March 6, 2011

Do Androids Dream…?

As previously mentioned, the Android malware DroidDream works in two phases. In the first phase DroidDream infects a device by breaking out of Android’s security container using two known exploits, exploid and rageagainstthecage, and then it installs a second application on the device. Once the second application is installed, it can send additional sensitive information to a remote server and silently download other applications onto the infected device. DroidDream is the first piece of Android malware we’ve seen that uses an exploit to gain root permissions, thereby giving it a substantial amount of control over an infected device.

The authors of DroidDream aptly set the package name to include the string “com.droiddream”, as the malware is configured to run only during the hours of 11 p.m. to 8 a.m., a time when the owner of an infected device would most likely be sleeping and would not notice any strange behavior on the phone.

DroidDream Phase II: How it works

Once DroidDream is successful in rooting a device, the malware is instructed to wait and silently install a second application, DownloadProviderManager.apk, as a system application. Installing the second stage as a system application prevents a user from seeing or uninstalling the application without special permission.

Unlike the first stage “dropper”, where the user must start the host application to initiate the infection, the second phase is designed to be triggered automatically by certain end-user activities; it is also instructed to check in with its command and control server at specific times. Once the malware is activated by the command and control server, it sends additional device information, including:

  • ProductID – Specific to the DroidDream variant
  • Partner – Specific to the DroidDream variant
  • IMSI
  • IMEI
  • Model & SDK value
  • Language
  • Country
  • UserID (though this does not appear to be fully implemented)

DroidDream then attempts to take an inventory of all the applications it has previously installed. Once DroidDream has communicated its current status to the command and control server, the malware accepts the following commands:

  • NextConnectTime – connect to the C&C server at a specified time
  • DownloadUrl – download an app from a designated URL
  • PackageName – download a specific application package

Applications supplied by the command and control server can be silently downloaded to an infected device. In the malware, there also appear to be commands dealing with ratings, comments, assetIDs and install states, all of which relate to the Android Market. Though these appear incomplete, it’s possible the author(s) intended to listen for Android Market downloads and possibly to trigger downloads and comments on downloaded applications.

After analyzing the second phase of DroidDream, we’ve concluded that its purpose is to download additional applications and install them silently as system applications on the device. The first phase of the malware served to gain root access on the device, while the second phase predominantly serves to maintain a connection to the C&C server to download and install other files. Because we have not seen the C&C server issue commands to download additional applications, we cannot divine their exact purpose; however, the possibilities are limitless. DroidDream could be considered a powerful zombie agent that can install any application silently and execute code with root privileges at will.
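As an added triage example (not Lookout’s tooling or the malware’s code), the script below applies the Phase II indicators described above to a constructed package inventory and outbound request log: the “com.droiddream” package marker, the second stage installed under /system/app, the identifier set sent at check-in, the three C&C command names, and the 11 p.m. to 8 a.m. activity window. The record formats, package names and field values are assumptions for illustration.

```python
from datetime import datetime

# Indicators from the write-up: dropper package naming, second-stage file name,
# identifier set sent at check-in, C&C command names, 11 p.m. to 8 a.m. window.
PACKAGE_MARKER = "com.droiddream"
SECOND_STAGE = "DownloadProviderManager.apk"
EXFIL_FIELDS = {"ProductID", "Partner", "IMSI", "IMEI", "Model", "SDK",
                "Language", "Country", "UserID"}
C2_COMMANDS = {"NextConnectTime", "DownloadUrl", "PackageName"}

def in_sleep_window(ts):
    # True if ts is inside the 23:00-08:00 window the malware restricts itself to.
    return ts.hour >= 23 or ts.hour < 8

def triage_packages(packages):
    # packages: dicts {name, path, system}; returns human-readable findings.
    findings = []
    for pkg in packages:
        if PACKAGE_MARKER in pkg["name"]:
            findings.append("dropper-style package name: " + pkg["name"])
        if pkg["system"] and pkg["path"].endswith(SECOND_STAGE):
            findings.append("second stage installed as system app: " + pkg["path"])
    return findings

def triage_requests(requests):
    # requests: dicts {time, params, response}; returns human-readable findings.
    findings = []
    for req in requests:
        ids = set(req["params"]) & EXFIL_FIELDS
        # Both hardware IDs plus several other fields in one request matches the
        # Phase II check-in rather than ordinary app traffic.
        if {"IMEI", "IMSI"} <= ids and len(ids) >= 5:
            findings.append("check-in beacon at %s: %s" % (req["time"], sorted(ids)))
            if in_sleep_window(req["time"]):
                findings.append("beacon inside 23:00-08:00 window at %s" % req["time"])
        cmds = C2_COMMANDS & set(req.get("response", {}))
        if cmds:
            findings.append("C&C command(s) in response: %s" % sorted(cmds))
    return findings

# Constructed sample inventory and request log; names and values are hypothetical.
SAMPLE_PACKAGES = [
    {"name": "com.droiddream.sampleapp", "path": "/data/app/sampleapp.apk", "system": False},
    {"name": "com.example.dlmgr", "path": "/system/app/DownloadProviderManager.apk", "system": True},
]
SAMPLE_REQUESTS = [
    {"time": datetime(2011, 3, 5, 23, 40),
     "params": {"ProductID": "1", "Partner": "p", "IMSI": "0", "IMEI": "0",
                "Model": "m", "SDK": "8", "Language": "en", "Country": "us"},
     "response": {"NextConnectTime": "3600", "DownloadUrl": "http://c2.invalid/x.apk"}},
    {"time": datetime(2011, 3, 5, 14, 5), "params": {"q": "weather"}, "response": {}},
]
```

Running `triage_packages(SAMPLE_PACKAGES) + triage_requests(SAMPLE_REQUESTS)` on the constructed data reports the dropper-style name, the system-app second stage, one night-time check-in carrying the full identifier set, and the two C&C commands in its response, while the ordinary daytime request produces nothing.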

For those that are interested, you can access the full DroidDream technical analysis here or download a PDF here.

What to do if your phone is infected

1) Download Lookout and run a security scan to see if your phone has been infected. You will see a Lookout alert if your device is infected with DroidDream.

2) We recommend that you do not perform a factory reset, as this may not rid your phone of all the DroidDream malware. Starting last night, Google started to remotely remove the malicious applications from affected devices; others have referred to this as the “kill switch”. For an additional layer of assurance, please contact our support team at droiddream@lookout.com and we will help you uninstall the remaining components of DroidDream.

As previously mentioned, unlike other instances of malware in the wild that were only available in geographically targeted alternative app markets, DroidDream was available not only in alternative markets but also in the official Android Market, indicating a growing need for mainstream Android users to use extra caution when downloading apps. Stay tuned as we continue to provide more detail on DroidDream as it is available.

9 comments
  1. Frank Steinauer says:

    Thank you for your help. It is much appreciated.

  2. LeeC says:

    Interesting note, http://www.androlib.com still has these apps (at least from we2009020…) available. I couldn’t leave a comment there because of their ridiculous facebook commenting system.

  3. alicia says:

    @LeeC thanks for the heads up. We’ll keep our mobile security team in the loop!

  4. [...] to do once it gained access to your phone, but the company said the possibilities were “limitless.” DroidDream had been discovered in third-party app stores before, but this was the first [...]

  5. [...] Researchers at mobile security provider Lookout also released more details on the malware, dubbed DroidDream, because a string of code that used that term in the software. The malware was configured only to run between 11 p.m. and 8 a.m., when a device owner would likely be asleep or have the phone off, Lookout said in a blog post. [...]

  6. [...] with malware that could take over – “root” – the phone once installed; they used a privilege escalation exploit to install a further application which could send user data back to a remote server, and potentially download further apps with root [...]
