Called DroidDream the malware gained root access to devices running Android 2.2.1 (Froyo) and older to access sensitive information such as a device’s unique identifying numbers–International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI)– as well as the device’s language, phone model and, in some cases, UserID.
If something has root access to your device, it means the software could potentially take control of the entire device and any data stored on it.
Mobile security firm Lookout isn’t sure what DroidDream was designed to do once it gained access to your phone, but the company said the possibilities were “limitless.” DroidDream had been discovered in third-party app stores before, but this was the first time it had popped up in the official Android Market.
With Google starting to remove the malware from infected devices and promising to beef up security for the Android Market, it appears the DroidDream threat will be limited. Nevertheless, if you’ve got an Android device and are worried you might be infected, here’s what you need to know.
Which applications were loaded with DroidDream?
The more than 50 malware-laden apps in the Android Market included software created by three developers: Kingmall2010, we20090202, and Myournet. Malicious titles included Super Guitar Solo, Hot Sexy Videos, Super Stopwatch & Timer, Bubble Shoot, and Quick Delete Contacts. You can find a complete list of infected apps on Lookout’s blog.
Have the malicious apps been removed from the Android Market?
Google said late Tuesday that all DroidDream-infected apps were removed from the Market.
I am infected. When can I expect Google to wipe the apps?
Google said anyone with an infected device could expect to hear from email@example.com by the evening of Tuesday, March 8. The search giant will also install a new security update on your device called “Android Market Security Tool March 2011.” The update will automatically undo the exploit.
Wait a second — Google can remotely wipe data from my device?
It’s not clear what the DroidDream attackers planned to do with the infected phones, but with root access the attackers could have downloaded more malicious software to your handset or attempted to pull more personal data from your device.
What exactly did DroidDream do?
DroidDream was embedded within more than 50 Android apps, and would gain root access to your Android device after you ran the app for the first time. It would then install a second application, which required special permission to uninstall. After that, an exploited phone could have more malicious apps installed on it and send more of your data to the DroidDream attackers.
Interestingly, DroidDream was designed to do most of its dirty work between 11 p.m. and 8 a.m. when most people would be sleeping and the phone was less likely to be in use. This made it harder for you to detect abnormal behavior with your device. For a complete breakdown of how DroidDream worked, check out this post on Lookout’s blog.
What is Google doing to secure the Android Market?
Google said it is adding “a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market.”
The company didn’t specify what those measures were. It’s not clear if Google intends to vet applications prior to the app’s introduction into the Android Market, similar to what Apple does for iPhone and iPad applications.