March 31, 2011
Over breakfast at CTIA last week, I was asked to join the folks over at Android Guys and Android Gals on their weekly Thursday evening radio show which covers all things Android. Tonight, I’ll be Video Skyping in for a chat with the team. We’ll be discussing events that took place at CTIA, chatting about what’s the latest at Lookout and even explaining some of the mobile security threats we’ve seen lately. I’ll be joined by all their esteemed hosts: Ray Walters, Aaron Kasten, Benji Hertel, Stacie Nuss, and guest Drew Dauffenbach.
To listen to the show tune into http://www.streamly.tv/live/ at 7 p.m. PT. I’ll be on the show promptly when it starts at 7.
I’m really looking forward to it, and I hope to see you there!
March 24, 2011
Several members of the Lookout team made the trek to Orlando this week to join thousands of members of the wireless industry at CTIA. While there, Jon Fortt from CNBC pulled our CEO, John, aside for a long conversation about smartphone security. Take a moment to enjoy!
Lookout: Mobile Security Startup
March 22, 2011
This morning Amazon officially released the Amazon Appstore for Android. From the Amazon.com website, you’ll see a new menu option for Android apps. We’re pleased to have the Lookout app highlighted right on the homepage under Productivity. With this new app store for Android users, here are some of the highlights:
- Amazon’s Free App-of-the-Day. Like a Groupon for mobile apps, Amazon will feature one premium application every day that it will give away for free on their Appstore. This will give users a reason to come back and check the store frequently.
- Recommendation engine. When you shop on Amazon, you already see all the additional products that Amazon “recommends” for you. You will now be able to see apps in that list as well. So if you are buying a camera, you might also be recommended a photo sharing app.
- Test-Drive applications. For some apps, you will be able to preview an app using an emulator (a system that simulates a phone but appears on your computer screen) to “test drive” it before you download the app.
In order to download apps from Amazon, you will need to go under Application Settings on your phone and check the box that says, “Unknown Sources: Allow installation of non-Market applications.” There are some carriers and devices that will not have this option, but most are moving toward allowing this.
For Android users, the new Amazon Appstore brings a new level of choice when it comes to downloading apps. And more choice is what people love about Android. We’re excited to see what else is in store with the Amazon Appstore.
March 20, 2011
Earlier this week we discovered a Chinese language app available for download on alternative Chinese app markets that has the ability to root an Android device, leaving the device vulnerable to future threats. The app, which provides calling plan management capabilities, contains a binary called zHash that attempts to root a device using the exploid exploit to break out of the Android security container – one of the same exploits used by the author(s) of DroidDream. It then leaves a backdoor root shell with the file name “zHash”, in the /system/bin directory.
There was also a version of this app available in the Android Market (same application package). However, while that version did contain the same zHash exploit binary, it did not contain the code required to to invoke the exploit. However, the existence of the zHash binary leaves those phones vulnerable to future exploits. Google has removed the application from the Android Market, and has exercised the remote application removal feature to delete it from users’ phones. This only affects versions of the app downloaded through the Android market, and will not remove versions downloaded from alternative Chinese markets.
The app’s use of the backdoor shell is extremely limited and not clearly malicious, however, zHash creates a hole in the security layer of the phone, leaving it vulnerable to other applications wanting to take advantage of the device. If the device was successfully rooted by this app, any other app on the device could gain root access without the user’s knowledge.
Who is Affected
Currently this threat mainly affects Chinese Android phone owners who either downloaded the app through the Chinese app markets or the official Android Market. We believe that the number of downloads attributed to this app in the Android Market is under 5,000. All instances of the threat have been removed from the Android Market.
How to Stay Safe
Lookout Free and Premium users are automatically protected from this threat and do not need to take further action.
As the number of malware exploits on smartphones increase, it is more important than ever to pay attention to the apps you’re downloading. Here are a few tips to stay safe:
- Only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings.
- Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
- Be alert for unusual behavior on your phone. This behavior could be a sign that your phone is infected. These behaviors may include unusual SMS or network activity.
- Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this threat.
March 11, 2011
We’ve just released a new version of Lookout for Android, and we’ve got a few new features that we think are pretty cool.
