
DroidDream authors again pollute Android Market

More than 30,000 Android users have inadvertently downloaded and installed a malicious program written by the same group that created DroidDream, according to mobile-security software maker Lookout.

At least 34 pirated applications posted to Google's Android Market under six different names included a stripped down version of the DroidDream malware that infected more than a quarter million phones in March, the company says. The firm first identified the malware after being notified by a developer whose application had been pirated and turned into a Trojan horse for delivering the latest version of the malicious code.

"These apps contained malware that is substantially similar to DroidDream but have a little less functionality in that it didn't root devices," says Kevin Mahaffey, chief technology officer for Lookout. "Given the evidence that it is the same code in all of these apps, it would be nearly impossible for different people to independently create all of these things."

In March, Google pulled more than 50 Trojan applications from the Android Market after Lookout found them all to be infected with DroidDream, a malicious program that attempted to gain privileged access on the host device. If it gained root access, DroidDream would send phone-specific information -- such as the hardware, software and service identifiers -- to a command-and-control server, after which the infected phone could download additional functionality.

The more recent program, dubbed DroidDream Lite (DDLite) by Lookout, also sends identification information -- such as the software and service IDs as well as a full list of applications on the victim's device -- to a command-and-control server. Yet, while it has functions to download and update the software, the code cannot install the update without user intervention, the company says.

While the command-and-control server was still online Tuesday, the hubs typically get taken down very quickly after the attacks are outed, says Mahaffey.

Google has removed the applications from the Android Market pending an investigation into the functionality. It has not yet remotely removed the programs from affected devices, Mahaffey says.

"Some people ask, 'Why haven't they pulled them from devices?'" he says. "It's good that Google is preventing anyone from downloading the applications, but they wield their remote removal tool very carefully."

The outbreak affected fewer than half of the users infected with the original DroidDream, according to Lookout's numbers. People who have installed an application hosting DDLite on their phone can uninstall it with no side effects, Mahaffey says.
