1. timkedojeh's Avatar
    DroidDream is the common name for a new type of malware that has been found in the wild that affects devices running Android. This is also the first report of malware found in apps that are in Google's Android Market. This discussion thread is meant to collect and organize information regarding DroidDream, and to inform users on potential methods of cleaning and protecting themselves from this infection.

    None of the information that follows is official; it is mostly compiled from user discussion and speculation. I take no responsibility for any damage or data loss that results from following instructions or applying fixes that are posted; perform these fixes yourself at your own risk, and take your device back to the store for help if you feel uncomfortable.

    [update] This post has been updated to include Google's official response.


    What is DroidDream?
    DroidDream is a malicious trojan that has been found in Android apps. These apps are usually counterfeits of popular apps on the Android Market, and were (prior to Google's intervention) available on the Market itself.

    So far, three developers have been identified as releasing apps containing DroidDream: "Kingmall2010", "we20090202", and "Myournet". These developers and their apps have been suspended from the Android Market, but there are conflicting reports of whether or not Google has removed the apps from user devices.

    What does DroidDream do?
    DroidDream, when run, uses an common exploit to root the user's device without their knowledge, allowing the app superuser rights to the device. Once it has done this, it can access any data stored on the device.

    The malware has been found to send the IMEI and IMSI code from the device and transmit it to a third-party, remote server. The malware has also been discovered to contain a backdoor that allows for additional code and instructions to be uploaded to the device afterwards, even after the original app has been deleted.

    Who is at risk of infection from DroidDream?
    Potentially, anyone running an Android device could be infected by DroidDream. However, Google released a patch to Android in version 2.2.2 that removes the ability for the root exploit to run, thus preventing the malware from working. Therefore, users running Android 2.2.2, 2.3, 2.4, and 3.0 should not be affected by DroidDream. However, if you have downloaded one of the malicious apps, it is still recommended that you remove the malware from your device.

    How do I remove DroidDream from my device?
    Because DroidDream leaves a backdoor on the user's device, simply deleting the malicious app is not believed to clean the infection or prevent future problems. Also, because DroidDream has superuser rights on the phone, the infection could survive a wipe using a custom recovery. Only a complete factory reset to stock using a manufacturer-provided image or utility is currently considered satisfactory to remove all traces of DroidDream.

    [update] Google is now in the process of removing malicious applications from user devices using their remote kill-switch capability. It has still not been indicated that this will fully clean the malware from the device, however.

    How do I perform a factory reset on my device?
    Manufacturer-provided images and utilities to reset your device to stock can be found in the device-specific forums. Most device-specific forums have a stickied thread indicating how to return to stock; look for a RUU, ODIN, or .sbf file in these threads and follow the instructions. I will post device-specific instructions as I find them.

    If you cannot find a manufacturer-provided image or utility for your device, or if you feel uncomfortable performing a factory reset on your device yourself, your best course of action is to take the device to a carrier corporate store or original point of sale, or to contact the manufacturer of your device for additional assistance.

    How can I prevent DroidDream from infecting me in the future?
    As of now, Google has pulled what apps on the Market that are known to contain DroidDream. However, there still could be more apps yet undiscovered on the Market that are infected.

    Lookout and several other antivirus vendors have indicated that their products can scan for and identify apps containing DroidDream. Installing one of these apps may help to identify future threats, but are often updated in a reactive, not proactive, manner.

    Justin Case of Android Police believed that placing a dummy file at /system/bin/profile on devices with a version of Android below 2.2.2 would prevent DroidDream from being able to remotely download more code onto your device after infection. XDA member Rodderik has developed a flashable ZIP that creates does this.

    [update] Google will be pushing an app to user devices called "Android Market Security Tool 2011" to patch the root exploit.

    What will Google do to prevent further malware and infections in the future?
    [update] Google has posted an official response to the DroidDream infection, including steps taken and an official method to patch the exploit without carrier or manufacturer intervention. The post is here.

    In my opinion, because the vulnerability has already been patched in Android 2.2.2, it would likely need to ensure that Android updates are distributed to end users in a more deliberate and controlled manner.

    As for malicious apps on the Market, Google will need to put in additional safeguards and checks to prevent this kind of malware getting into the Market in the first place.

