May 30, 2011

Update: Security Alert: DroidDreamLight, New Malware from the Developers of DroidDream

Looking for more information on mobile threats like DroidDreamLight? Check out Lookout’s Top Threats resource.

The Threat

This weekend, multiple applications available in the official Android Market were found to contain malware that can compromise a significant amount of personal data. Likely created by the same developers who brought DroidDream to market back in March, 26 applications were found to be infected with a stripped-down version of DroidDream we’re calling “DroidDreamLight” (DDLight). At this point we believe between 30,000 and 120,000 users have been affected by DroidDreamLight.

The Lookout Security Team identified the malware thanks to a tip from a developer who notified us that modified versions of his app and another developer’s app were being distributed in the Android Market.  Our security team confirmed that there was malicious code grafted into these apps and identified markers associating this code with previously analyzed DroidDream samples.  We discovered 24 additional apps repackaged and redistributed with the malicious payload across a total of 5 different developer accounts.

Lookout users are automatically protected from this malware. Google has removed all of the apps known to be infected from the Android Market while they investigate.

Who is affected?
Apps containing DroidDreamLight have been available for download from the official Android Market. Anyone who has downloaded the apps listed below may be affected. We believe the number of affected users to be in the range of 30,000 to 120,000. If you have downloaded these apps, contact us at support-at-lookout.com and we can assist you in removing them.

The list of infected applications (by developer name) includes:

Magic Photo Studio

  • Sexy Girls: Hot Japanese
  • Sexy Legs
  • HOT Girls 4
  • Beauty Breasts
  • Sex Sound
  • Sex Sound: Japanese
  • HOT Girls 1
  • HOT Girls 2
  • HOT Girls 3

Mango Studio

  • Floating Image Free
  • System Monitor
  • Super StopWatch and Timer
  • System Info Manager

E.T. Tean

  • Call End Vibrate

BeeGoo

  • Quick Photo Grid
  • Delete Contacts
  • Quick Uninstaller
  • Contact Master
  • Brightness Settings
  • Volume Manager
  • Super Photo Enhance
  • Super Color Flashlight
  • Paint Master

Update: We added an additional developer and its infected apps, which were previously omitted; see below.

DroidPlus

  • Quick Cleaner
  • Super App Manager
  • Quick SMS Backup

UPDATE: An additional developer was found to be publishing apps containing DroidDreamLight. They have already been pulled from the Android Market. See the list of apps and developer name below.

GluMobi

  • Tetris
  • Bubble Buster Free
  • Quick History Eraser
  • Super Compass and Leveler
  • Go FallDown !
  • Solitaire Free
  • Scientific Calculator
  • TenDrip

How DroidDreamLight Works

Malicious components of DroidDreamLight are invoked on receipt of an android.intent.action.PHONE_STATE intent (e.g. an incoming voice call). DroidDreamLight therefore does not depend on the user manually launching the installed application to trigger its behavior. The broadcast receiver immediately launches the <package>.lightdd.CoreService service, which contacts remote servers and supplies the IMEI, IMSI, model, SDK version and information about installed packages. It appears that DDLight is also capable of downloading and prompting installation of new packages, though unlike its predecessors it is not capable of doing so without user intervention.

How to Stay Safe

Lookout Free and Premium users are already protected. As we see the frequency of these threats increase, please keep in mind the following:

  • Only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings.
  • Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
  • Be alert for unusual behavior on your phone. This behavior could be a sign that your phone is infected. These behaviors may include unusual SMS or network activity.
  • Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this Trojan.

We’ll keep you updated as we learn more. If you have questions about this or other malware, feel free to contact us at security-at-lookout.com.

35 comments
  1. mcbyte says:

    Can you provide icons of the apps (and/or screenshots)?
    I have/had a couple of apps with similar names, but lookout scanner said nothing was found.

