DroidDream, a malicious program that targets Android devices, received a major overhaul, and now contains more features for stealing data and phishing the owners of compromised Android phones and tablets, according to a Trend Micro researcher.
The latest update to the DroidDream malware, which Trend has labeled “ANDROIDOS_DORDRAE.N” is spreading over third party mobile application Web sites, mostly in China. Building on earlier versions of the DroidDream malware, it includes expanded information theft capabilities, allowing remote attackers to siphon off SMS messages, call logs, mobile contact lists and information related to Google accounts that may be stored on the compromised Android device, according to a post on Trend’s research blog.
Like earlier versions of DroidDream, it comes bundled with legitimate-seeming Android applications, including battery monitoring and task listing applications, and steals detailed information about the compromised device, including its unique device identifier. The information collected is collected, encrypted, packed and uploaded to a Web-based server that the attackers control.
In an indication that the worlds of PC- and mobile malware are converging, the new DroidDream variant has a feature to check if the phone has been previously infected, and the ability to install and uninstall packages if the device is rooted. Though those features aren’t used in the latest variant, it suggests that the Droiddream authors are anticipating having to compete for supremacy on mobile devices with other malware. That’s common for Windows and PC-based viruses, but less common in the much smaller world of mobile malware.
This isn’t the first time DroidDream has had an overhaul. In August, Trend researchers wrote about another variant, NickSpy, that added more sophisticated command and control functionality to the DroidDream malware, though security researchers are divided over whether NickSpy is truly a DroidDream variant, as Trend contends.
DroidDream was first discovered in February after infected applications were spotted in the Android Marketplace. Google responded quickly, removing the infected applications. However, DroidDream has reappeared in the Marketplace since then, bundled with different software. Security experts have cited Google’s hands-off approach to its Android Application Marketplace as part of the reason that DroidDream has proven so persistent, though there’s no evidence that the latest variant is spreading over Google’s application store.
