New details have emerged regarding the purpose behind the DroidDream malware that was found in over 50 applications in the Android Market last week. After a brief investigation, Google opted to use its “remote kill switch” this weekend to wipe the vicious apps off end users’ mobile phones. Google also promised that going forward, it was “adding a number of measures to help prevent malicious applications using similar exploits from being distributed through the Android Market” in the future.
But how dangerous was DroidDream, after all? What was it up to? And was it able to inflect any real damage to end users’ devices before it was removed?
According to Lookout, a security firm which makes an anti-malware application for Android phones, DroidDream was the first piece of malware to use an exploit that gave it root permissions over the device. In layman’s terms, that means that the malware had complete administrative control over the phone. Or in iPhone terms, it would be like you downloaded an app that jailbroke your phone without your knowledge.
Evil Androids Wake at Night, Do Server’s Bidding
But what was the malware’s purpose? This appears to still be somewhat of a mystery. Much of the code appeared to be incomplete – a work in progress where some of its most dangerous aspects were still yet to be implemented. Instead, the malware was configured to run overnight – from the hours of 11 PM to 8 AM – when the phone’s owner was probably sleeping and wouldn’t notice strange behaviors on the phone, says Lookout. During this time, the malware author(s) could send down new code and new instructions and ask the phone to do their bidding.
Upon installation, DroidDream would initially root the phone, as mentioned above, and install a second app that prevented its removal. It then sent select information about the phone to a remote server, the “command and control server,” which tells the malware what actions to perform.
The details it collected, while disturbing of course, were not really that bad in the grand scheme of things. It did not attempt to determine a user’s password, phone number or sensitive financial information, it appears. It didn’t steal your files or photos. It didn’t login into your Gmail account and send out spam (well…yet). Lookout says that DroidDream gathered only the following info: ProductID, Partner, IMSI, IMEI, Model and SDK value, language, country and UserID. This is “device-specific” information, explains Google. Not personal info.
What’s really interesting is that DroidDream had a commands section that dealt with details relating to the Android Market: ratings, comments, assetIDs and install states, specifically. Although incomplete, Lookout says it’s possible the author(s) intended to listen to Android Market downloads and possibly to trigger downloads and comments on downloaded applications.
Those instructions could have been there to boost the ratings of its own malware-infected apps on the Market and to leave comments that would give them an air of legitimacy. That, in turn, would have encouraged more downloads of the apps in question.
Mobile Botnet Creation was DroidDream’s End Goal
But at the end of the day, DroidDream’s goal was not identity theft – although that could have come later – it was to set up a system for downloading and installing additional applications on the end users’ phone without their knowledge. DroidDream was laying the groundwork for a comprehensive system of remotely-controlled Android phones. A mobile botnet.
Zombie Androids.
DroidDream would have created a mobile botnet similar to those we have today in the PC world. There, infected, virus-laden Windows PCs are now controlled by remote servers for purposes that include everything from sending spam emails to launching distributed denial of service attacks on remote targets. For example, the attacks the online group Anonymous launched towards businesses and organizations severing ties with Wikileaks were botnet-driven. A botnet’s creator (the bot herder) can rent out his zombie machines to others for financial gain. It can be a lucrative business, in fact. It’s not surprising that someone would attempt to build a botnet using mobile phones, given their growing market share and capabilities. This won’t be the last time we see such malware, either, we can guarantee. This is only the beginning.
What’s Google Doing?
When asked what, specifically, Google was doing to make good on its promise to make sure threats like this are kept out of the Market in the future, a company spokesperson would not go on record to provide details.
However, people with knowledge of Google’s plans say that the company will not take the dramatic step of pre-screening applications for security issues prior to their inclusion in the official Android Market. There will be no “curation” of apps, a la Apple. The Android Market will continue to be the open app store it is today, where Google only steps in after issues occur, not prior.
These plans seem to fit with what Google says it’s working on: closing security holes (aka “working with our partners to provide the fix for the underlying security issues.”) But Google can’t lock down Android completely, nor does it want to. That leaves room for more mobile malware creations to make their way to users’ phones in the future. For end users, it means the burden is on them to be vigilant with app installations and security. And for Android developers, the challenge will not only be getting their app discovered from a group of hundreds of thousands of others, but establishing an app is safe and trustworthy, too.
