A large number of apps in the Android Market have been found to contain a piece of malware known as DroidDream, a Trojan that not only is able to harvest sensitive data from an infected device, but also can break out of the Android sandbox and download additional malicious code to the phone from remote servers.
The infected apps were discovered and publicized on Tuesday and researchers immediately contacted officials at Google, who responded by removing the malicious apps from the Android Market. However, some researchers reported that tens of thousands of Android owners already had downloaded the malicious apps. The list of apps supposedly infected with DroidDream is long, and includes titles such as Super Guitar Solo, Falling Down, Super History Eraser and others, according to an analysis by researchers at Lookout Mobile Security. The infected apps seemed to be tied to a couple of publishers, including one named Myournet and another called KingMall2010.
Google has the ability to remotely remove apps from Android devices and it has used the functionality in the past to erase apps, including one developed by researcher Jon Oberheide as a proof of concept that was benign. It’s not clear at this point whether Google has started removing any of the infected apps from devices, but the apps have been pulled from the Android Market.
The DroidDream malware has the ability to gather sensitive data, such as the IMEI number and IMSI identifier, and also can download additional code, according to one analysis.
“I asked our resident hacker
to take a look at the code himself, and he’s verified it does indeed
root the user’s device via rageagainstthecage or exploid. But that’s
just the tip of the iceberg: it does more than just yank IMEI and IMSI,” wrote Aaron Gingrich in a post at Android Police.
“There’s another APK hidden inside the code, and it steals nearly
everything it can: product ID, model, partner (provider?), language,
country, and userID. But that’s all child’s play; the true pièce de résistance is that it has the ability to download more code. In other words, there’s no way to know what the app does after it’s installed, and the possibilities are nearly endless.”
An analysis of the DroidDream malware by Kaspersky Lab malware researcher Tim Armstrong showed that it’s quite stealthy and efficient at its tasks.
“So what is the purpose of this Trojan? The application will attempt
to gather product ID, device type, language, country, and userID among
other things, and then upload them to a remote server. Unlike most of
the other samples seen so far, there is no attempt at sending or
receiving premium rate SMS messages,” Armstrong wrote in his analysis of the Android malware.
“This discovery is important because up until now most of the Android
malware has been found outside of the Android Market, which requires a
number of special steps to be taken in order to infect the phones. In
this case, users are even able to install from the web with the new
Android Market format. We have previously talked about this here:
The Dark Side of the new Android Market.”
The Android Market is the official store for apps for Android-powered devices and comprises thousands of free and paid apps. It’s not certain at this point how many users downloaded one or more of the infected apps, but users on Reddit began discussing the problem Tuesday.
“I appreciate being able to publish an update to an app and the update
going live instantly, but this is a bit scary. Some sort of moderation,
or at least quicker reaction to malware complaints would be nice,” one user named Lompolo wrote. “After some dexing and jaxing, the apps seem to be at least posting the IMEI and IMSI codes to http://18.104.22.168:8080/GMServer/GMServlet, which seems to be located in Fremont, CA. The apps are also installing another embedded app (hidden as
assets/sqlite.db), “DownloadProvidersManager.apk”. Not sure what it does
yet on top of monitoring what apps the user installs.”