Google Removes 26 Infected Apps From Android Market

Google has removed 26 Apps said to be infected with a stripped down version of DriodDream

A security firm has warned that the original developers behind DroidDream have added more applications to the Android Market with a stripped-down version of the original Android malware.

A total of 26 applications in the official Android Market were found to contain malware that can steal significant amount of personal data, Lookout Security said 30 May.

The new Droid Dream Light is a modified version of the DroidDream that infected over 50 applications back in March. Droid Dream Light is believed to have already affected “between 30,000 and 120,000 users,” according to Lookout.

Infectious Apps

Lookout Security identified Droid Dream Light after a developer noticed that modified versions of his app and another developer’s app were being distributed in the Android Market under another developer account. Lookout Security Team identified the malicious code “grafted” into the apps and found similarities between the new code and the previously analysed DroidDream samples.

Google has removed all of the apps known to be infected from the Android Market, according to Lookout. Five different developer accounts were behind the infected apps, including Magic Photo Studio, Mango Studio, ET Tean, BeeGoo and DroidPlus.

Despite the name, Droid Dream Light does not appear to be any less malicious or less complex than the original DroidDream. In fact, it can be considered more dangerous as it does not depend on the user to launch the app to execute. It also collects a lot of information, including the unique IMEI (international mobile equipment identity) identifier, IMSI (or International Mobile Subscriber Identifier), SDK version, handset model, and information about installed packages on the Android device, Lookout said.

Droid Dream Light is triggered when the “android.intent.action.PHONE_STATE” value is set, such as when the user receiving an incoming phone call, according to Lookout. While the latest malware is capable of downloading new packages and prompting users to install them, it differs from DroidDream in that it can’t actually perform the update without the user accepting and approving the update requests.

The apps also contained code that could be triggered when users received text messages, F-Secure researchers found.

Mobile Botnet

“The added code will connect to a server and send details about the infected handset to the malware authors,” F-Secure Chief Research Officer Mikko Hypponen wrote. “So we’re talking about a mobile botnet.”

Google discovered and removed 58 apps on the Android Market in early March when DroidDream first broke on the scene. Google also took the unprecedented step of using its “remote kill switch” which allowed it to automatically remove the malicious apps that had already been installed on Android devices. The company made a number of changes to try to prevent this kind of infection from happening again.

Users need to use “common sense” when installing apps and check the permissions that newly downloaded apps are requesting, Lookout said. The permissions should match the features the app provides. For example, one of the infected apps was supposed to simply display images in a gallery format and “was originally harmless,” according to Hypponen. The malware infected “Magic Photo Studio” version requested permission for full Internet access and be able to read phone state and identity.

Lookout recommends users install a mobile security app that scans every app being downloaded to ensure it is safe. Lookout, F-Secure and Webroot are just a handful of companies offering a mobile security app for Android users.