Researchers have identified a second large batch of apps in the Android Market that have been infected with the DroidDream malware, estimating that upwards of 30,000 users have downloaded at least one of the more than 30 infected apps. Google has removed the apps from the market.

There are at least 34 applications that researchers have found in the Android Market in the last few days that had a version of the DroidDream malware dropped into them. Once a user installs one of the infected applications, the malicious component, which researchers have dubbed DroidDream Light, will kick in once the user receives an incoming call. The malware then gathers some identifying information from the phone, including its IMEI number, IMSI number, packages installed and other data, and then sends it off to a pre-configured remote server.

There are apparently six developers whose apps have been infected with DroidDream Light in the last few days.

“Malicious components of DroidDream Light are invoked on receipt of a android.intent.action.PHONE_STATE intent (e.g. an incoming voice call). DroidDream Light is not, therefore, dependent on manual launch of the installed application to trigger its behavior. The broadcast receiver immediately launches the <package>.lightdd.CoreService which contacts remote servers and supplies the IMEI, IMSI, Model, SDK Version and information about installed packages. It appears that the DDLight is also capable of downloading and prompting installation of new packages, though unlike its predecessors it is not capable of doing so without user intervention,” researchers at Lookout Mobile Security wrote in an analysis of the new version of the malware.

The list of infected apps includes:

    Floating Image Free
    System Monitor
    Super StopWatch and Timer
    System Info Manager
    Call End Vibrate
    Quick Photo Grid
    Delete Contacts
    Quick Uninstaller
    Contact Master
    Brightness Settings
    Volume Manager
    Super Photo Enhance
    Super Color Flashlight
    Paint Master
    Quick Cleaner
    Super App Manager
    Quick SMS Backup
    Tetris
    Bubble Buster Free
    Quick History Eraser
    Super Compass and Leveler
    Go FallDown !
    Solitaire Free
    Scientific Calculator
    TenDrip

This is the second major incident involving DroidDream-infected apps in the Android Market. In March, Google pulled another large batch of infected apps from the market and later remotely removed them from the devices of users who had downloaded them. It’s not clear whether Google will use that capability again, but the company has not been shy about doing so in the past when malicious apps have been identified in the Android Market.
