Android Malware DroidDream: How it Works

Yesterday, Google pulled more than 50 apps from the Android Market after they were found to contain the Android malware dubbed DroidDream. Similar to previous instances of Android malware that have been found on alternative Android app markets, the authors of DroidDream hid the malware in seemingly legitimate applications to trick unsuspecting users into downloading the malware—a growing trend in mobile threats. We also discovered that these apps were placed in alternative app markets in addition to the Android Market.

The Lookout Security Team did a deep analysis of the DroidDream malware present in one of the infected applications, Bowling Time. Below we’ve included details on how the first phase of the malware works when installed on a phone. We are continuing to analyze DroidDream in more detail and will update this post with additional results.

In the DroidDream samples we have analyzed, the malware cannot start automatically: it requires the user to manually run the infected application. When the host application—Bowling Time, in this case—is launched by a user, DroidDream will start by sending sensitive data to a command and control server. The sensitive data includes:

  • IMEI
  • IMSI
  • Device Model
  • SDK Version

DroidDream is configured to perform at least one successful check-in with the command and control server, at which point the command and control server will respond and acknowledge the presence of malware on the infected device. We found that the DroidDream authors have configured the malware to make sure the device is not already infected with another variant of DroidDream. If the device is already infected, the malware will not re-infect it. Continue reading…

Related Posts

Controlling a Computer With Thoughts? Researchers at the University of Pittsburgh have been awarded funding for two projects that will place brain-computer interfaces (BCI) in patients wit...
Publishers Force Domain Seizure of Public Domain Music Resource IMSLP, the largest public domain music library on the Internet, has just suffered a damaging attack on the site’s infrastructure. In a wrongful action...
Does disk encryption really protect your data from unauthorized access? Disk encryption is one of several physical security measures that could be used to protect data on your computer from unauthorized physical access. An...
Social Media and Law Enforcement: Who Gets What Data and When? This month, we were reminded how important it is that social media companies do what they can to protect the sensitive data they hold from the pryin...
The Android Monopoly and how to harness it From an underdog to ubiquitous manufacturer support, the Android platform has come a long way since its introduction in 2008. Almost every single devi...
Steer clear of Android Market and its DRM Google recently made headlines after they identified some malware being distributed through the Android Market. Not only did they stop distributing t...

We Recommend These Vendors and Free Offers

ContainerizeThis 2016 is a free, 2-day conference for all things containers and big data. Featured, will be presentations and free, hands-on workshops. Learn more at

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).

Want to become an expert ethical hacker and penetration tester? Request your free video training course of Online Penetration Testing and Ethical Hacking

Whether you're new to Linux or are a Linux guru, you can learn a lot more about the Linux kernel by requesting your free ebook of Linux Kernel In A Nutshell.

Leave a Comment

Your email address will not be published. Required fields are marked *