Hack that Droid! => Android Security => Topic started by: Unwired on March 03, 2011, 08:22:51 AM

Title: How DroidDream Malware Works
Post by: Unwired on March 03, 2011, 08:22:51 AM
In the DroidDream samples we have analyzed, the malware cannot start automatically: it requires the user to manually run the infected application. When the host application—Bowling Time, in this case—is launched by a user, DroidDream will start by sending sensitive data to a command and control server.  The sensitive data includes:

    * IMEI
    * IMSI
    * Device Model
    * SDK Version

DroidDream is configured to perform at least one successful check-in with the command and control server, at which point the command and control server will respond and acknowledge the presence of malware on the infected device. We found that the DroidDream authors have configured the malware to make sure the device is not already infected with another variant of DroidDream. If the device is already infected, the malware will not re-infect it.

When DroidDream attempts to infect a device, it uses two known exploits, exploid and rageagainstthecage, to break out of the Android security container. Both of the vulnerabilities being exploited were patched by Android 2.3 (Gingerbread). If exploid fails to root the device, the malware will attempt to use rageagainstthecage. Once the phone is rooted, DroidDream is configured to search for a specific package (downloadsmanager). If the malware does not find this package on the device, it will silently install a second malicious application without the user's knowledge. If DroidDream does find the downloadsmanager package, it will not continue infecting the device with the second malicious application.

At Lookout, we are currently in the process of confirming what this second application is capable of, but our initial analysis shows that it appears to be able to send additional sensitive information to a remote server. The second malicious application also appears to have the capability to silently install other applications.

Lookout has identified instances of DroidDream apps residing in third-party markets.  Given that these apps will only complete their infection cycle on devices without the complete “Google Experience” software stack, we believe that DroidDream was designed to target devices in other markets (potentially China) that are more likely to be deployed without these applications.  It is likely that the apps were deployed to the official Android Market after the fact, though unclear whether the authors expected to succeed in fully infecting significant numbers of devices. We’ll be continuing to investigate this.

Unlike previous instances of malware in the wild that were only available in targeted alternative app markets, DroidDream was available in the official Android Market in addition to alternative markets, indicating a growing need for Android users to take extra caution when downloading apps. To stay safe, users should always pay careful attention when downloading apps and ensure they only download apps from developers they trust, look at the ratings and read the reviews.
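A small triage helper that turns the behaviour described in the post into a check you can run against a device dump. This is an added example, not code from the post or from Lookout. It takes the text of `adb shell pm list packages` and `adb shell getprop ro.build.version.sdk` (the sample output below is constructed, not captured from a real device) and reports whether the device is still exposed to the two root exploits (patched in Android 2.3, which is API level 9) and whether the package DroidDream looks for before dropping its second application is installed. The post gives that package only as "downloadsmanager", so matching is done on that fragment; the full component name used in the sample data is an assumption.

```python
"""Offline triage for the DroidDream infection chain described in the post.

Added example (not from the post): parses constructed `pm list packages` and
`getprop ro.build.version.sdk` output and reports exposure.
"""
import re
from typing import Dict, List, Optional, Set

# Android 2.3 (Gingerbread) is API level 9. The post states both exploid and
# rageagainstthecage were patched there, so we treat API level >= 9 as patched.
GINGERBREAD_API_LEVEL = 9

# The post names the package only as "downloadsmanager"; we match on that
# fragment rather than assuming the full package name.
INDICATOR_FRAGMENT = "downloadsmanager"


def parse_package_list(pm_output: str) -> Set[str]:
    """Parse `pm list packages` output, which has one 'package:<name>' per line."""
    pkgs: Set[str] = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def parse_sdk_level(getprop_output: str) -> Optional[int]:
    """Extract the integer API level from `getprop ro.build.version.sdk` output."""
    m = re.search(r"\d+", getprop_output)
    return int(m.group(0)) if m else None


def triage(pm_output: str, getprop_output: str) -> Dict[str, object]:
    """Apply the post's two conditions: unpatched device, indicator package absent.

    An unknown API level is conservatively treated as unpatched.
    """
    pkgs = parse_package_list(pm_output)
    sdk = parse_sdk_level(getprop_output)
    patched = sdk is not None and sdk >= GINGERBREAD_API_LEVEL
    indicator: List[str] = sorted(p for p in pkgs if INDICATOR_FRAGMENT in p)
    # Per the post: the root exploits must succeed first (needs an unpatched
    # device), and the second app is only dropped if the package is absent.
    chain_can_complete = (not patched) and not indicator
    return {
        "sdk_level": sdk,
        "root_exploits_patched": patched,
        "indicator_packages": indicator,
        "infection_chain_can_complete": chain_can_complete,
    }


# Constructed sample output (not captured from a real device). The Bowling
# Time package name is made up for the example.
SAMPLE_PM_UNPATCHED = """package:com.android.vending
package:com.example.bowlingtime
package:com.android.settings
"""
SAMPLE_GETPROP_UNPATCHED = "8\n"  # Android 2.2 (Froyo): exploits unpatched

# Full indicator package name below is an assumption for the sample; the
# post only gives the "downloadsmanager" fragment.
SAMPLE_PM_PATCHED = """package:com.android.vending
package:com.android.providers.downloadsmanager
package:com.android.settings
"""
SAMPLE_GETPROP_PATCHED = "9\n"  # Android 2.3 (Gingerbread)


if __name__ == "__main__":
    for label, pm, prop in (
        ("unpatched, no indicator", SAMPLE_PM_UNPATCHED, SAMPLE_GETPROP_UNPATCHED),
        ("patched, indicator present", SAMPLE_PM_PATCHED, SAMPLE_GETPROP_PATCHED),
    ):
        print(label, triage(pm, prop))
```

On a real device you would feed `adb shell pm list packages` and `adb shell getprop ro.build.version.sdk` into `triage`; a present indicator package is not evidence of infection by itself (the post says the malware simply stops when it finds it), so the useful signal is the combination of an unpatched API level and the package being absent.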