Last Updated on May 31, 2011

There is a new nightmare on the Android Market, and again many Android devices are not going to have a good awakening.

The last security advice for the Google Mobile OS comes from Lookout, which has discovered a new variant of the infamous DroidDream, the first malware conveyed by the Official Android Market capable of infecting at the beginning  of March, according to Symantec, between 50.000 and 200.000 devices.

This time the brand new version, dubbed DroidDreamLight, was found in 26 repackaged applications from 5 different developers distributed in the Android Market. According to Lookout DroidDreamLight is no less than is “noble” predecessor, since was able to affect between 30.000 and 120.000 users.

According to Lookout, the malicious components of DroidDream Light are invoked on receipt of an android.intent.action.PHONE_STATE intent (e.g. an incoming voice call). As a consequence DroidDream Light does not depend on manual launch of the installed application to trigger its behavior.  The broadcast receiver immediately launches the <package>.lightdd.CoreService which contacts remote servers and supplies the IMEI, IMSI, Model, SDK Version and information about installed packages. It appears that the DDLight is also capable of downloading and prompting installation of new packages, though unlike its predecessors it is not capable of doing so without user intervention.

The list of the infected applications (already removed from Google) is available at the original link. I must confess I could not help noticing the rich amount of “hot” applications, which confirm (unfortunately) to be a lethal weapon for carrying malware.

This event will raise again the concerns about the security policies on the Android Market, and about the apparently unstoppable evolution of the mobile threat landscape which has brought for the Android a brand new malware capable of sending data to a remote server. A further step closer to a mobile botnet even if, at least for this time, with limited capabilities of auto-installing packages,.

I will have to update my presentation, meanwhile do not forget to follow the guidelines for a correct mobile behavior:

• Avoid “promiscuous” behaviours (perform rooting, sideloading or jaibreaking with caution, most of all in case of a device used for professional purpose);
• Do not accept virtual candies from unkown virtual individuals, i.e. only install applications from trusted sources, always check the origin and their permissions during installation;
• Beware of unusual behavior of the phone (DroidDream owes its name to the fact that he used to perform most of its malicious action from 11 P.M to 8 A.M.);
• Beware of risks hidden behind social Network (see my post of yesterday on mobile phishing);
• Use security software;
• Keep the device updated.

Related articles

• DroidDreamLight malware hits dozens of Android apps (venturebeat.com)
• Malicious apps removed from Android Market (news.cnet.com)
• Malicious apps removed from Android Market (news.cnet.com)
• Lookout Teams Pegs 25 Android Market Apps Infected With DroidDreamLight Malware (androidpolice.com)
• 30,000 to 120,000 Android Users Affected by New Variant of Droid Dream Malware (readwriteweb.com)
• New Android malware spotted: DroidDream Light (intomobile.com)