How to protect your Optimus from DroidDream Malware

Bigtuna00

EDITED for clarity and to remove endorsement of the Lookout app.

Note: If you are running a custom ROM, go here: http://forum.androidcentral.com/opt...48-patch-malware-block-3-6-11-froyo-only.html

Problem:

There is an exploitable back door in Froyo versions 2.2.1 and older. Malware that uses this exploit has been referred to as the "DroidDream" trojan. The LG Optimus V is currently on 2.2.1, so it is vulnerable.

Background:

An Update on Android Market Security - Official Google Mobile Blog

The Mother Of All Android Malware Has Arrived: Stolen Apps Released To The Market That Root Your Phone, Steal Your Data, And Open Backdoor - Android Police

[Updated] Google Acknowledges DroidDream: Remotely Wiping Apps, Removing Exploit, Making Changes To Prevent It From Happening Again - Android Police

Solution:

There are several apps in the Android Market that can remove these Trojans and undo the damage they cause. Simply search the Market for "droiddream" and you will find several options, including one directly from Google called the "Market Security Update".

WARNING: none of these apps permanently fix the exploit; they only remove the Trojans. The only permanent fix is to move to Android 2.2.2 or newer.

Mods: until such time as Virgin releases a patch for this, you may want to sticky this thread...
 

Bigtuna00

So how do I know that these programs and patches are not, themselves, just clever ruses to get people to install infected items onto their device?

You don't, unless you have access to the source code.

How do you know Android OS is not a clever ruse to collect your personal information for Google's benefit? :)

But seriously:

First, when you install an app from the Market you can see what permissions it needs.

Second, Lookout is a reputable company.

Third, I'm not vouching for the custom ROM patch, but if you're rooted and running a custom ROM you've already taken the responsibility.
 

digitaljeannie

What makes that DroidDream Cleaner app a little fishy to me is that it's made by "Lookout Labs"; however, Lookout, the security app, is made by "Lookout Inc". Why the two different names if they're made by the same company?

Perhaps why I've never encountered any of these malware apps as of yet is because I am so very paranoid about what I download and from where and from who.
 

Eollie

I tend to agree with dj; also, Google knows what devices were infected and sent out emails. They remotely removed the apps and installed the fix listed in another thread.

I have sent an email to Lookout asking about the app.
Personally I would wait and see what they say.
 

digitaljeannie

They remotely removed the apps and installed the fix listed in another thread.

I am not certain where exactly that patch originated and it didn't come from Google so I won't be installing it. There is an app in the market from Google which fixes the exploit but it cautions that it will be pushed only to those devices that need it and we need not download it ourselves.

Why would I risk creating other issues unknown by installing a "fix" to a problem I haven't developed?
 

Eollie

I am not certain where exactly that patch originated and it didn't come from Google so I won't be installing it. There is an app in the market from Google which fixes the exploit but it cautions that it will be pushed only to those devices that need it and we need not download it ourselves.

Why would I risk creating other issues unknown by installing a "fix" to a problem I haven't developed?
As I didn't research that specific .apk, I do have this to say about it.
It matches the patch sent out to various people I know that have 2.2.1 and had the misfortune of downloading one of the malicious apps.

As I'm using 2.3 I have no need to download this at all. I just shared your opinion in that the creators had different names. That is how the exploit got sent out to begin with: kanging apps and renaming them with the added exploits.
 

Bigtuna00

I tend to agree with dj; also, Google knows what devices were infected and sent out emails. They remotely removed the apps and installed the fix listed in another thread.

I wasn't aware that Google pushed the fix, I should read my own citations :)

However it sounds like this was a one-time thing and, if you got skipped or happened to install an app with the exploit after the fact you'd still be infected. Do you have any information that indicates Google is still actively checking phones? I.e. the first comment on the Google blog pretty much summarizes my concern:

For devices vulnerable but unaffected currently you list no resolution.

If Google actually is managing this it seems the Lookout app is completely necessary.
 

Eollie

As far as I know they have been monitoring apps uploaded by "devs" that are extremely new. They never said what they consider extremely new tho lol.

The original rollout was over a week's time. And if you were affected they remotely removed the apps and sent you an email letting you know.

The Lookout app is still useful in case some of these apps turn up on various sites and people install them thinking they are something else. Personally I'm using an app called privacy defender and it modifies the app with bogus info regarding things like MEID and phone number. It also changes some other info that you can specify.

In response to the comment: they removed the apps and pushed a fix, and notified people that were affected. If you were not affected there was/is no reason to worry about fixing something that is not broke. However, like I said, it wouldn't surprise me if some of these apps are still floating about on the net. With so many people using hacked apps because they are too cheap to buy them, it would be beneficial to run either this app or the one listed in the other thread.
 

Bigtuna00

In response to the comment: they removed the apps and pushed a fix, and notified people that were affected. If you were not affected there was/is no reason to worry about fixing something that is not broke. However, like I said, it wouldn't surprise me if some of these apps are still floating about on the net. With so many people using hacked apps because they are too cheap to buy them, it would be beneficial to run either this app or the one listed in the other thread.

That's pretty much the point of the comment (and my question) :) So we are in agreement, it looks like the Lookout app (or something similar) is still necessary.
 

Bigtuna00

I'm confused; how do you address the issue without something like the Lookout app?

Edit: or are you just arguing the semantics of the word "necessary"? Sure you don't NEED to remove viruses but that's just being silly...

Edit2: let me clarify what I mean:

  • Right now, today, this back door still exists in 2.2.1.
  • 2.2.2 and newer are not affected.
  • You can't get the Trojan apps from the Market anymore (we assume) but you can certainly side-load them (Amazon App Store anyone?).
  • Assumption: if you side-load them Google won't detect it and, therefore, won't fix it.
  • None of these apps permanently fix the back door. They only remove the Trojans and back out the changes made. If you install another Trojan, it will happen again. The only permanent fix is an OS update.
  • Therefore something like the Lookout App (or the Google Market Security Update app, or whichever app you like) is *necessary* in order to fix the problem until such time as we get an OS update to 2.2.2 or newer.

Make sense?
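
The version cut-off listed in the post above (2.2.1 and older exposed, 2.2.2 and newer not affected), as an added shell example that is not part of the original thread: it classifies reported release strings using a numeric, not alphabetical, comparison. The function names, device names and inventory are constructed for illustration; the check reads only the release string and cannot see vendor backports.

```shell
#!/bin/sh
# Added example: flag Android releases older than 2.2.2, the first release
# the thread says is not affected. Names and sample data are constructed.

FIXED_RELEASE="2.2.2"   # from the thread: "2.2.2 and newer are not affected"

# ver_lt A B: succeed if dotted version A is numerically lower than B.
# Missing components count as 0, so "2.2" is compared as "2.2.0".
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # versions are equal
}

# classify RELEASE: print "exposed", "not-affected" or "unknown".
# Anything that is not plain digits and dots is reported as unknown
# rather than guessed at.
classify() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return ;;
    esac
    if ver_lt "$1" "$FIXED_RELEASE"; then echo exposed; else echo not-affected; fi
}

# triage: read "serial release" lines on stdin, print "serial release verdict".
# adb output often ends in a carriage return, so it is stripped first.
triage() {
    while read -r serial release; do
        [ -n "$serial" ] || continue
        release=$(printf '%s' "$release" | tr -d '\r')
        printf '%s %s %s\n' "$serial" "${release:-?}" "$(classify "$release")"
    done
}

# Constructed inventory. On a live device the release string comes from:
#   adb -s SERIAL shell getprop ro.build.version.release
# "2.10" is not a real release; it shows why the comparison must be numeric.
SAMPLE='optimus-v-01 2.2.1
optimus-v-02 2.2.2
old-froyo-01 2.2
newer-01 2.3
made-up-01 2.10
no-answer-01 '
printf '%s\n' "$SAMPLE" | triage
```
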
 

JerryScript

So long as the Android Market doesn't vet apps before offering them, this exploit is a danger to anyone running <=2.2.1, as apps with similar code can still be posted to the market without being vetted.

The Amazon App Store is actually a bit safer, since they don't offer apps they haven't vetted themselves.
 

Eollie

Again, it's not necessary.
If you are using any type of AV on your phone, they all have been updated to catch the exploit while scanning.

Lookout caught another 25 apps after the fact just by adding in a quick update within 24 hours of the DroidDream being outed. Also, it was a third-party dev that caught it. NONE of the AVs for our phone caught it until it was posted on Android Police.

What this app does is scan to see if you currently have a malicious app installed, remove it, and patch with the profile fix.

I would simply say it's advised to use it, but if you're careful then no, it's not necessary.

Also, as Jerry said, Amazon has said already that all apps posted on their appstore have to be approved and vetted before they can be made public. That is why so many people feel it is the better place to post apps. Plus they don't take as much of a cut as Google does.
 

Bigtuna00

Okay, you are just arguing the semantics of "necessary". Just wanted to be sure. That being the case I stand by what I said.
 
