Android DreamDroid two: rise of laced apps

By Liam Tung on Jun 1, 2011 6:29 AM
Filed under Security

DreamDroid Light hits up to 130,000.

A smartphone security firm claims to have found 26 legitimate Android apps that had been laced with malware.

The once-legitimate applications were modified to include what researchers from security firm Lookout called a “stripped down version” of DreamDroid, which it dubbed DreamDroid Light.

The malware is activated by an incoming call, according to Lookout’s spokesperson, Tim Wyatt, which meant that users would not have to launch the application to trigger its behaviour.

Lookout has estimated the applications have been installed on 30,000 to 120,000 devices.

Like its predecessor, the tainted application sends identifiers (IMEI/IMSI) to the malware's distributors, however DreamDroid Light would require user-interaction to steer its way through an update.

Google has removed the program while it investigates the claim, according to Forbes security blogger, Andy Greenberg.

Lookout discovered the malware after a developer had alerted it to a modified version of one of his apps, which was being distributed on Google's Android Market.

“Our security team confirmed that there was malicious code grafted into these apps and identified markers associating this code with previously analysed DreamDroid samples,” wrote Wyatt.

A list of the affected apps, which ranged from “hot girls” to systems monitoring tools, can be found on Lookout’s website.

One of the apps, Hot Girls 1, had the capacity to create a “mobile botnet”, according to F-Secure chief researcher, Mikko Hypponen.

In that instance, receiving a text message will activate malicious components of the app.

“The added code will connect to a server and send details about the infected handset to the malware authors. So we're talking about a mobile botnet,” he said.

Android DreamDroid two: rise of laced apps

3 comments in this discussion

"It doesn't have to trigger a 3rd party app. The 3rd party app can just be running in the background (android has true multi-tasking capabilities compared to the iphone) and if the app has been ..."

By Desk

Tags

android, lookout, mobile, security, smartphone, google, fsecure, botnet

Google unveils three Nexus devices

Android malware spikes in 2012

Aussie smartphone users can log signal woes

Google controls too much of China's smartphone sector

Breaking Stories

Alacer Gold turns ERP refit project to Australia

NSW Govt bids for self-service analytics

NSW Police take aim at 3D-printable guns

Google faces new federal antitrust probe

US ISP to rip out Huawei equipment

Readers of this article also read...

Comments: 3

BaysNet Jun 1, 2011 8:30 AM	As the castle and moat IT security model is broken by BYO devices and mobile computing mobile device management now needs to be a priority for IT security spend as this is now the weakest link for many organisations who can't manage, monitor or control their mobile users internet connectivity to corporate data. If the CEO's android phone is compromised so is the company.
greg.cordes Jun 1, 2011 12:27 PM	Does anyone know whether this malware exploits an operating system vulnerability, or does Android by design allow 3rd party code execution when the device receives an incoming call or text? If by design, perhaps fair enough as I can certainly imagine a number of useful applications, but the security trade-off is concerning. I'd also be interested to know whether other popular smartphone operating systems permit an incoming call/text to trigger a 3rd party app.
Desk Jun 1, 2011 5:12 PM	It doesn't have to trigger a 3rd party app. The 3rd party app can just be running in the background (android has true multi-tasking capabilities compared to the iphone) and if the app has been given permissions to check incoming calls and messages it will have access when and who an incoming call is coming from.