May 30, 2011

Update: Security Alert: DroidDreamLight, New Malware from the Developers of DroidDream

Looking for more information on mobile threats like DroidDreamLight? Check out Lookout’s Top Threats resource.

The Threat

This weekend, multiple applications available in the official Android Market were found to contain malware that can compromise a significant amount of personal data. Likely created by the same developers who brought DroidDream to market back in March, 26 applications were found to be infected with a stripped down version of DroidDream we’re calling “Droid Dream Light” (DDLight).  At this point we believe between 30,000 and 120,000 users have been affected by DroidDreamLight.

The Lookout Security Team identified the malware thanks to a tip from a developer who notified us that modified versions of his app and another developer’s app were being distributed in the Android Market.  Our security team confirmed that there was malicious code grafted into these apps and identified markers associating this code with previously analyzed DroidDream samples.  We discovered 24 additional apps repackaged and redistributed with the malicious payload across a total of 5 different developer accounts.

Lookout users are automatically protected from this malware. Google has removed all of the apps known to be infected from the Android Market while they investigate.

Who is affected?
Apps containing DroidDreamLight have been available for download from the official Android Market. Anyone who has downloaded the apps listed below may be affected. We believe the number of affected devices to be in the range of 30,000 and 120,000 users. If you have downloaded these apps, contact us at and we can assist you in removing them.

The list of infected applications (by developer name) includes:

Magic Photo Studio

  • Sexy Girls: Hot Japanese
  • Sexy Legs
  • HOT Girls 4
  • Beauty Breasts
  • Sex Sound
  • Sex Sound: Japanese
  • HOT Girls 1
  • HOT Girls 2
  • HOT Girls 3

Mango Studio

  • Floating Image Free
  • System Monitor
  • Super StopWatch and Timer
  • System Info Manager

E.T. Tean

  • Call End Vibrate


  • Quick Photo Grid
  • Delete Contacts
  • Quick Uninstaller
  • Contact Master
  • Brightness Settings
  • Volume Manager
  • Super Photo Enhance
  • Super Color Flashlight
  • Paint Master

Update: We added an additional developer and its infected apps that was previously omitted, see below.


  • Quick Cleaner
  • Super App Manager
  • Quick SMS Backup

UPDATE: An additional developer was found to be publishing apps containing DroidDreamLight. They have already been pulled from the Android Market. See the list of apps and developer name below.


  • Tetris
  • Bubble Buster Free
  • Quick History Eraser
  • Super Compass and Leveler
  • Go FallDown !
  • Solitaire Free
  • Scientific Calculator
  • TenDrip

How DroidDream Light Works

Malicious components of DroidDream Light are invoked on receipt of a  android.intent.action.PHONE_STATE intent (e.g. an incoming voice call).  DroidDream Light is not, therefore, dependent on manual launch of the installed application to trigger its behavior.  The broadcast receiver immediately launches the <package>.lightdd.CoreService which contacts remote servers and supplies the IMEI, IMSI, Model, SDK Version and information about installed packages.  It appears that the DDLight is also capable of downloading and prompting installation of new packages, though unlike its predecessors it is not capable of doing so without user intervention.

How to Stay Safe

Lookout Free and Premium users are already protected. As we see the frequency of these threats increase, please keep in mind the following:

  • Only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings.
  • Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
  • Be alert for unusual behavior on your phone. This behavior could be a sign that your phone is infected. These behaviors may include unusual SMS or network activity.
  • Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this Trojan.

We’ll keep you updated as we learn more. If you have questions about this or other malware, feel free to contact us at

  1. Henry Bason says:

    Just curious…..that was a long time Ago.

  2. mcbyte says:

    Can you provide icons of the apps (and/or screenshots)?
    I have/had a couple of apps with similar names, but lookout scanner said nothing was found.

    I have a Volume Manager, but in the market there are 100’s of “Volume Manager” :s

    • Amy says:

      @Mcbyte, thanks for your message. The Lookout scanner will detect all of the malware from the developers of DroidDream, so if the scan you ran on your phone said everything was okay–the Volume Manager app on your phone is not infected. If you have any other questions, please feel free to contact us our support team directly at: support[at] Thank you!

  3. For me, it’s not the job of the user/consumer to know whether or not the app and app developer are safe. This is the responsibility of the app store – such as Google App Store, Nokia Ovi, and the Apple App Store. The store should see to it that their consumers are safe by making sure that:

    – all apps are filtered and scanned well
    – a developer should have certificates from a well-known IT security organization

    Lastly, we should not completely rely on reviews and star ratings as these could be easily created and manipulated by a paid third-party entity.

