Posted: 02 Mar
Last Updated: March 6th, 2011

Update: Google has officially acknowledged DroidDream and is taking further steps to correct it. Details can be found here: Google Acknowledges DroidDream: Remotely Wiping Apps, Removing Exploit, Making Changes To Prevent It From Happening Again.

Wow - from our perspective, it's almost like the world exploded overnight. We have more information and details on the virus - which Lookout has named "DroidDream" (the word was consistently used in package names by the malware developers) - and some updates on where things stand.

First, we're absolutely amazed at how quickly Google reacted. As mentioned last night, our own Justin Case pinged a contact and the apps were pulled from the market within minutes. That's quite impressive, but then again, one of the developers whose app had been copied had been trying to get Goog on the job for just over a week. On the one hand, Google was quick to react to our hacker. On the other, they were slow to react to a developer, who should really be made the priority of the two. Either way, they pulled the app in question, and this is definitely one of those times that it's better late than never.

Google wasn't the only one on the ball: we were contacted late last night/early this morning by Symantec, Samsung, and Lookout. As the apps had already been pulled from the Market, they were looking to get their hands on the code - obviously, we obliged. Lookout has already updated their app to identify DroidDream and protect their users. However, the apps are now effectively nuked, and it's unlikely the hackers will attempt to reuse the same code, so the samples may be too late to ever be useful.

Now, on to some more details of the virus. We should point out that the vulnerability it uses was patched with Gingerbread, meaning any device running Android 2.3+ should be fine. In other words, if you're looking to play the blame game (which I'm not, but having read all the comments on the original post, many people are), then there's plenty to go around. The hole was fixed by Google, but that fix is of little practical use while so many phones still run an older, unprotected version of Android. It's noteworthy that some manufacturers released updates that patched the exploit for devices without updating them to Gingerbread; unfortunately, that minority appears to be quite a small one.

Perhaps most important is the question of what infected users can do about their situation, but it seems the answer is "not much of anything." Because the virus opens up a backdoor and can bring in new code at any time, the only way to really rid an infected device of any damage is to completely wipe it - not exactly the optimal solution, but it looks like the only one available, at least for now.

Finally, Justin notes that ROM developers working with pre-Gingerbread versions of Android can prevent the virus from backdooring in code by putting a dummy file at /system/bin/profile.

Update: XDA to the rescue. XDA Member Rodderik has come up with a ZIP file that does just what Justin suggested, and creates a dummy file at /system/bin/profile. For details and a download link, head on over here.
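As an added illustration of the workaround described above (this is not code from Android Police, from Justin Case, or from Rodderik's XDA ZIP): a small POSIX shell script that creates the dummy /system/bin/profile file on a ROM you already have a root shell on, and a check function that reports whether the file is in place. The first argument is a hypothetical tree root used for dry runs against a scratch directory on a desktop; on the device itself pass an empty string, in which case the script remounts /system read-write for the write and read-only afterwards. The `chown` fallback covers the two syntaxes seen on Android's toolbox and on GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original post: install and verify the dummy
# /system/bin/profile file that the post describes as a workaround for
# pre-Gingerbread ROMs. Assumes you already have a root shell on the device
# (for example `adb shell` on a ROM that ships su). The first argument is a
# hypothetical tree root for dry runs on a desktop; "" means the live device.

# Returns 0 when a regular file exists at <root>/system/bin/profile.
check_profile_guard() {
    [ -f "$1/system/bin/profile" ]
}

# Creates an empty, read-only, root-owned <root>/system/bin/profile.
# Exit status: 0 installed or already present, 2 something that is not a
# regular file occupies the path (left untouched), 3 a write failed.
install_profile_guard() {
    root="$1"
    dir="$root/system/bin"
    f="$dir/profile"

    if [ -e "$f" ] && [ ! -f "$f" ]; then
        echo "refusing: $f exists and is not a regular file" >&2
        return 2
    fi
    if check_profile_guard "$root"; then
        echo "already present: $f"
        return 0
    fi

    # /system is mounted read-only on a device; only touch mounts when live.
    if [ -z "$root" ]; then
        mount -o remount,rw /system || return 3
    fi
    mkdir -p "$dir" || return 3
    : > "$f" || return 3          # the empty placeholder file the post describes
    chmod 0444 "$f" || return 3
    if [ -z "$root" ]; then
        chown 0.0 "$f" 2>/dev/null || chown 0:0 "$f" 2>/dev/null
        mount -o remount,ro /system
    fi
    check_profile_guard "$root"
}

# Usage on the device (as root):   install_profile_guard ""
# Dry run on a desktop:            install_profile_guard /tmp/fake-rom
```

Run the dry-run form first to see what the script touches; on the device, run `check_profile_guard ""` afterwards to confirm the file survived the read-only remount.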

[Image Credit: MobileCrunch]

Aaron Gingrich
Aaron is a geek who has always had a passion for technology. When not working or writing, he can be found spending time with his family, playing a game, or watching a movie.

  • http://www.twitter.com/zorr0theone Zorr0theone

    WTF please don't use a logo similar to mine damned...now everyone thinks I am the asshole!!

    • Aaron Gingrich

      LOL Sorry, it's actually from MobileCrunch!

  • http://kenkinder.com/ Ken

    I had an epiphany this morning.

    Windows is known for its security shortcomings, but can you imagine how much worse the situation would be if Best Buy and Compaq were in charge of Windows Update?

    Well, that's the situation right now with Android. You get security updates when your OEM and your carrier *get around to it*.

    Fundamentally, Google has to do something about carriers and OEMs controlling updates. It's simply not working, and this malware exploit is a big freaking reminder of that.

    • David Ruddock

      You know.

      I sort of agree with this analogy. And this analogy frightens me. It's not *exactly* the same, but it certainly is close.

      • http://www.vasanth.in Vasanth Dharmaraj

        I agree Google should have a better upgrade process. Waiting for carriers sucks.

      • http://www.toysdiva.com PixelSlave

        Well, it's "exactly" the same, David. The sales channels (ex, Best Buy) are often the carriers, and the PC makers are the smartphone makers.

        The ONLY difference, is that the sales channels are also the internet service provider -- so, imagine a world where Windows update has to go through your ISP (yea, Comcast, Time Warner, etc.)

        AndroidPolice had a 4-part series about the state of Android not long ago, and the 1st part of the series generated a heated debate of the update problem. Google needs to listen to us -- or at least signal that they are LISTENING. The thing is, Google can totally handle it. Apple can do it to the iPhone, Microsoft can do it to the Windows 7 Phone, HP can do it to the Palm ... Google is the ONLY smartphone OS maker that refuses to take on the responsibility to patch security holes on its own.

        Look, I am not going to bring the OEM. Or, put it this way, I never have any high expectation on their end. But I expect Google to do better than that. If they can beat the iPhone in terms of market share (which seemed almost impossible back then), they can certainly do something about it.

        • http://kenkinder.com/ Ken

          Google will point out that Android is an Open Source operating system and they can't stop carriers and OEM's from doing what they want.

          But what they never mention is that they do have control over "with Google" phones -- phones with Maps, Android Market, etc. And while there are a handful of requirements for the "with Google" label, having timely updates is not one of them. Google could exert some leverage with their branding.

          The related problem is that if Google were to push updates themselves, they would have to manage all the hardware discrepancies. While Windows is designed to ship with every driver you'll never need, Android ships only with drivers necessary for your phone.

          If Google started taking control of the software update process like they should have from the beginning, they'd have to deal with all the driver differences between devices. As any Cyanogenmod developer will tell you, that's a tall order.

        • http://www.toysdiva.com PixelSlave

          I agree with you, Ken. It's not an easy task. But they have the responsibility to take care of that. Just saying Android is Open Source is not enough because they are clearly intended to benefit from the growth of the platform.

          There are 50000 downloads this time. What will this be next time? As the Android platform grows bigger and bigger, even a 1-day exploit will affect a lot of users.

          And when it comes to dealing with the driver differences: yes, it's not easy. But if a not-for-profit group of developers can manage to support SO MANY devices already, there's no excuse for Google not to support more devices than TWO.

        • Milind

          Ken, it's really not that difficult. Google needs to keep a driver repository and every phone manufacturer should only be allowed to use the Google Market if all the drivers for their phones are in the repository. No manufacturer can take longer than a certain time (a week?) to update the repository with drivers for the latest OS. I'm assuming here that drivers don't change extensively over versions. If true, then, anyone can just install the new OS. Google can ensure that the correct set of drivers are installed along with the OS.

          Google really needs to fix this. If they do this and nothing else for the next release, it will be better than adding umpteen features.

    • Brian

      "Fundamentally, Google has to do something about carriers and OEMs controlling updates."

      Yes. The problem is that the carriers have a stranglehold on the market, as Google learned with the Nexus One experiment. They're not going to give up their ability to deliberately cripple phones and charge to slightly uncripple them without a fight.

  • mrw

    Here we are in another bad situation for consumers that results from not having a truly competitive market in the mobile phone space. As consumers we can't readily take our phone and our business to another provider because of the barriers of incompatible radio technologies/frequencies and long-term contracts with steep opt out provisions. The carriers know this and thus have no real incentive to provide timely security updates even if Google makes them available. How much longer are we going to tolerate this?

    • http://kenkinder.com/ Ken

      Well, you can always buy a Nexus S or Nexus One. But yeah.

      • mrw

        Yeah, I use the N1, so I'm already protected from this little escapade. But it took more than two months for Google to get the protective update out. Also, aside from the update problem, in the USA I get 3G data on either ATT (in my case) or T-Mobile, but not both and no voice or data on Verizon or Sprint. So I effectively have a "choice" of one and one-half providers. In any other situation that would be considered non-competitive and there would be significant regulatory oversight. I'd prefer a competitive market over a regulated utility, but having neither is inexcusable.

      • Sackboy

        Nexus One from Germany here. Still on 2.2.1 because outside the U.S. and U.K. the carriers are updating even the Nexus One. For example in Europe it's mostly done by Vodafone and they are giving a damn about a one year old Nexus One. Enjoy your malware with the pure Google experience.

      • vernon

        Some countries do not get the Nexus series from Google... one of those countries is South Africa. I am gonna hold on to my original Desire till Google brings the Desire... My point is, we are forced to buy OEM-dirtied Android OS. HTC is great but they are still slow to update their devices...

  • Tat3rt0T

    Do we know if this buried itself in the recovery?

  • http://www.toysdiva.com PixelSlave

    >> Because the virus opens up a backdoor and can bring in new code at any time, the only way to really rid an infected device of any damage is to completely wipe the device

    Since the malware roots the phone, maybe one can use Titanium to back up all the data, then flash to a trusted ROM and restore. It's not ideal, but it's better than wiping w/o backup.

    • Rotmann

      What if you back up and restore the malware too? :D

      • http://www.toysdiva.com PixelSlave

        Well, of course, you can't do a batch restore. Just restore the clean app one by one.

        • Eggcake

          That's not an option as you have no idea what the trojan actually did.

        • http://www.toysdiva.com PixelSlave

          I am not saying it's 100% safe. But restoring just the data should be ok, especially if you just restore the data selectively. Sure, the app might inject something into the data that could exploit other holes in the system even if you install a completely fresh system -- but if one doesn't want to wipe clean and start from scratch, this is probably the only way.

    • chris

      Just as a point of interest to me, how does the malware root the device? I have a desire HD on 1.72 and I can't find out how to root it. How does the malware manage to root so many phones, that seem to have loads of different methods of gaining root access?

  • Rob

    Where can I find which apps are infected?

    • http://www.AndroidPolice.com Artem Russakovskii

      The original post has the names.

  • weincube

    I have no tech skills, and don't know what half of this stuff means. I don't know if I've been infected, or what to do besides wipe my phone clean and start over. Is there anything you could recommend? Change banking passwords, things of that nature? Specific steps to follow, that a child could understand? Thank you.

  • Chaitanya

    We have done some work on Android. Here's a demonstration of a Trojan on Android: http://www.youtube.com/watch?v=PovAQN7yhhk
    The app steals user data and location, and sends it to an attacker server. The movement of the attacked user can be plotted on a map in near real-time.

    This might not be directly related, but it was fun to code this.. :)

  • bruno411

    Is there a link where someone explains how to tell if your Android phone is infected? I downloaded "Basketball Shot", but I deleted it...don't know when, there is no record in my application list. Can I tell after the fact?

  • Karuza

    I'm in a similar situation. I had downloaded Photo Editor Monday night but removed it earlier today, didn't check the developer name on it (I have a feeling it was myournet, though). I installed Lookout but is there anything else I need to do other than the blank profile file?

    • http://www.toysdiva.com PixelSlave

      Karuza, I can't promise it's 100% safe. And, please check out Eggcake's comment above regarding my suggestion.

      You may try installing Titanium Backup. Then back up your data -- DATA ONLY, and preferably, only the data that you absolutely must retain.

      Then wipe your phone clean and install a clean third party ROM, or revert your phone back to the factory ROM, then root it.

      After that, re-download Titanium Backup and restore your data.

      Again, it is not 100% safe. The app might do a lot of things that no one has found out yet (ex, it might anticipate the usage of Titanium Backup, hijack the backup process and inject some malicious code into your data backup.)

  • http://androidtablets.net xaueious

    Can Justin key us in on more information about this patch?

    What does it do? Does it prevent future exploits?

    The XDA post linked is an update.zip for the Epic. I repacked an update.zip for all devices. But I'm not convinced about what this actually does.

    • unhappybirthday

      Unfortunately, it looks like you may need to have root access to your device to perform the workaround fix. Like it or not, the Android-based phones are being marketed and sold to many more non-technical customers than to *nix coders. Root access is not a good place for most people to go.

      • http://www.toysdiva.com PixelSlave

        But didn't that malware monster actually root the phone?

        • Chris66

          It got root access via an Android security hole but it did not "root" the phone.

          Maybe it would be possible to create an apk that uses this security hole to install the patch.

  • Cunque

    I have a Dell Streak. Not rooted. After I wiped it, my Google account is syncing automatically and re-installing the apps. Is this safe? Should I stop sync?

    • http://www.toysdiva.com PixelSlave

      When you said you wiped it, exactly how did you do it? Generally speaking, if you wiped the entire phone clean, you should be safe because none of the original stuff in your phone is preserved. Since Google already removed the malware, re-syncing and re-installation of the apps won't cause any harm.

      But if you only wiped the cache, or just the data, the damage done by the malware might still be present.

  • TheDivina

    I actually had my phone hacked as well (Advanced Barcode Scanner). The attacker did manage to steal my data because they were able to sign into my Gmail account (the one linked to my phone) and send spam emails to all of my contacts. The IP address was listed as Mexico, but it was probably just a proxy. I didn't see such activity on my linked Facebook account. Within 5 min of the attack I changed all of my passwords and have not reconnected my phone to them since the root code is probably still there; I also have not seen further activity on my Gmail. Since the other crucial phone info was probably captured I fear that it could be cloned and used for who knows what.

    • http://www.toysdiva.com PixelSlave

      Sorry to hear that. I don't know what to say to you, but maybe if you learn that tens of thousands of iTunes accounts are actively being auctioned off on Chinese auction sites daily for tiny amounts of money and there is still no widespread media coverage in the US, that could make you feel better?

  • yen

    For Google, selling ads is where they make the money. The Android OS and devices are just a vehicle for Google and its ecosystem to expand the mobile ads business. I'm not sure Google wants to take on the role of Apple or MS. They certainly can do better, but only time will tell.

  • Steve

    Oooh, Android Police have made the BBC News!

    http://www.bbc.co.uk/news/technology-12633923

    Although they're calling it a "Mobile security site" :)

  • monty

    So how can any app be trusted now? The trust of the google market is gone now.

    No one has mentioned catching anyone responsible so I take it anyone can upload apps to the market completely anonymously??? If not what are google doing to catch the cu*ts responsible?

  • Jay

    Can't you just run a root check application to see if your phone has been rooted?

    • Aaron Gingrich

      Theoretically that should work. I don't see why it wouldn't, but I'm not a dev so I can't say for certain.

  • xai

    By "completely wiping it" did you mean by... something like a factory data reset, erasing all data on the phone and memory card? Will my phone be safe after doing so??!

    • Aaron Gingrich

      That's the idea, yes.

  • Fin

    I have downloaded Spider Man (it is still listed as a downloaded App in my settings) - but not listed under My Apps in the Market Place. My phone is currently switched off.

    1. Can I ask if there is a way to check if I have been infected with DroidDream? - e.g. can I search my phone for the filename that has been mentioned on some blogs?

    2. Does anyone know if there was both a 'safe' version and a 'malicious' version of Spider Man, if so, is there a way of checking which version I have?

    3. All my contacts are all on Google, i.e. not on Sim or phone. Factory resetting won't be a complete nightmare, except: is there any way to save photos/videos? This may be a silly question, but if I were to put my SD card into my desktop card reader, would I risk infecting my desktop, which is protected by AntiVirus?

    I have changed my Gmail password using my desktop computer. I don't use that password for anything else. I will check on Gmail site if there is any way of checking what IP addresses have been used to access my Gmail account recently - unless anyone here can point me in the correct direction to check...

    I don't even know if it is safe to switch on my phone to phone my mobile operator!

  • http://www.toysdiva.com PixelSlave

    >> is there any way to save photos/videos? This may be a silly question, but if I were to put my SD card into my desktop card reader, would I risk infecting my desktop, which is protected by AntiVirus?

    Never say never, but the chance you would infect your desktop is next to zero.

  • Chris66

    Hi,
    how long have the mentioned 50 malware apps been in the Market? One week or so?

    Is it possible to use 'aLogCat' to check my phone for malicious behavior?

    Chris (HTC Hero A2.1)

  • Fin

    I have the Spider Man App installed (one of those listed as being malicious).

    I have run a "Lookout" Scan and it says that No malware or spyware apps found.

    I don't understand ... please can someone please let me know whether or not I am infected?

  • Chris66

    Hi,
    Google is remotely deleting the infected apps and announced it will provide a patch.
    http://goo.gl/uqs8L
