Bad Dream: Android apps Trojanized again

Three months ago, DroidDream Android malware spread via more than 50 legitimate apps. Just three weeks ago, around 30 more Android apps were Trojanized with DroidDreamLight malware. Both notable due to the number of apps Trojanized prior to detection, they are proof that cybercriminals are intensifying efforts to spread malware on this now popular platform. Downloaded from the Android Market as well as from third-party app stores, they also prove that buying from official app stores no longer avoids malware.

Same malware, different version?

DroidDream and DroidDreamLight infect Android mobile devices through Trojanized legitimate apps that steal user or device information. Unlike DroidDreamLight, DroidDream has ‘rooting’ capabilities, which means it provides root access and gives other users unrestricted permissions. Once triggered, it can install more undetectable malware into infected devices.

DroidDreamLight operates by collecting specific information from the infected device, such as device model, language, country, International Mobile Equipment Identity (IMEI) number, International Mobile Subscriber Identity (IMSI) number, software development kit (SDK) version, and list of installed apps. Upon execution, it accesses several URLs (now inaccessible) to upload the stolen data.

Even though DroidDreamLight does not have rooting capabilities, it bears a lot of behavioral similarities with DroidDream. As such, they are perceived by some as two versions of the same malware.

Official app stores compromised

Where previously detected Trojanized Android apps spread via third-party app stores only, apps Trojanized with DroidDream and DroidDreamLight malware were also found in the Android Market. Thus disproving the notion that buying apps from official app stores can keep mobile devices malware free.

Trend Micro threats analyst Mark Balanza adds, “Because of the Android Market’s open nature, Android users are likely to encounter several Android malware posing as legitimate apps.”

Easily triggered – hard to spot

DroidDreamLight’s execution can be triggered by several things, such as receiving a voice call. When triggered, it initiates a malicious service called CoreService, which allows it to access a malicious server and upload stolen information. This service is, however, not instantly visible to affected users. Potentially more worrying is that there is actually no way of knowing if an app has been Trojanized until it is run. As such, anyone who wishes to download apps can be a likely victim.

Check your device and take precautions

To check if this malicious service is running on your device, go to Settings > Applications > Running Services.

Precautionary steps users can take include obtaining security software that can detect the malware prior to download if the download is done via a PC. Products in the Trend Micro™ Titanium™ suite detect the malware as ANDROIDOS_DORDRAE.L. A mobile security suite like Trend Micro™ Mobile Security for Android™ can also detect and delete DroidDreamLight malware from infected devices.

Users can also opt to manually remove the malware from their infected devices by uninstalling the Trojanized apps these came with. To do so, follow these steps:

1.Go to Settings > Applications > Manage Applications.
2.Find the application in question.
3.Uninstall the application. Doing this automatically deletes CoreService as well from the list of running services.


About SCB Enterprises
System Solutions and Integration

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: