Mobile security vendor: DroidDream pulling Android into botnet army
Lookout first contacted me about this malware last week, and since then security news headlines have been ablaze with details about a tainted Android app market.
Here's the latest raw research from Lookout, sent to me by company spokesperson Cerena Hsieh:
Lookout has taken a closer look at DroidDream to further understand the malware’s intent. We found that DroidDream could be considered a powerful zombie agent that can install any applications silently and execute code with root privileges at will; it is the first piece of Android malware we’ve seen that uses an exploit to gain root permissions, thereby giving it a substantial amount of control over an infected device. Additionally, the malware is very aptly named: it was configured to only run in the evening (from 11 p.m. to 8 a.m.), a time when the owner of an infected device would most likely be sleeping and not notice any strange behaviors on the phone.
After analyzing the second phase of DroidDream, we’ve concluded that its purpose is to download additional applications and install them silently as system applications on the device. The first phase of the malware served to gain root access on the device while the second phase predominantly serves to maintain a connection to the server to download and install other files.
The second stage of the malware sends additional personal information to its command and control server:
- ProductID – Specific to the DroidDream variant
- Partner – Specific to the DroidDream variant
- Model & SDK value
- UserID (though this does not appear to be fully implemented)
Applications supplied by DroidDream’s command and control center can be silently downloaded to the infected device.
In the malware, there also appears to be a command dealing with ratings, comments, assetIDs and install states, all of which relate to the Android Market. Though these appear incomplete, it’s possible the author(s) intended to listen to Android Market downloads and possibly to trigger downloads and comments on downloaded applications.
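Two behaviours in the Lookout write-up above are usable as detection features on the defender's side: a second stage that phones home only during the 11 p.m. to 8 a.m. window, and check-ins that carry device identifiers (product ID, partner, model, SDK, user ID). The script below is an added illustration, not Lookout's or CSO's code; it runs a simple heuristic over constructed per-app connection records (the app names, timestamps and lower-case field labels are assumptions for the example, not DroidDream's actual wire format) and flags apps that meet both conditions at once, so that an ordinary alarm-clock app that is only active at night is not flagged on timing alone.

```python
from collections import defaultdict
from datetime import datetime, time

# Nightly activity window from the Lookout write-up: 11 p.m. to 8 a.m. local time.
NIGHT_START = time(23, 0)
NIGHT_END = time(8, 0)

# Device-identifier fields the write-up says the second stage reports to its C2.
# These lower-case labels are assumed for illustration; the real format is not given.
DEVICE_ID_FIELDS = {"productid", "partner", "model", "sdk", "userid"}

# Constructed sample records of per-app outbound connections (not real telemetry).
SAMPLE_RECORDS = [
    {"app": "com.example.weather", "ts": "2011-03-02T09:10:00", "fields": ["city"]},
    {"app": "com.example.weather", "ts": "2011-03-02T18:45:00", "fields": ["city"]},
    {"app": "com.example.wallpaper", "ts": "2011-03-02T23:30:00",
     "fields": ["productid", "partner", "model", "sdk"]},
    {"app": "com.example.wallpaper", "ts": "2011-03-03T02:05:00",
     "fields": ["productid", "partner", "model", "sdk"]},
    {"app": "com.example.wallpaper", "ts": "2011-03-03T07:40:00", "fields": ["model", "sdk"]},
    # Night-only traffic with no device identifiers: should NOT be flagged.
    {"app": "com.example.clock", "ts": "2011-03-03T00:15:00", "fields": ["alarm"]},
    {"app": "com.example.clock", "ts": "2011-03-03T06:30:00", "fields": ["alarm"]},
]


def in_night_window(ts, start=NIGHT_START, end=NIGHT_END):
    """True if the wall-clock time of ts (datetime or ISO string) falls in [start, end).
    Handles a window that wraps past midnight, as 23:00-08:00 does."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def flag_night_beacons(records, min_connections=2):
    """Return {app: reason} for apps whose every connection falls in the night window
    AND that transmit device-identifier fields. Either signal alone is too noisy;
    the combination mirrors the second-stage behaviour described in the report."""
    by_app = defaultdict(list)
    for r in records:
        by_app[r["app"]].append(r)

    findings = {}
    for app, conns in by_app.items():
        if len(conns) < min_connections:
            continue  # too little activity to judge a pattern
        all_night = all(in_night_window(c["ts"]) for c in conns)
        ids_sent = set()
        for c in conns:
            ids_sent.update(f.lower() for f in c["fields"] if f.lower() in DEVICE_ID_FIELDS)
        if all_night and ids_sent:
            findings[app] = (
                f"{len(conns)} connections, all between {NIGHT_START:%H:%M} and "
                f"{NIGHT_END:%H:%M}; device identifiers sent: {', '.join(sorted(ids_sent))}"
            )
    return findings


if __name__ == "__main__":
    for app, reason in flag_night_beacons(SAMPLE_RECORDS).items():
        print(app, "->", reason)
```

On real data the records would come from an on-device network monitor or a proxy log keyed by package name; the heuristic is deliberately conservative (every connection in the window, plus identifier fields) so it surfaces candidates for analyst review rather than producing an alert on timing alone.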
As everyone's attention shifts to smartphones, Android is emerging as the target of choice. Perhaps I oversimplify things, but where there's a surge in market share, there tends to be the most smoke and fire.
So when a company like Lookout suggests Androids are now the target of botnet herders, I tend to believe it.
Contributing writer Robert Lemos is digging into this issue more deeply, and we'll have more to report on this in the coming days.