March 1, 2011

Security Alert: DroidDream Malware Found in Official Android Market


Update: Apps released under the developer names “Kingmall2010”, “we20090202”, and “Myournet” contain DroidDream and have been suspended from the official Android Market. To date, more than 50 applications have been found to be infected with DroidDream. See below for the full list of apps.

Update: We originally reported that Google removed the apps from devices, but we recently learned that the remote removal system has not yet been engaged for these applications because they are under active investigation.

Update: We’ve deployed an over-the-air update that protects Lookout users from all known instances of DroidDream.

The Threat

Multiple applications available in the Official Android Market were found to contain malware which could compromise a significant amount of personal data. More than 50 applications have been found to be infected with a new type of Android malware called DroidDream.

Google has already removed all of the apps known to be infected from the Android Market. As Lookout continues to find more malicious applications, we will keep you updated.

Lompolo, a user on the popular news aggregation site Reddit, discovered the first instances of this malware after noticing that the developer of one of the malicious applications had posted pirated versions of legitimate apps under the developer name “Myournet.”  In addition to that developer, the Lookout Security Team identified a large number of additional apps from other developers that also contain the DroidDream malware. We’re actively working directly with Google to get these apps removed and will post updates as soon as they are available.

Lompolo analyzed two suspicious applications and found that they contain exploit code that can break out of Android’s application security sandbox. A blogger at Android Police took a closer look at the malicious applications and verified that they do indeed contain exploit code that can root a user’s device, as well as code that can send sensitive information (IMEI and IMSI) from the phone to a remote server. Android Police also found that there is another APK hidden inside the code, which can steal additional sensitive data.

Lookout will continue to monitor this as more details unfold.  Stay tuned for further updates on this malware.

Who is affected?
Anyone who has downloaded the apps listed below may be affected. If you have downloaded these apps, contact us at support-at-lookout.com.

Full list of infected applications published by “Myournet”:

  • Falling Down
  • Super Guitar Solo
  • Super History Eraser
  • Photo Editor
  • Super Ringtone Maker
  • Super Sex Positions
  • Hot Sexy Videos
  • Chess
  • 下坠滚球_Falldown
  • Hilton Sex Sound
  • Screaming Sexy Japanese Girls
  • Falling Ball Dodge
  • Scientific Calculator
  • Dice Roller
  • 躲避弹球
  • Advanced Currency Converter
  • App Uninstaller
  • 几何战机_PewPew
  • Funny Paint
  • Spider Man
  • 蜘蛛侠

Full list of infected applications published by “Kingmall2010”:

  • Bowling Time
  • Advanced Barcode Scanner
  • Supre Bluetooth Transfer
  • Task Killer Pro
  • Music Box
  • Sexy Girls: Japanese
  • Sexy Legs
  • Advanced File Manager
  • Magic Strobe Light
  • 致命绝色美腿
  • 墨水坦克Panzer Panic
  • 裸奔先生Mr. Runner
  • 软件强力卸载
  • Advanced App to SD
  • Super Stopwatch & Timer
  • Advanced Compass Leveler
  • Best password safe
  • 掷骰子
  • 多彩绘画

Full list of infected apps under the developer name “we20090202”:

  • Finger Race
  • Piano
  • Bubble Shoot
  • Advanced Sound Manager
  • Magic Hypnotic Spiral
  • Funny Face
  • Color Blindness Test
  • Tie a Tie
  • Quick Notes
  • Basketball Shot Now
  • Quick Delete Contacts
  • Omok Five in a Row
  • Super Sexy Ringtones
  • 大家来找茬
  • 桌上曲棍球
  • 投篮高手
80 comments
  1. i will send this to all my friends i hate malware thanks for the good information!

  2. bryan says:

    Lookout, please review current apps and update.

  3. incasso says:

    Thanks for the information, I found it to be very helpful.

  4. john says:

    Yeah, I have a quick question: how do I remove malware off my phone from Photo Editor? I have the AVG virus scan and that’s what it says, Photo Editor.

  5. Meghan Kelly says:

    Hi John, sorry you’re having an issue! When Lookout sees a malicious app, we give you the option to remove that app immediately from your device. You can check out our app here: https://www.lookout.com/android

    I would otherwise recommend reaching out to AVG’s support staff!
