So far, a total of twenty-six applications containing this stripped-down version of DroidDream have been pulled from the Android Market, and there could still be more hiding out there.
According to Lookout, this malware has the ability to steal important personal data. DroidDream Light is a stripped-down version of the DroidDream that we saw a few months back, which had quickly infected 50 applications; the new version is heading down the same path and is already believed to have infected between 30,000 and 120,000 users.
Lookout Security identified this new threat. It happened after a developer noticed that a modified version of his app and another developer’s application were being distributed under another account in the Android Market. Lookout quickly identified the malicious code within the apps and also found similarities between the old version and the new version.
So far Google has done its best and has removed all the known infected applications. However, five different accounts were behind these infected applications: Magic Photo Studio, Mango Studio, ET Tean, BeeGoo and DroidPlus.
Even though this new malware is based on the old DroidDream, it is still as malicious as it was last time, if not worse, since it does not need the user to launch the application to become dangerous, so don’t let the name “Light” fool you. According to Lookout, it can also collect quite a bit of information, including the unique IMEI identifier, IMSI, SDK version, handset model and information about installed packages on the user’s Android device.
This version of DroidDream is triggered when an “android.intent.action.PHONE_STATE” intent is received, which usually happens during an incoming call. While this application is a spin-off of the original, it differs in that it is not capable of performing updates without the user’s knowledge and approval.
F-Secure researchers also found code within this threat that can be triggered when a text message is received.
“The added code will connect to a server and send details about the infected handset to the malware authors,” F-Secure Chief Research Officer Mikko Hypponen wrote. “So we’re talking about a mobile botnet.”
Google discovered and removed 58 apps on the Android Market in early March when DroidDream first broke on the scene. Google also took the unprecedented step of using its “remote kill switch,” which allowed it to automatically remove the malicious apps that had already been installed on Android devices. The company made a number of changes to try to prevent this kind of infection from happening again.
According to Lookout, users need to check the permissions of applications and make sure that they match what the app is designed to do. One example is an application designed to display images in gallery format: while it seemed harmless, the infected version, “Magic Photo Studio”, requested full internet access along with the ability to read the phone’s state and identity.
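The permission check described above, together with the PHONE_STATE trigger mentioned earlier, can be automated against an app's manifest. The script below is an added example, not code from Lookout or F-Secure; it assumes the manifest has already been decoded to text XML, and the package name, receiver name and expected-permission set are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Broadcast actions that let code run without the user opening the app.
BACKGROUND_TRIGGERS = {
    "android.intent.action.PHONE_STATE",        # trigger named in the article
    "android.provider.Telephony.SMS_RECEIVED",  # incoming text message (added here)
}

# Constructed sample: decoded manifest of a hypothetical gallery app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.gallery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <activity android:name=".GalleryActivity"/>
    <receiver android:name=".CoreReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def audit_manifest(xml_text, expected_permissions):
    """Return (unexpected permissions, receivers woken by background triggers)."""
    root = ET.fromstring(xml_text.strip())
    names = (p.get(ANDROID_NS + "name") for p in root.iter("uses-permission"))
    requested = {n for n in names if n}
    unexpected = sorted(requested - set(expected_permissions))
    triggers = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            name = action.get(ANDROID_NS + "name")
            if name in BACKGROUND_TRIGGERS:
                triggers.append((receiver.get(ANDROID_NS + "name"), name))
    return unexpected, triggers

if __name__ == "__main__":
    # Assumption: a local image viewer needs no permissions at all.
    unexpected, triggers = audit_manifest(SAMPLE_MANIFEST, expected_permissions=set())
    for perm in unexpected:
        print("unexpected permission:", perm)
    for receiver, action in triggers:
        print("receiver", receiver, "runs on", action)
```

A receiver bound to one of these actions combined with permissions outside the app's stated purpose is a reason to inspect the app further, not proof of infection.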
Lookout recommends that users install a mobile security application that will scan the device every so often and check for threats. You can check out our Guide To Android: Android Security for some security applications to help protect yourself and your device.