• United States



Mobile security vendor: DroidDream pulling Android into botnet army

Mar 07, 20113 mins
Data and Information Security

New research from Lookout Mobile Security suggests the DroidDream malware is designed to extend the botnet threat to mobile devices — Android, in this case.

Lookout first contacted me about this malware last week, and since then security news headlines have been ablaze with details about a tainted Android app market.

Sign up today.

Get your morning news fix with the daily Salted Hash e-newsletter!

Here’s the latest raw research from Lookout, sent to me by company spokesperson Cerena Hsieh:

Lookout has taken a closer look at DroidDream to further understand the malware’s intent. We found that DroidDream could be considered a powerful zombie agent that can install any applications silently and execute code with root privileges at will; it is the first piece of Android malware we’ve seen that uses an exploit to gain root permissions, thereby giving it a substantial amount of control over an infected device. Additionally, the malware is very aptly named – it was configured to only run in the evening (from 11 p.m. to 8 a.m.) — a time when the owner of an infected device would most likely be sleeping and not notice any strange behaviors on the phone.

After analyzing the second phase of DroidDream, we’ve concluded that its purpose is to download additional applications and install them silently as system applications on the device. The first phase of the malware served to gain root access on the device while the second phase predominantly serves to maintain a connection to the server to download and install other files.

Other findings:

-The second stage of the malware sends additional personal information to its command and control server:

-ProductID – Specific to the DroidDream variant

-Partner – Specific to the DroidDream variant



-Model & SDK value



-UserID (Though this does not appear to be fully implemented)

-Applications supplied by DroidDream’s command and control center can be silently downloaded to the infected device.

In the malware, there also appears to be a command dealing with ratings, comments, assetIDs and install states, all of which relate to the Android Market. Though these appear incomplete, it’s possible the author(s) intended to listen to Android Market downloads and possibly to trigger downloads and comments on downloaded view of latest business threats. We created it for you! Bookmark it! Use it!

CSO’s Daily Dashboard gives you a

As everyone’s attention shifts to smartphones, Android is emerging as the target of choice. Perhaps I oversimplify things, but where there’s a surge in market share, there tends to be the most smoke and fire.

So when a company like Lookout suggests Androids are now the target of botnet herders, I tend to believe it.

Contributing writer Robert Lemos is digging into this issue more deeply, and we’ll have more to report on this in the coming days.

–Bill Brenner