of doing so without user intervention,” researchers at Lookout Mobile Security wrote in an analysis of the new version of the malware.
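The trigger described in the analysis is visible statically in an app's manifest: a receiver registered for android.intent.action.PHONE_STATE and a service named <package>.lightdd.CoreService. The following is an added example, not code from Lookout or the original article, that checks a manifest for both. It assumes the manifest has already been decoded from the APK's binary XML to text; the sample manifests, the package name and the receiver name are constructed.

```python
import xml.etree.ElementTree as ET  # for untrusted files, defusedxml is the safer parser

ANDROID = "{http://schemas.android.com/apk/res/android}"
PHONE_STATE = "android.intent.action.PHONE_STATE"
SERVICE_SUFFIX = ".lightdd.CoreService"  # service name quoted in the analysis

# Constructed sample manifests (package and receiver names are made up).
FLAGGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight"><application>
    <receiver android:name=".CallReceiver"><intent-filter>
      <action android:name="android.intent.action.PHONE_STATE"/>
    </intent-filter></receiver>
    <service android:name=".lightdd.CoreService"/>
  </application></manifest>"""
# Same manifest without the service: a PHONE_STATE receiver on its own.
RECEIVER_ONLY = FLAGGED.replace('<service android:name=".lightdd.CoreService"/>', "")

def full_name(package, name):
    """Resolve a manifest component name to a fully qualified class name."""
    if name.startswith("."):
        return package + name
    return name if "." in name else package + "." + name

def scan_manifest(xml_text):
    """Report PHONE_STATE receivers and lightdd.CoreService declarations."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    receivers, services = [], []
    for rx in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in rx.iter("action")}
        if PHONE_STATE in actions:
            receivers.append(full_name(package, rx.get(ANDROID + "name", "")))
    for svc in root.iter("service"):
        name = full_name(package, svc.get(ANDROID + "name", ""))
        if name.endswith(SERVICE_SUFFIX):
            services.append(name)
    # Legitimate call-related apps also listen for PHONE_STATE, so a receiver
    # alone only merits review; the service name is the specific indicator.
    verdict = "match" if services else "review" if receivers else "clean"
    return {
        "package": package,
        "phone_state_receivers": receivers,
        "lightdd_services": services,
        "verdict": verdict,
    }

if __name__ == "__main__":
    for label, xml_text in (("flagged", FLAGGED), ("receiver only", RECEIVER_ONLY)):
        print(label, scan_manifest(xml_text))
```

A renamed service would evade the name match, so the "review" verdict still deserves a look at what the receiver starts.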
The list of infected apps includes:
Floating Image Free
Super StopWatch and Timer
System Info Manager
Call End Vibrate
Quick Photo Grid
Super Photo Enhance
Super Color Flashlight
Super App Manager
Quick SMS Backup
Bubble Buster Free
Quick History Eraser
Super Compass and Leveler
Go FallDown !
This is the second major incident involving DroidDream-infected apps in the Android Market. In March, Google pulled another large batch of infected apps from the market and later remotely removed them from the devices of users who had downloaded them. It’s not clear whether Google will use that capability again, but the company has not been shy about doing so in the past when malicious apps have been identified in the Android Market.