Low Security Alert: New DroidDream Version Appeared on Android Market


According to the Lookout Mobile Security blog, a new low security level threat appeared today on the Android Market. The malware was quickly removed before it reached 5,000 downloads.

The malware was uploaded with four apps by a user named “Mobnet”. The applications were found to contain malware that is nearly identical to DroidDream Light.

Full Security Alert Release From Lookout:

The Lookout Security Team has identified a new variant of DroidDream Light found in the Android Market, which Google already removed from the Android Market.  Fortunately the malware was available in the Android Market for a short period of time so the number of downloads was limited to 1000 – 5000. This is the third iteration of malware likely created by the authors of DroidDream; the first was discovered in early March (the original DroidDream) and the second in early June (DroidDream Light).

The Threat

Four applications in the Android Market published by a developer named “Mobnet” were found to contain malware that is nearly identical to DroidDream Light. Though our analysis is still underway, these applications are likely published by the same author as the original DroidDream malware.

All Lookout Free and Premium users are automatically protected from this malware and the applications have been removed from the Android Market.

Infected applications include:

  • Quick FallDown
  • Scientific Calculator
  • Bubble Buster
  • Best Compass & Leveler

Note: There is a legitimate application that has a package name similar to that of Best Compass & Leveler. The Trojanized application capitalizes the package name (i.e. com.gb.CompassLeveler), while the legitimate application does not (i.e. com.gb.compassleveler).
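
Android package names are case-sensitive, so the two names in the note above are distinct packages that can coexist on one device. The following check is an added example, not part of Lookout's alert or tooling: it reads `pm list packages` style output and flags names that match a known-good name only when case is ignored. The allowlist holds the one legitimate name from the note, and the sample output is constructed.

```python
"""Added example: flag package names that differ from a known-good name only by case."""

# Known-good package names (assumption: a list you maintain yourself).
# The single entry is the legitimate name quoted in the alert.
KNOWN_GOOD = {"com.gb.compassleveler"}


def parse_pm_list(output):
    """Extract package names from `pm list packages` lines ("package:<name>")."""
    names = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.append(line[len("package:"):])
    return names


def case_lookalikes(installed, known_good=KNOWN_GOOD):
    """Return (installed, legitimate) pairs equal only after case folding."""
    folded = {name.casefold(): name for name in known_good}
    hits = []
    for name in installed:
        legit = folded.get(name.casefold())
        if legit is not None and name != legit:
            hits.append((name, legit))
    return hits


def internal_collisions(installed):
    """Group installed names that collide with each other once case is ignored."""
    groups = {}
    for name in installed:
        groups.setdefault(name.casefold(), set()).add(name)
    return [sorted(g) for g in groups.values() if len(g) > 1]


# Constructed sample output; only the two com.gb names come from the alert.
SAMPLE = """\
package:com.android.settings
package:com.gb.CompassLeveler
package:com.example.notes
package:com.gb.compassleveler
"""

if __name__ == "__main__":
    pkgs = parse_pm_list(SAMPLE)
    for found, legit in case_lookalikes(pkgs):
        print(f"case-only lookalike: {found} (legitimate: {legit})")
    for group in internal_collisions(pkgs):
        print("names colliding case-insensitively:", ", ".join(group))
```

On a real device the input would come from `adb shell pm list packages`; a hit is a prompt to inspect the package, not proof of infection.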

Who is affected?

Apps containing DroidDream Light were available for download from the official Android Market. Anyone who has downloaded the apps listed above published by the developer “MobNet” may be affected.

How DroidDream Light Works

Similar to the first samples of DroidDream Light found, these samples are not reliant on the manual launch of the infected application to start. Upon initiation it appears that the malware has the capability to:

– Change next connection time

– Change C&C server (feedproxy) in use

– Initiate an application download

– Create several app install-related prompts on the notification bar directing the victim to:

  • Download other apps from the Android Market
  • Visit a specific URL (likely malicious)
  • Download an application from an HTTP server showing a notification with progress bar, and on completion fire an intent to prompt an install (parameters: description, title, packagename, url, filename)
  • Download an updated APK for the infected application which would in turn download an updated version of the malware.

How to Stay Safe

Lookout Free and Lookout Premium users are currently protected against this malware. With the discovery of this new malware, it is more important than ever to pay attention to what you’re downloading. Stay alert and ensure that you trust every app you download. As we uncover more details about DroidDream Light and related malware we’ll keep you updated.

  • Only download applications from trusted sources, such as reputable application markets. Remember to look at the developer name, reviews, and star ratings.
  • Always check the permissions an app requests. Use common sense to ensure that the permi