    Where can I go to read more about DroidDream?
    DroidDream is being discussed on many forums, but discussion is patchy and scattered. New information as it develops will be posted on many Android news sites. Here's a list of resources I've used to collect this information so far.

    Android Central - Google pulls Market apps with root exploit
    Android Police - The Mother Of All Android Malware Has Arrived
    Android Police - Malware Monster: DroidDream Is An Android Nightmare
    Lookout Blog - Security Alert: DroidDream Malware Found in Official Android Market
    [added] Google Mobile Blog - An Update on Android Market Security


    [Post Last Updated: March 6th, 2011 @ 9:15AM CST]
    ----------

    Original post is as follows:

    Has anyone started collecting information about DroidDream, or is there a central point of discussion about the ramifications of DroidDream on the Market and Android itself? I'm sure there are many Android users, both potential and current, who are beginning to hear about this malware and have questions and concerns (myself included).

    If no one else has, I'd love to start gathering data and posts, because it seems what information and discussion exists is scattered and patchy.
    Baconator likes this.
    03-03-2011 12:26 AM
  2. dtreo's Avatar
    No doubt. After all of the news yesterday (it was the #2 tech story on Google News, CNN, PC Magazine, etc), I still haven't heard much instruction on what you should do if you downloaded one of the apps like I had with Chess. I never opened the game and after reading the news yesterday immediately uninstalled it, followed by a factory reset. But, what now? I'm not going to hack up my phone like the guys on XDA are doing.

    I called Sprint and told a manager about it. He was going to read the news and check it out, then call me today. I want the phone replaced, as suggested in the original news yesterday. I don't like the idea of walking around with a phone that is apparently open to malicious data use without any obvious sign to the user.

    Anyone with some constructive thoughts on what to do now?
    03-03-2011 08:34 AM
  3. ls377's Avatar
    What phone do you have? Most of the methods to fully reset are not "hacking up" your phone. They're the same methods the carrier/manufacturer use to reset your phone.
    03-03-2011 08:48 AM
  4. dtreo's Avatar
    What phone do you have? Most of the methods to fully reset are not "hacking up" your phone. They're the same methods the carrier/manufacturer use to reset your phone.
    EVO.

    As I said, I uninstalled the Chess app, then did a factory reset as was suggested in the stories yesterday. My point is that it also was noted that this likely does not removed the malicious code that was backdoored in by the first download. This was noted by AndroidPolice and other reports.

    What now after the reset? It doesn't sound safe to use the phone. There are some other rooting methods being discussed on XDA, but I'm not going that route as I'm sure many others agree.
    03-03-2011 09:08 AM
  5. ls377's Avatar
    The full reset doesn't involve rooting. Check out this thread.

    The RUU is a utility straight from HTC, so there shouldn't be anything to worry about. If you can get Sprint to fix it for you, go with that, but if not, this is your best option.
    dtreo likes this.
    03-03-2011 09:31 AM
  6. Xopher's Avatar
    Lookout has been updated to search for DroidDream. Maybe not an answer-all for those who aren't rooted, but at least there is an app to check for it.
    03-03-2011 10:09 AM
  7. timkedojeh's Avatar
    Lookout has been updated to search for DroidDream. Maybe not an answer-all for those who aren't rooted, but at least there is an app to check for it.
    The problem with Lookout and other antivirus solutions on Android is that they only detect if a malicious app is installed on the phone; I'm not sure that they can remove the backdoor that these apps left behind, nor will they unroot the device.


    I'm going to start updating the first post in this thread with some information regarding DroidDream and what to do if you've been infected. Stay tuned.
    dtreo likes this.
    03-03-2011 11:47 AM
  8. dtreo's Avatar
    They were awesome and agreed to replace my phone. That's why I remain a loyal customer for so many years.
    03-03-2011 01:07 PM
  9. timkedojeh's Avatar
    I've added information regarding Google's official response to the DroidDream outbreak. Looks like they're now using their remote-kill functionality to remove the malicious apps, and will be deploying a Market Security Tool to affected devices to patch (and possibly reverse) the root exploit.

    In case you missed it in the most (or on the front page of AC), here it is.
    03-06-2011 09:21 AM

Tags for this Thread

LINK TO POST COPIED TO CLIPBOARD