DroidDream autopsy: anatomy of an Android malware attack

The Android world is still reeling from the DroidDream invasion of the Android Market

The Android world is still reeling from the DroidDream invasion of the Android Market. Google has flipped the kill switch to wipe out apps associated with DroidDream, but the work of investigating how this Android Trojan infiltrated Google, and how to prevent similar attacks in the future is just beginning.

Lookout--a mobile security company with tools to protect Android smartphones--has been diligently exploring the DroidDream apps to figure out what makes this malware tick. First and foremost, DroidDream is a Trojan attack that is hidden within seemingly legitimate apps. What makes it more insidious than other Android Trojans is that DroidDream managed to weasel its way into the actual Android Market. Let's break down what else we know about this threat:

• The malware is aptly named because it is designed to only run while the Android smartphone owner is sleeping--ostensibly dreaming peacefully. DroidDream is configured to do its dirty work between 11pm and 8am.

• DroidDream relies on two known exploits--exploid and rageagainstthecage--to break out of the Android security sandbox. Ironically--both of the targeted vulnerabilities were patched in Android 2.3 "Gingerbread". In this case, Android's fragmentation proved to be an Achilles heel because--although Gingerbread has been available for a couple months--less than one percent of all Android smartphones have received the update. Android users are at the mercy of individual smartphone vendors to deploy the Android OS update for their specific smartphone model.

• Once the Android smartphone is rooted, DroidDream searches for a specific package named "com.android.providers.downloadsmanager". If the package is not found, DroidDream silently installs a second malicious app without the user's knowledge. Other malicious apps can be installed in stealth from the DroidDream command and control servers.

• DroidDream sends a variety of information from the smartphone to the remote command and control center, including: IMEI, IMSI, device model, SDK version, language, country, and user ID.

Lookout has found that DroidDream is a powerful zombie agent that can silently install any applications and execute code with root privileges at will. According to Lookout, DroidDream is also the first piece of Android malware that uses an exploit to gain root permissions and assume virtually limitless control of the infected smartphone.

The elephant in the room, though, is the fact that DroidDream exploits vulnerabilities that have already been identified and patched, but that 99 percent of Android users are still exposed because their smartphone has not yet been graced with the update to Gingerbread.

Join the CSO newsletter!

Error: Please check your email address.

Tags online securityspamantispamtrojan horsesvirusesPhonesAndroidphishingmalwareconsumer electronicsGooglesecurity

More about GoogleIMSIMSI

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tony Bradley

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place