    I have a Volume Manager, but in the market there are 100's of “Volume Manager” :s

  3. For me, it’s not the job of the user/consumer to know whether or not the app and app developer are safe. This is the responsibility of the app store – such as Google App Store, Nokia Ovi, and the Apple App Store. The store should see to it that their consumers are safe by making sure that:

    - all apps are filtered and scanned well
    - a developer should have certificates from a well-known IT security organization

    Lastly, we should not completely rely on reviews and star ratings as these could be easily created and manipulated by a paid third-party entity.

  4. Amy says:

    @Mcbyte, thanks for your message. The Lookout scanner will detect all of the malware from the developers of DroidDream, so if the scan you ran on your phone said everything was okay, the Volume Manager app on your phone is not infected. If you have any other questions, please feel free to contact our support team directly at: support[at]mylookout.com. Thank you!

  5. benderz says:

    Thanks for your amazing work Lookout Security Team :)

  6. BRYAN B says:

    So is the assumption that only phones are at risk at this juncture, or are WIFI only tablets going to be at risk also?

    BRYAN B

  7. Rhonda says:

    I’m confused about how the Lookout app identifies malware since the app wasn’t able to identify it until receiving a tip from another developer. I’ve had it on my phone for a couple of months and thought I was better protected.

  8. Duncan Bayne says:

    @Amelia: it comes down to a cost / benefit analysis.

    One of the attractions of Android is that I can download and install apps from anywhere, not just the App Store. Also, the approval process is faster and easier than Apple. The cost of all this is a higher risk of malware.

    If you want the user to be completely protected from malware, the only viable approach is a locked-down ecosystem like iOS – or even _more_ locked down than iOS if you require third-party certification & audits.

    Is that _really_ what you want Android to become?

  9. Nancy Ingram says:

    Are Apple apps vulnerable? Also can I follow you on Twitter, other?
    Thanks.

  10. LadyLogician says:

    I am new to Android and let me tell you I would be LOST without Lookout. This is one App I would not do without.

    Amelia – it comes down to personal responsibility. I personally want to make sure that my phone stays as clean as possible. Therefore I have Lookout and I make sure that I know all I can about the developer and the app. I agree that ratings and reviews can be manipulated but the more reliable tech blogs are a good source for info to help a user make an intelligent decision.

    I don’t want the app store deciding for me what apps are “ok” because the day may come when they decide that their malware is OK. I would much rather be responsible for what I download and I will do so with the great help of the Lookout Security Team.

  11. Amy says:

    @Nancy, thanks for your message. The malware that was found (DroidDream and DroidDream light) existed only in the Android Market, and does not affect apps in the Apple App Store. Thanks so much for wanting to follow us on Twitter. Simply follow us here: http://twitter.com/#!/lookout. Also, we are on Facebook: http://www.facebook.com/mylookout. Thanks!

  12. Amy says:

    @Bryan thanks for your message. All mobile devices – phone or even tablets that are WiFi only – may be vulnerable to malware. If you have any other questions, please feel free to contact us: support[at]mylookout.com.

  13. Amy says:

    @Rhonda, thanks for your message. We make every effort to protect users against new threats. There are situations, like this one, where we need to respond once the threat is already live. We are 100% dedicated to protecting users as quickly as we possibly can and all Lookout users are automatically protected from this malware. Google has removed all of the apps known to be infected from the Android Market while they investigate.

  14. NavMan says:

    But Android Market cannot do anything about this? I believe that their approval system for apps is very weak!

  16. Michelle Dy says:

    wow come to think of it this virus’ intent is for them to profit from you being forced to download their program. =(

  24. Dan says:

    This “malicious code” is the same code people use to root their phones. Amazing how thousands have been using this to hack phones for months and Google never thought to check if… it’s being used to hack phones.. duh.

  26. josey jasen says:

    I just stumbled upon your blog and wanted to say that I have really enjoyed browsing your blog posts. In any case I’ll be subscribing to your feed and I hope you write again soon!

    http://theindianstudio.com/

  32. ovidiu says:

    I am interested to do a study about Android apps security and to create a practical app that shows vulnerability of the Android OS. What do you recommend to me?
