DroidDream authors again pollute Android Market

Almost three dozen applications sporting a stripped down version of DroidDream have been identified in the Android Market.

More than 30,000 Android users have inadvertently downloaded and installed a malicious program written by the same group that created DroidDream, according to mobile-security software maker Lookout.

At least 34 pirated applications posted to Google's Android Market under six different names included a stripped down version of the DroidDream malware that infected more than a quarter million phones in March, the company says. The firm first identified the malware after being notified by a developer whose application had been pirated and turned into a Trojan horse for delivering the latest version of the malicious code.

"These apps contained malware that is substantially similar to DroidDream but have a little less functionality in that it didn't root devices," says Kevin Mahaffey, chief technology officer for Lookout. "Given the evidence that it is the same code in all of these apps, it would be nearly impossible for different people to independently create all of these things."

In March, Google pulled more than 50 Trojan applications from the Android Market after Lookout found them all to be infected with DroidDream, a malicious program that attempted to gain privilege access on the host device. If it gained root access, DroidDream would send phone-specific information -- such as the hardware, software and service identifiers -- to a command-and-control server, after which the infected phone could download additional functionality.

The more recent program, dubbed DroidDream Lite (DDLite) by Lookout, also sends identification information -- such as the software and service IDs as well as a full list of applications on the vicitm's device -- to a command-and-control server. Yet, while it has functions to download and update the software, the code cannot install the update without user intervention, the company says.

While the command-and-control server was still online Tuesday, the hubs typically get taken down very quickly after the attacks are outed, says Mahaffey.

Google has removed the applications from the Android Market pending an investigation into the functionality. It has not yet remotely removed the programs from affected devices, Mahaffey says.

"Some people ask, 'Why haven't they pulled them from devices?'" he says. "It's good that Google is preventing anyone from downloading the applications, but they wield their remote removal tool very carefully."

The outbreak affected less than half of the users infected with the original DroidDream, according to Lookout's numbers. People who have installed an application hosting DDLite on their phone can uninstall it with no side effects, Mahaffey says.

Copyright © 2011 IDG Communications, Inc.

Subscribe today! Get the best in cybersecurity, delivered to your inbox.