March 2, 2011

Update: Android Malware DroidDream: How it Works

Looking for more information on mobile threats like DroidDream? Check out Lookout’s Top Threats resource.

UPDATE: Includes a link to technical analysis for the first phase of DroidDream.

UPDATE: Previously we suggested that DroidDream might be primarily targeting devices in other markets. Upon further analysis we found that this may not be the case.  We are actively investigating this and will post additional details.

Yesterday, Google pulled more than 50 apps from the Android Market after they were found to contain the Android malware DroidDream.  Similar to previous instances of Android malware that have been found on alternative Android app markets, the authors of DroidDream hid the malware in seemingly legitimate applications to trick unsuspecting users into downloading the malware—a growing trend in mobile threats. We also discovered that these apps were placed in alternative app markets in addition to the Android Market.

The Lookout Security Team did a deep analysis of the DroidDream malware present in one of the infected applications, Bowling Time. Below we’ve included details on how the first phase of the malware works when installed on a phone. We are continuing to analyze DroidDream in more detail and will update this post with additional results.

How DroidDream Malware Works

In the DroidDream samples we have analyzed, the malware cannot start automatically: it requires the user to manually run the infected application. When the host application—Bowling Time, in this case—is launched by a user, DroidDream will start by sending sensitive data to a command and control server.  The sensitive data includes:

  • IMEI
  • IMSI
  • Device Model
  • SDK Version

DroidDream is configured to perform at least one successful check-in with the command and control server, at which point the command and control server will respond and acknowledge the presence of malware on the infected device. We found that the DroidDream authors have configured the malware to make sure the device is not already infected with another variant of DroidDream. If the device is already infected, the malware will not re-infect it.

When DroidDream attempts to infect a device, it uses two known exploits, exploid and rageagainstthecage, to break out of the Android security container. Both of the vulnerabilities being exploited were patched in Android 2.3 (Gingerbread). If exploid fails to root the device, the malware will attempt to use rageagainstthecage. Once the phone is rooted, DroidDream is configured to search for a specific package, referred to below as the downloadsmanager package. If the malware does not find this package on the device, it will silently install a second malicious application without the user’s knowledge. If DroidDream does find the downloadsmanager package, it will not continue infecting the device with the second malicious application.

At Lookout, we are currently in the process of confirming what this second application is capable of, but our initial analysis shows that it appears to be able to send additional sensitive information to a remote server.  The second malicious application also appears to have the capability to silently install other applications.
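The infection chain above gives a responder three things that can be checked offline from standard device inventory output. The following triage script is an added example, not Lookout's code or part of the original post; it consumes constructed samples of what `adb shell getprop ro.build.version.sdk` and `adb shell pm list packages -f` would return, uses a placeholder for the package name the post elides, and takes the /system/app location of the second stage from Lookout's cleaner notes further down this page.

```python
"""Offline triage for the DroidDream infection chain described in the post.

Added example (not Lookout's code). Inputs are constructed samples of the
output an analyst would pull with `adb shell getprop ro.build.version.sdk`
and `adb shell pm list packages -f`.
"""
import re

# Android 2.3 (Gingerbread) is API level 9; exploid and rageagainstthecage
# were patched there, so older builds are exposed to DroidDream's rooting step.
GINGERBREAD_API = 9

# Package DroidDream looks for before dropping its second payload. The post
# elides the full name, so this is a placeholder the analyst must fill in.
MARKER_PACKAGE = "PLACEHOLDER.downloadsmanager"

# Constructed sample of `pm list packages -f` output (path=package per line).
SAMPLE_PM = """\
package:/system/app/Phone.apk=com.android.phone
package:/data/app/com.example.bowling-1.apk=com.example.bowling
package:/system/app/DownloadProvidersManager.apk=PLACEHOLDER.downloadsmanager
"""


def parse_pm_list(text):
    """Return {package_name: apk_path} from `pm list packages -f` output."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"package:(.+?)=(\S+)$", line.strip())
        if m:
            pkgs[m.group(2)] = m.group(1)
    return pkgs


def triage(sdk_level, pm_text, known_system_pkgs):
    """Flag the three observable conditions from the DroidDream write-up."""
    pkgs = parse_pm_list(pm_text)
    return {
        # Pre-Gingerbread build: both root exploits used by DroidDream still work.
        "rootable_build": sdk_level < GINGERBREAD_API,
        # Marker package present: the device already carries the second stage.
        "marker_present": MARKER_PACKAGE in pkgs,
        # The second stage is dropped into /system/app (per Lookout's cleaner
        # notes), so any /system/app package outside the OEM baseline is suspect.
        "unexpected_system_apps": sorted(
            p for p, path in pkgs.items()
            if path.startswith("/system/app/") and p not in known_system_pkgs
        ),
    }


if __name__ == "__main__":
    print(triage(8, SAMPLE_PM, {"com.android.phone"}))
```

The baseline set passed to `triage` should come from a clean device of the same model and firmware; the single entry here is constructed for the sample.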

Lookout has identified instances of DroidDream apps residing in third-party markets. It is possible that the apps were deployed to the official Android Market after the fact, though it is unclear whether the authors expected to succeed in fully infecting significant numbers of devices. We’ll be continuing to investigate this, and a technical analysis of DroidDream is now available. You can also download the technical analysis here. Please see the update above.

Unlike previous instances of malware in the wild that were only available in targeted alternative app markets, DroidDream was available in the official Android Market in addition to alternative markets, indicating a growing need for Android users to take extra caution when downloading apps. To stay safe, users should always pay careful attention when downloading apps and ensure they only download apps from developers they trust, look at the ratings and read the reviews.

A technical analysis of the first phase of DroidDream is available now.

  1. kdawg says:

    So, does Lookout protect against DroidDream? I’m guessing since you failed to mention whether or not Lookout users were protected from infection, that they were not.

    • jenny says:

      @kdawg. Lookout protects against DroidDream as of the evening of March 1. See our earlier post titled Security Alert.

  2. Michael Campbell says:

    Does Lookout pre-emptively guard against this malware? Or just locate it on its normal scan schedule?

    • Amy says:

      @Michael, thanks for your message. Yes, Lookout protects users from DroidDream. If you run a security scan, you can see if you were infected.

  3. jerry says:

    Can anybody give some advice on how to connect the ps3 to the internet wirelessly

  4. mike says:

    I tried to send an email to: but it wasn’t working correctly. I also tried to use that as a URL but that did not work. Is there an alternate email? Or should I use the contact us form?

    • Amy says:

      @ Mike, thanks for reaching out. I’m sorry you’re having some trouble contacting us. I will have Brian, from our support team, reach out directly to you through email.

  5. Blake says:

    Just downloaded due to the recent droiddream fiasco and love the app! Quick question though: does lookout scan code for malware as it executes like PC AV software, or only at the time of a manual or automatically scheduled full scan? Also, assuming it does run all the time checking for malware in the background, is this feature turned off if I set the “ongoing notifications” checkbox to off?

    • Amy says:

      @Blake, thanks for reaching out. Lookout runs a scan of every app you download. If you turn off automatic security scans, you can run manual security scans to detect for malware.

  6. John says:

    Will the Lookout protection as of March 1 find and notify the user if the device is already infected?

  7. Lewis says:

    Jenny, which means you failed to protect users from the infection. Google removed the malware from the Market well before your OTA patch went out. Those users who were infected prior to the removal of the app from the Market were not protected by Lookout. You guys need to start being honest with your customers and cut it with the marketing spin. Just my 2 cents.

  8. Alex says:

    Way to go Lookout! Keep up the great work. Thanks for the informative article. Is there any way Lookout can scan the apps before they get on the phone? I’m always scared when I download anything now.

  9. Joe says:

    Hi, I think I may have downloaded the Spider Man app, although I’m not sure who the publisher was so I can’t tell. I uninstalled it last night, then downloaded lookout and performed a scan. It scanned my apps and said that I was clean, but is this only because I had uninstalled Spider Man prior to downloading lookout? Can lookout tell if my phone was infected even if the offending app is no longer present?

    • Amy says:

      @Joe, thanks for reaching out. Our support team will be the best avenue to get an answer to your question: support@mylookout [com].

  10. Mattia says:

    Congratulations on the excellent article, very interesting.
    I am writing a thesis about information security in Android and I’d like to ask for more details about this malware if possible.
    Who can I contact for more details?

    Thanks in advance,

  11. Jon says:

    @Amy or Joe – I suspect this is a common question. Would you mind posting the answer here after you find out?

    • Amy says:

      @Jon and Joe, thanks for your comments. I spoke with our security team and confirmed that if Joe uninstalled the Spider Man app, then downloaded Lookout and received a message that no malware was found, his phone is clean. Lookout would be able to tell you if your phone was infected, even if you had previously uninstalled the SpiderMan app.

  12. Mike 2 says:

    @AMY, I think Joe’s question is one we all want an answer to. Surely you don’t want us ALL to email support to ask if lookout can tell if a device is already infected. Please go get this information for us.

  13. Alexandra says:

    With this whole ordeal I am extremely anxious about my own safety. My credit card number (that I use to pay for my cell phone bill) was stolen. My Android is the ONLY place where my number is stored. I am disgusted that regular people can create applications without anyone’s approval. To say that these hackers have not used anyone’s personal information disgusts me. Who are we to judge what they are capable of doing?! Clearly they are smart people! I 100% guarantee my # was stolen by one of these hackers. I have tried to contact several times, but have yet to get a response. I want my matter to be investigated immediately.

  14. Marty says:

    I can’t uninstall the com.androidproviders.downloadmanager … I tried several antiviruses; each one of them notified me that it is malware but failed to uninstall it … please help

  15. Brian says:

    We’re sorry you got caught up in the recent DroidDream malware storm. You may be interested to know that Lookout has created a DroidDreamCleaner app that will detect and remove the results of the DroidDream malware.

    You also may have received notice from Google that they are actively removing DroidDream from any affected phones automatically. We have every confidence in this mechanism, however if you would like to independently confirm the DroidDream removal, or have not yet received this notice from Google, you may be interested in using our DroidDreamCleaner app.

    What does it do?

    DroidDreamCleaner will scan your phone for the secondary system application and root shell left behind by the primary infector. Given the way in which the dropper functions and that it installs its secondary payload to /system/app, a specialized tool is required to uninstall it, and this tool takes advantage of the very back door application that DroidDream leaves behind to do so.

    How do I use it?

    * Step 1. You will need to go to the Android Market and search for ‘Lookout’ and there will be an app called DroidDream Cleaner published by Lookout Labs – that is us too.

    * Step 2. Open the app – it is called ‘Lookout DroidDream Cleaner’ – and it will scan your phone. Please take note of the items the app discovers (and let us know what they are) and then choose to clean your phone from whatever the app detects.

    * Step 3. If the app does detect the malware, please clean the phone using the tools in the app. You should do this as many times as necessary until you receive the message that your device is not infected. When you see the ‘your device is not affected’ message, please run the scan one more time for safety’s sake.

    If you run into any problems with this process, please let us know immediately via email as a reply to; if DroidDreamCleaner appears to not function properly or appears to be unable to remove DroidDream, please install the free SendLog app from the Android Market and use it to produce a log and attach that to your email reply. Please know that the scan our DroidDream Cleaner does is very fast; it takes less than a second to run, but it does run when you ask it to.

  16. Christa says:

    Does Lookout work for tablets as well? While looking at an internet site I was alerted of malware on my new Motorola Zoom tablet. I researched for hours in order to find antivirus software for my tablet, to no avail. All I found advertised was software for phones. Do you know if anything is available for Android tablets?

    Thank you,

  17. Suzanne says:

    Where’s the update to the information for this informational page? I just bought a phone that has Gingerbread, the latest version. Is my phone at risk with the new developments? What permissions do you recommend we not get apps that need them? I see in some of the apps I have downloaded, something mentioned like
    blah blah and malicious something or other on it stated right in the permissions area?
    Should I uninstall those apps?
    I have seen a list of the apps removed by Android Market that I saw yesterday but don’t know if that was an old informational article or not. I have Lookout, I have not joined it. I’m looking more into it. There is a report that says most if not all security downloads do not do anything, and the top one only protects 30 percent of the time if manually scanned and only 80 percent of the time if done……automatically or something? I’ve not even paid a bill for my new Samsung Galaxy S II T989 and now wonder if I have done something that will void the warranty, ruin my phone or put me at risk of identity theft.
    All my apps come from the Market Place, which I thought was trustworthy but I guess it’s not.

  18. jason says:

    I keep getting an error message when downloading files, or attempting to anyway. I utilize redundant mobile security software: firewall, download scan, two different antivirus, etc. I learned that DroidDream can cause the error: Java io.IOException handshake failure…
    Wtf is that? Lookout DroidDream Cleaner says I’m not infected … I don’t have any clue how to fix it. My phone is a ZTE SCORE, not rooted; factory reset didn’t fix it … ran Java de
    Debugger app, still not fixed.
    Do you have any idea on how I can resolve this very detrimental issue?

    • Amy says:

      @Jason, thanks for reaching out. Please send an email to support@mylookout[dot]com and our team will be glad to help answer your questions. To enable us to best help you, if possible, please include a detailed description and screen shot of what you are seeing. Thank you!

  19. Masoud says:

    My device has been infected by malware. It shows some ads or installs some apps. I have used Lookout to clean it. Lookout will identify the malware ( but is unable to delete or clean it. Any solution?

    • Meghan Kelly says:

      Hi there, unfortunately, we cannot delete an application off of our device. Have you navigated to the app Lookout detected and tried to delete it from there? If you’re having trouble otherwise, please feel free to reach out to our support team: support [at] lookout [dot] com
