July 8, 2011

Security Alert: New DroidDream Light Variant Published to Android Market

Looking for more information on mobile threats like DroidDreamLight? Check out Lookout’s Top Threats resource.

The Lookout Security Team has identified a new variant of DroidDream Light found in the Android Market, which Google already removed from the Android Market.  Fortunately the malware was available in the Android Market for a short period of time so the number of downloads was limited to 1000 – 5000. This is the third iteration of malware likely created by the authors of DroidDream; the first was discovered in early March (the original DroidDream) and the second in early June (DroidDream Light).

The Threat

Four applications in the Android Market published by a developer named “Mobnet” were found to contain malware that is nearly identical to DroidDream Light.  Though our analysis is still underway, these applications are likely published by the same author as the original DroidDream malware.

All Lookout Free and Premium users are automatically protected from this malware and the applications have been removed from the Android Market.

Infected applications include:

  • Quick FallDown
  • Scientific Calculator
  • Bubble Buster
  • Best Compass & Leveler Note: There is legitimate application that has a package name similar to that of Best Compass & Leveler.  The Trojanized application capitalizes the package name (i.e. com.gb.CompassLeveler), while the legitimate application does not (i.e. com.gb.compassleveler).

Who is affected?

Apps containing DroidDreamLight were available for download from the official Android Market. Anyone who has downloaded the apps listed above published by the developer “MobNet” may be affected.

How DroidDream Light Works

Similar to the first samples of DroidDream Light found, these samples are not reliant on the manual launch of the infected application to start.   Upon initiation it appears that the malware has the capability to:

– Change next connection time

– Change C&C server (feedproxy) in use

– Initiate an application download

– Create several app install-related prompts on the notification bar directing the victim to:

  • Download other apps from the Android Market
  • Visit a specific URL (likely malicious)
  • Download an application from an HTTP server showing a notification with progress bar, and on completion fire an intent to prompt an install (parameters: description, title, packagename, url, filename)
  • Download an updated APK for the infected application which would in turn download an updated version of the malware.

How to Stay Safe

Lookout Free and Lookout Premium users are currently protected against this malware. With the discovery of this new malware, it is more important than ever to pay attention to what you’re downloading. Stay alert and ensure that you trust every app you download. As we uncover more details about DroidDream Light and related malware we’ll keep you updated.

  • Only download applications from trusted sources, such as reputable application markets. Remember to look at the developer name, reviews, and star ratings.
  • Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
  • Be aware that unusual behavior on your phone could be a sign that your phone is infected. Unusual behaviors include: unknown applications being installed without your knowledge, SMS messages being automatically sent to unknown recipients, or phone calls automatically being placed without you initiating them.
  • Download a mobile security app for your phone that scans every app you download. Lookout users automatically receive protection against this Trojan.
  1. Compared to computer and Internet security, mobile security is not a priority. But the mobile world is surrounded with the same threats.

    Mobile users need to keep their security in check, given the dangers that come with using the gadgets.

  2. Venu says:

    Thank you very much for sharing this.

  3. David says:

    Hey guys,

    Found this post from Phandroid, and realized I had one of the infected apps (Bubble Buster). I uninstalled it, deleted its backup from Titanium, downloaded Lookout and ran a scan. Lookout didn’t find anything, but it gave me the impression it was scanning only my installed apps — is there any sort of trace that DDLight might have left behind on my system? Is there any way to know if I’m infected?

    • Amy says:

      @David, thank you for your message. If you had any DroidDream malware on your mobile device, Lookout would have detected and removed the malware from your device in a scan. Since Lookout said “everything is okay” your device is free of DroidDream malware. If you have any other questions, please feel free to contact us: support[at]mylookout.com. Thanks again!

  4. Dave532 says:

    I had no idea there was such a problem with malware on Android. I guess I know what app I will be installing today…

Leave a comment