- Widget. We now have a Widget! For Android, Widget’s are shortcuts that you can put on your home screen. You’ll need to have the latest version of Lookout (version 5.6) to use the new widget. In order to add the widget, follow these easy steps:
1. Go to your home screen and hold your finger down on any open space for a couple seconds; you will see a menu pop up.
2. Select “Widgets,” then select Lookout.
3. You should now see the Lookout Widget on your home screen!
- Lookout Premium’s Privacy Advisor now advises when apps can access your Contacts. With Privacy Advisor, you can get better insight into which apps can access your private information, and it helps you keep track of all the great (and not so great) apps on your phone. In addition to seeing which apps access your location, identity information and messages, the latest version can also tell you which apps can access your contacts. With this information, you can make better decisions on whether to install or keep apps on your phone.
- Factory Reset capability with Wipe. We now have the ability to provide better protection if you lose your phone. With this setting enabled, Premium users will be able to do a more thorough wipe and complete a full factory reset to remove all the data from your phone. If you’ve lost your phone and haven’t been able to recover it, this will help ensure that your private data is completely removed from your lost phone. Wipe is available for all Lookout Premium customers. If you want to enable this, open the Lookout app and click on the button within the Missing Device module that says, “Enable Better Protection,” then click the “Activate” button.
To get the latest version of Lookout, visit the Android Market on your phone and search for Lookout, then click Update. Or you can visit the Android Market website and click Install.
March 11, 2011
Earlier this week, a rogue application was discovered in alternative Android app markets claiming to be Google’s Android Market Security Tool – the application that was developed by Google to clean up any user’s phones that were infected by DroidDream. The DroidDream cleaner application was published by Google over the weekend as an additional security measure for those that were infected or suspected to be infected with the DroidDream malware discovered last week. The fake version of the Android Market Security Tool app appears to have been modified with malicious code and was only published in alternative app markets, potentially targeting Chinese users. At this point, it appears to have the capability to send SMS message, the IMEI, install time, phone number and system version.
The rogue security tool packs the same payload identified by Aegis Lab in other repackaged applications on alternative markets. We have already deployed an over-the-air update that protects Lookout users from the fake Android Market Security Tool and other affected apps as well as the DroidDream malware. If you are currently a Lookout user, you are already protected and do not need to take any additional action.
If you are concerned and think that you downloaded an application infected with DroidDream, download Lookout Labs’ DroidDream Cleaner app as an added assurance. It is currently available on the Android Market and will remove all instances of DroidDream, including remnants of the malware and patch any remaining damage.
The growing trend to conceal malware in seemingly legitimate applications is just another reminder to always use discretion when downloading applications. Pay close attention to the developer name and publisher of the application – only download applications from developers you trust or know. Always read the reviews and check the ratings. As an additional precaution, check out third-party review sites like PC World, Appolicious or Cnet as well.
Who is affected?
This fake Android Market Security Tool does not appear to affect the majority of Android users. Only people who downloaded an application called Android Market Security Tool from a Chinese third-party market may be affected.
March 8, 2011
If your phone was infected with DroidDream, we developed a cleaner app that you can download from the Android Market that will remove all instances of DroidDream from your device and patch any remaining damage. You only need to download this app if your phone is infected or if you think your phone may still be infected with DroidDream.
How to get it
1) Go to the Android Market website or open the Android Market app on your phone and search “DroidDream Cleaner”. We published the DroidDream cleaner app under Lookout Labs.
2) Download DroidDream Cleaner to your infected device. If your phone was infected with DroidDream, it will automatically remove any remnants of the malware from your phone. If you did not have DroidDream on your phone, don’t worry, downloading this app will not affect your device.
As we’ve previously mentioned, we recommend that you do not perform a factory reset— this may not rid your phone of all the DroidDream malware. If you have any questions, please do not hesitate to reach out to our support team. They understand the DroidDream malware and are happy to answer any questions you might have. Email support@lookout[dot]com.
This app is not a replacement for Lookout Mobile Security, and will not detect or repair any other malware strains. Downloading the full version of Lookout is the best way to keep your phone safe from malware and spyware, back up your data, and locate, scream, lock, or wipe a lost or stolen phone.
March 6, 2011
As previously mentioned, Android Malware DroidDream works in two phases. In the first phase DroidDream infects a device by breaking out of Android’s security container using two known exploits, exploid and rageagainstthecage, and then it installs a second application on the device. Once the second application is installed, it can send additional sensitive information to a remote server and silently download other applications onto the infected device. DroidDream is the first piece of Android malware we’ve seen that uses an exploit to gain root permissions, thereby giving it a substantial amount of control over an infected device.
The authors of DroidDream aptly set the package name to include the string “com.droiddream”, as the malware is configured to only run during the hours of 11 p.m. to 8 a.m. – a time when the owner of an infected device would most likely be sleeping and not notice any strange behaviors on the phone.
