Security researchers today pulled more than 20 apps in the Official Android Market after they were found to have been infected with the DroidDream malware. Analysis of the DroidDream malware suggests that it can gather sensitive data like a mobile device’s IMEI (International Mobile Equipment Identity) number and user ID, break out of Android’s application security sandbox and download additional code. Sounds pretty scary, huh? Sure, but to grizzled security pros, it’s a story that’s also sadly familiar – and a sign of what’s to come in the mobile devices market.
After all, security researchers have been discussing the risk of mobile application malware for some time. I’ve heard of at least one proof-of-concept demonstration on Android (it was benign). Threatpost, among others, has written about the weakness inherent in the AppStore model. And though DroidDream’s capabilities are perhaps novel on Android, they are run-of-the-mill components for modern malware more generally, and especially for the ocean of malicious programs targeting devices running versions of Microsoft’s Windows operating system.
There are important differences between PC-based malware and the environment in which DroidDream must operate. For one thing, Google has the ability to remotely remove apps from devices running Android, and will presumably leverage that capability in this case. There have already been multiple instances of rogue mobile apps in the wild (most in Russia and China), but mobile application malware and the losses associated with it are still a small problem, overall, and mostly confined to so-called SMS Trojans that direct infected phones to send text messages to premium-rate lines outside of the U.S.
But we shouldn’t take too much comfort from the similarities between malicious mobile applications and other kinds of malicious computer programs. Security threats over the past several decades have been shown to follow a well-established path from theoretical, to practical, to weaponized releases seen in the wild, to proven damage. Sometimes this evolution happens very quickly; in other cases, it takes years to occur – if it ever does. But the stages are well established, and security veterans have learned to watch them as a way of gauging theoretical risk vs. real and present danger (that warrants spending real money to defend against).
From this perspective, DroidDream is interesting because it represents an escalation of risk: the first time that clearly malicious (versus merely suspicious) applications have wound up on the official Android Market. DroidDream’s capabilities aren’t revolutionary, but they are a clear step up for mobile malware. Notably: DroidDream has the ability to download additional code once it has infected its host, meaning that Google’s application removal feature alone will not be sufficient to protect victims whose phones are already rooted. In short: DroidDream is a professional job, stealthy, with multiple functions including the ability to gather valuable data and enhance its capabilities.
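The article attributes three behaviours to DroidDream and the SMS Trojans it mentions: reading device identifiers such as the IMEI, pulling additional code over the network, and sending text messages to premium-rate numbers. Each of those behaviours requires a declared Android permission, so a reviewer can triage an app before it is installed by looking at the permission combination in its manifest. The script below is an added illustration of that defender-side triage; it is not from the article, from Google, or from any published DroidDream analysis. The permission names are real Android permissions, but the grouping into capabilities and the "three or more capabilities" review threshold are this example's own heuristic, and the two manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

# Android manifests declare permissions under this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Real Android permission names, grouped by the behaviour the article describes.
# The grouping itself is an assumption made for this example, not a published rule.
CAPABILITY_PERMISSIONS = {
    "device identifiers (IMEI)": {"android.permission.READ_PHONE_STATE"},
    "network access (fetch additional code)": {"android.permission.INTERNET"},
    "premium-rate SMS": {"android.permission.SEND_SMS"},
    "persistence across reboot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

# Constructed sample: a single-purpose app that only needs the network.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed sample: a wallpaper app asking for identifiers, network, SMS and boot.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def triage(manifest_xml):
    """Map declared permissions to the capabilities above and flag apps for review.

    Any one of these permissions is common and benign on its own; it is the
    combination (identifiers + network + SMS) that deserves a closer look for
    an app whose stated purpose needs none of them.
    """
    perms = requested_permissions(manifest_xml)
    matched = [cap for cap, needed in CAPABILITY_PERMISSIONS.items() if needed & perms]
    return {
        "permissions": sorted(perms),
        "capabilities": matched,
        "review": len(matched) >= 3,  # threshold chosen for this example
    }


if __name__ == "__main__":
    for label, manifest in (("flashlight", BENIGN_MANIFEST), ("wallpaper", SUSPICIOUS_MANIFEST)):
        result = triage(manifest)
        print(label, "-> review" if result["review"] else "-> ok", result["capabilities"])
```

This is a coarse first filter rather than a verdict: a legitimate messaging app will trip it, and a malicious app that gains its capabilities after install (as the article notes DroidDream can, by downloading more code) will not show everything in its manifest. It is useful precisely because the manifest is available before the app runs, which the remote-removal feature the article discusses is not.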
DroidDream is evidence (if we needed it) that we’ve failed to learn the lessons of the past in our haste to build out a broader mobile ecosystem. The result is that we risk suffering the same fate, but on an even broader and more global scale.
Ted Julian is a Principal Analyst in Yankee Group’s Anywhere Network Research Group and a frequent contributor to Threatpost. Ted leads Yankee’s research in the area of network intelligence. Follow him on Twitter and read his blog.