Android Malware DroidDream: How it Works

Yesterday, Google pulled more than 50 apps from the Android Market after they were found to contain the Android malware dubbed DroidDream. Similar to previous instances of Android malware that have been found on alternative Android app markets, the authors of DroidDream hid the malware in seemingly legitimate applications to trick unsuspecting users into downloading the malware—a growing trend in mobile threats. We also discovered that these apps were placed in alternative app markets in addition to the Android Market.

The Lookout Security Team did a deep analysis of the DroidDream malware present in one of the infected applications, Bowling Time. Below we’ve included details on how the first phase of the malware works when installed on a phone. We are continuing to analyze DroidDream in more detail and will update this post with additional results.

In the DroidDream samples we have analyzed, the malware cannot start automatically: it requires the user to manually run the infected application. When the host application—Bowling Time, in this case—is launched by a user, DroidDream will start by sending sensitive data to a command and control server. The sensitive data includes:

  • IMEI
  • IMSI
  • Device Model
  • SDK Version

DroidDream is configured to perform at least one successful check-in with the command and control server, at which point the command and control server will respond and acknowledge the presence of malware on the infected device. We found that the DroidDream authors have configured the malware to make sure the device is not already infected with another variant of DroidDream. If the device is already infected, the malware will not re-infect it. Continue reading…

Related Posts

ISP Cannot Be Forced To Block Copyright Infringing Files An advisor to the European Court of Justice has said that an ISP involved in a long-running file-sharing dispute cannot be forced to block or filter c...
Android Vulnerability: Use Precaution on Public WiFi Yesterday, researchers from Germany’s University of Ulm reported that some Android applications transmit sensitive authentication data without properl...
Protect the API Keys to your Cloud Kingdom API keys to become first class citizens of security policies, just like SSL keys Much lip service is paid to protecting information in the Cloud, b...
Supreme Court to Decide Standard for Proving Invalidity of a Patent Today the U.S. Supreme Court agreed to hear Microsoft’s appeal in a case that could make it easier to invalidate a patent. If successful, Microsoft...
Copyright Is Like QWERTY: Locked-In and Retrospective The term ‘path dependence’ is generally used to describe the development of technological standards and how they ‘lock in’ a given technical solution....
FSF position on GPLv2 & current App Store terms This was written by Brett smith on the VLC development mailing list. Brett is the Licensing Compliance Engineer with the Free Software Foundation: Sal...

We Recommend These Vendors

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).


Leave a Comment

Your email address will not be published. Required fields are marked *

*