
DroidDream Android malware contains hidden payload

by Iain Thomson

04 Mar 2011


A closer analysis of the DroidDream malware found embedded in applications on the Android Market shows a second payload that may cause further security problems.

Kevin Mahaffey, chief technical officer at Lookout, told V3.co.uk that the DroidDream software searches for a specific package named com.android.providers.downloadsmanager.

If this is not present, it installs a second piece of code. Analysis of this second payload is continuing, but could be the underpinnings to create a botnet.

"We're still analysing the application, so I'll draw a line between what we know for sure. So far this code has used an exploit to root the phone and break out of the security sandbox," said Mahaffey.

The initial attack came via two known flaws in the Android operating system, exploid and rageagainstthecage, which have been patched in version 2.3. Initially it sends the IMEI, IMSI, device model and SDK version to a remote command and control server.

The malware was initially spread by three software developers on the Android Market who inserted it into 55 basic applications in a variety of languages. They then submitted applications, inserted the malware and recertified the package for distribution.

The case shows the problems and benefits of an open system from a security standpoint. Android Market's open nature is in contrast to companies like Apple and Amazon, which certify applications and decide what to allow.

However, malware has also made it onto Apple's App Store, and Android's open approach meant the malware was detected quickly.

"A community-enforced model, in this case, was a silver lining," Mahaffey said. "This all came to light because one developer put his hand up and said: 'I found something' because he had the tools to do so."
