Lookout Mobile Security has deciphered the DroidDream malware that managed to infect numerous apps on the Android Market. Google has taken action to deal with DroidDream, but the risk of infection is still there given the wide diversity of the Android ecosystem.
A close look at the malware — which was found in 58 now-deleted apps on the Android Market — shows that criminal hackers are coming up with more ways to attack mobile devices. Users had better be more careful and install protections for their phones or they may risk running into the same kind of cyber attacks that are prevalent on the PC. And mobile companies had better beef up their security or face rising liability risks as the cybercriminals attack.
Lookout, which produces a mobile security app, says that the DroidDream malware is a powerful “zombie agent” which can silently install any application and execute code with root privileges (basically do anything on a phone) at will. Lookout says DroidDream is the first piece of Android malware that uses an exploit for a known vulnerability to gain access to the phone’s system code. It can take substantial control of a phone, and it generally operates while the user is likely to be sleeping: from 11 pm to 8 am. That means the malware is cleverly written so that the user won’t notice anything strange about the phone.
“We’ve concluded that its purpose is to download additional applications and install them silently as system applications on the device,” Lookout said. “The first phase of the malware served to gain root access on the device while the second phase predominantly serves to maintain a connection to the server to download and install other files.”
Once in place, the malware sends the following information to its server: the product identifier, the partner who makes the phone, the IMSI (a unique identifier associated with a user), the IMEI (a unique identifier associated with a mobile phone), the model and software version, and the user identifier (though this last item is evidently not fully implemented in the malware).
Google patched the two vulnerabilities (exploid and rageagainstthecage) used by DroidDream in Android version 2.3 (code-named Gingerbread). But not everyone has the updated software on their phones. DroidDream uses those vulnerabilities to break out of the security container within the Android operating system, which allows it to install a second application on the device. Once that app is installed, the malware can send the sensitive information mentioned above to a remote server. It can also download other apps onto the infected device.
Google said on Saturday that it will attempt to “remote kill” the infected apps on users’ phones from afar. It has also deleted all infected apps from the Android Market. But for carriers that run their own alternative Android marketplaces, Google can only communicate the need to do the same. Lookout says its own free security software will be able to detect and delete DroidDream on a user’s phone. Lookout also says that users should not perform a “factory reset” in hopes of wiping DroidDream off the phone.