  4. PuellaMagica says:

    They don’t even need to be “certified” to publish apps.

    They should just scan new packages for known malware behavior, especially if the application requests permissions which DO NOT support the functions of the app itself.

    Furthermore, the permissions need to be even more granular so that when applications request permission to read or send Personal identifiable information, it’s noted, and the application which requests such permissions can be easily reviewed before being released to the general public.

    Additionally, Google can be proactive by disabling the installation of “Unverified” applications by default…requiring the end user to perform some sort of online interaction with their Google account that spells out the dangers of testing such applications. A sort of “Geeks and Power user level users Only” is strongly recommended in such a warning. Just word it strongly enough to scare the newbies and idiots away, and people will be warned off when they must manually approve the installation online…instead of on their handsets where they should not be able to access such untested apps anyway.

  5. benderz says:

    Thanks for your amazing work Lookout Security Team 🙂

  6. BRYAN B says:

    So is the assumption that only phones are at risk at this juncture or are WIFI only Tables going to be at risk also?


    • Amy says:

      @Bryan thanks for your message. All mobile devices – phone or even tablets that are WiFi only – may be vulnerable to malware. If you have any other questions, please feel free to contact us: support[at]

  7. Axel says:

    Now it’s a matter of distributing a fake Lookout app infected with DDL.

  8. Rhonda says:

    I’m confused about how the Lookout app identifies malware since the app wasn’t able to identify it until receiving a tip from another developer. I’ve had it on my phone for a couple of months and thought I was better protected.

    • Amy says:

      @Rhonda, thanks for your message. We make every effort to protect users against new threats. There are situations, like this one, where we need to respond once the threat is already live. We are 100% dedicated to protecting users as quickly as we possibly can and all Lookout users are automatically protected from this malware. Google has removed all of the apps known to be infected from the Android Market while they investigate.

  9. Duncan Bayne says:

    @Amelia: it comes down to a cost / benefit analysis.

    One of the attractions of Android is that I can download and install apps from anywhere, not just the App Store. Also, the approval process is faster and easier than Apple. The cost of all this is a higher risk of malware.

    If you want the user to be completely protected from malware, the only viable approach is a locked-down ecosystem like iOS – or even _more_ locked down than iOS if you require third-party certification & audits.

    Is that _really_ what you want Android to become?

  10. Nancy Ingram says:

    Are Apple apps vulnerable? Also can I follow you on Twitter, other?

  11. LadyLogician says:

    I am new to Android and let me tell you I would be LOST without Lookout. This is one App I would not do without.

    Amelia – it comes down to personal responsibility. I personally want to make sure that my phone stays as clean as possible. Therefore I have Lookout and I make sure that I know all I can about the developer and the app. I agree that ratings and reviews can be manipulated but the more reliable tech blogs are a good source for info to help a user make an intelligent decision.

    I don’t want the app store deciding for me what apps are “ok” because the day may come when they decide that their malware is OK. I would much rather be responsible for what I download and I will do so with the great help of the Lookout Security Team.

  12. NavMan says:

    But Android Market can not do anything about this? I believe that their approval system for apps, is very weak!

  13. Michelle Dy says:

    wow come to think of it this virus’ intent is for them to profit from you being forced to download their program. =(

  14. Dan says:

    this “malicious code” is the same code people use to root their phones. Amazing how thousands have been using this to hack phones for months and google never thought to check if… it’s being used to hack phones.. duh.

  15. josey jasen says:

    I just stumbled upon your blog and wanted to say that I have really

    enjoyed browsing your blog posts. In any case I’ll be subscribing to

    your feed and I hope you write again soon!

  16. […] ou potentiellement dangereuses, d’autres applications peuvent encore être touchées. Sur le blog de Mylookout vous pourrez en savoir un peu plus. Voici la liste des malwares déjà connus :* Sexy Girls: Hot […]

  17. sayfanız firefoxta çok geç yükleniyor

  18. ovidiu says:

    i am instered to do a study about android apps security and to create a practial apps that show vulnerbality of the android os what do you recomened me?

  19. Minne says:

    Bonjour Je suis infecté par le virus sexy mais l’installation de lookout est impossible car l’appareil se fige et redémarre toutes les 15 secondes.
    Que puis-je faire ?


Leave a comment