DroidDream Phase II. How it works
Once DroidDream is successful in rooting a device, the malware is instructed to wait and silently install a second application, DownloadProviderManager.apk, as a system application. Installing the second stage as a system application prevents a user from seeing or uninstalling the application without special permission.
Unlike the first stage “dropper”, where the user must start the host application to initiate the infection, the second phase was designed to be automatically triggered by certain end-user activities and check-in with its command and control server at specific times — it is also instructed to check-in with the command and control server at specific times. Once the malware is activated by the command and control server, it sends additional device information, including:
- ProductID – Specific to the DroidDream variant
- Partner – Specific to the DroidDream variant
- Model & SDK value
- UserID (Though this does not appear to be fully implemented)
DroidDream then attempts to take an inventory of all the applications it has previously installed. Once DroidDream has communicated its current status to the command and control server, the malware accepts the following commands:
- NextConnectTime – connect to the C&C server at a specified time
- DownloadUrl – download an app from a designated URL
- PackageName – download a specific application package
Applications supplied by the command and control server can be silently downloaded to an infected device. In the malware, there also appears to be a commands dealing with ratings, comments, assetIDs and install states, all of which relate to the Android Market. Though these appear incomplete, it’s possible the author(s) intended to listen to Android Market downloads and possibly to trigger downloads and comments on downloaded applications.
After analyzing the second phase of DroidDream, we’ve concluded that its purpose is to download additional applications and install them silently as system applications on the device. The first phase of the malware served to gain root access on the device while the second phase predominantly serves to maintain a connection to the C&C server to download and install other files. Because we have not seen the C&C server issue commands to download additional applications we cannot divine their exact purpose, however the possibilities are limitless. DroidDream could be considered a powerful zombie agent that can install any applications silently and execute code with root privileges at will.
For those that are interested, you can access the full DroidDream technical analysis here or download a PDF here.
What to do if your phone is infected
1) Download Lookout and run a security scan to see if your phone has been infected. You will see a Lookout alert if your device is infected with DroidDream.
2) We recommend that you do not perform a factory reset— this may not rid your phone of all the DroidDream malware. Starting last night, Google started to remotely remove the malicious applications from affected devices — other have referred to this as the “kill switch”. For an additional layer of assurance, please contact our support team at firstname.lastname@example.org and we will help you uninstall the remaining components of DroidDream.
As previously mentioned, unlike other instances of malware in the wild that were only available in geographically targeted alternative app markets, DroidDream was available not only in alternative markets but also in the official Android Market, indicating a growing need for mainstream Android users to use extra caution when downloading apps. Stay tuned as we continue to provide more detail on DroidDream as it is available.
March 2, 2011
Looking for more information on mobile threats like DroidDream? Check out Lookout’s Top Threats resource.
UPDATE: Includes a link to technical analysis for the first phase of DroidDream.
UPDATE: Previously we suggested that DroidDream might be primarily targeting devices in other markets. Upon further analysis we found that this may not be the case. We are actively investigating this and will post additional details.
Yesterday, Google pulled more than 50 apps from the Android Market after they were found to contain the Android malware DroidDream. Similar to previous instances of Android malware that have been found on alternative Android app markets, the authors of DroidDream hid the malware in seemingly legitimate applications to trick unsuspecting users into downloading the malware—a growing trend in mobile threats. We also discovered that these apps were placed in alternative app markets in addition to the Android Market.
The Lookout Security Team did a deep analysis of the DroidDream malware present in one of the infected applications, Bowling Time. Below we’ve included details on how the first phase of the malware works when installed on a phone. We are continuing to analyze DroidDream in more detail and will update this post with additional results.
How DroidDream Malware Works
In the DroidDream samples we have analyzed, the malware cannot start automatically: it requires the user to manually run the infected application. When the host application—Bowling Time, in this case—is launched by a user, DroidDream will start by sending sensitive data to a command and control server. The sensitive data includes:
- Device Model
- SDK Version
DroidDream is configured to perform at least one successful check-in with the command and control server, at which point the command and control server will respond and acknowledge the presence of malware on the infected device. We found that the DroidDream authors have configured the malware to make sure the device is not already infected with another variant of DroidDream. If the device is already infected, the malware will not re-infect it.
