
DroidDream authors again pollute Android Market

More than 30,000 Android users have inadvertently downloaded and installed a malicious program written by the same group that created DroidDream, according to mobile-security software maker Lookout.

At least 34 pirated applications posted to Google's Android Market under six different names included a stripped-down version of the DroidDream malware that infected more than a quarter million phones in March, the company says. The firm first identified the malware after being notified by a developer whose application had been pirated and turned into a Trojan horse for delivering the latest version of the malicious code.

"These apps contained malware that is substantially similar to DroidDream but have a little less functionality in that it didn't root devices," says Kevin Mahaffey, chief technology officer for Lookout. "Given the evidence that it is the same code in all of these apps, it would be nearly impossible for different people to independently create all of these things."

In March, Google pulled more than 50 Trojan applications from the Android Market after Lookout found them all to be infected with DroidDream, a malicious program that attempted to gain privileged access on the host device. If it gained root access, DroidDream would send phone-specific information -- such as the hardware, software and service identifiers -- to a command-and-control server, after which the infected phone could download additional functionality.

The more recent program, dubbed DroidDream Lite (DDLite) by Lookout, also sends identification information -- such as the software and service IDs as well as a full list of applications on the victim's device -- to a command-and-control server. Yet, while it has functions to download and update the software, the code cannot install the update without user intervention, the company says.

While the command-and-control server was still online Tuesday, the hubs typically get taken down very quickly after the attacks are outed, says Mahaffey.

Google has removed the applications from the Android Market pending an investigation into the functionality. It has not yet remotely removed the programs from affected devices, Mahaffey says.

"Some people ask, 'Why haven't they pulled them from devices?'" he says. "It's good that Google is preventing anyone from downloading the applications, but they wield their remote removal tool very carefully."

The outbreak affected less than half of the users infected with the original DroidDream, according to Lookout's numbers. People who have installed an application hosting DDLite on their phone can uninstall it with no side effects, Mahaffey says.