When DroidDream attempts to infect a device, it uses two known exploits, exploid and rageagainstthecage, to break out of the Android security container. Both of the vulnerabilities being exploited were patched by Android 2.3 (Gingerbread). If exploid fails to root the device, the malware will attempt to use rageagainstthecage. Once the phone is rooted, DroidDream is configured to searched for a specific package named com.android.providers.downloadsmanager. If the malware does not find this package on the device, it will silently install a second malicious application without the user’s knowledge. If DroidDream does find the downloadsmanager package, it will not continue infecting the device with the second malicious application.
At Lookout, we are currently in the process of confirming what this second application is capable of, but our initial analysis shows that it appears to be able to send additional sensitive information to a remote server. The second malicious application also appears to have the capability to silently install other applications.
Lookout has identified instances of DroidDream apps residing in third-party markets. It is possible that the apps were deployed to the official Android Market after the fact, though unclear whether the authors expected to succeed in fully infecting significant numbers of devices. We’ll be continuing to investigate this, and now a technical analysis of the DroidDream is available now. You can also download the technical analysis here. Please see update above.
Unlike previous instances of malware in the wild that were only available in targeted alternative app markets, DroidDream was available in the official Android Market in addition to alternative markets, indicating a growing need for Android users to take extra caution when downloading apps. To stay safe, users should always pay careful attention when downloading apps and ensure they only download apps from developers they trust, look at the ratings and read the reviews.
March 1, 2011
Looking for more information on mobile threats like DroidDream? Check out Lookout’s Top Threats resource.
Update: Apps released under the developer names “Kingmall2010″, “we20090202″, and “Myournet” contain DroidDream and have been suspended from the official Android Market. To date, more than 50 applications have been found to be infected with DroidDream. See below for the full list of apps.
Update: We originally reported that Google removed the apps from devices, but we recently learned that the remote removal system has not yet been engaged for these applications because they are under active investigation.
Update: We’ve deployed an over-the-air update that protects Lookout users from all known instances of DroidDream.
Multiple applications available in the Official Android Market were found to contain malware which could compromise a significant amount of personal data. More than 50 applications have been found to be infected with a new type of Android malware called DroidDream.
Google has already removed all of the apps known to be infected from the Android Market. As Lookout continues to find more malicious applications we will keep you updated.
Lompolo, a user on the popular news aggregation site Reddit, discovered the first instances of this malware after noticing that the developer of one of the malicious applications had posted pirated versions of legitimate apps under the developer name “Myournet.” In addition to that developer, the Lookout Security Team identified a large number of additional apps from other developers that also contain the DroidDream malware. We’re actively working directly with Google to get these apps removed and will post updates as soon as they are available.
Lompolo analyzed two suspicious applications and found that they contain exploit code that can break out of Android’s application security sandbox. A blogger at Android Police took a closer look at the malicious applications and verified that they do indeed contain exploit code that can root a user’s device as well code that can send sensitive information (IMEI and IMSI) from the phone to a remote server. Android Police also found that there is another APK hidden inside the code, which can steal additional sensitive data.
Lookout will continue to monitor this as more details unfold. Stay tuned for further updates on this malware.
Who is affected?
Anyone who has downloaded the apps listed above may be affected. If you have downloaded these apps, contact us at support-at-lookout.com.
Full list of infected applications published by “Myournet”:
- Falling Down
- Super Guitar Solo
- Super History Eraser
- Photo Editor
- Super Ringtone Maker
- Super Sex Positions
- Hot Sexy Videos
- Hilton Sex Sound
- Screaming Sexy Japanese Girls
- Falling Ball Dodge
- Scientific Calculator
- Dice Roller
- Advanced Currency Converter
- App Uninstaller
- Funny Paint
- Spider Man
Full list of infected applications published by “Kingmall2010”:
- Bowling Time
- Advanced Barcode Scanner
- Supre Bluetooth Transfer
- Task Killer Pro
- Music Box
- Sexy Girls: Japanese
- Sexy Legs
- Advanced File Manager
- Magic Strobe Light
- 墨水坦克Panzer Panic
- 裸奔先生Mr. Runner
- Advanced App to SD
- Super Stopwatch & Timer
- Advanced Compass Leveler
- Best password safe
Full list of infected apps under the developer name “we20090202”:
- Finger Race
- Bubble Shoot
- Advanced Sound Manager
- Magic Hypnotic Spiral
- Funny Face
- Color Blindness Test
- Tie a Tie
- Quick Notes
- Basketball Shot Now
- Quick Delete Contacts
- Omok Five in a Row
- Super Sexy Ringtones