- Apr 22, 2010
DroidDream is the common name for a new type of malware that has been found in the wild that affects devices running Android. This is also the first report of malware found in apps that are in Google's Android Market. This discussion thread is meant to collect and organize information regarding DroidDream, and to inform users on potential methods of cleaning and protecting themselves from this infection.
None of the information that follows is official; it is mostly compiled from user discussion and speculation. I take no responsibility for any damage or data loss that results from following instructions or applying fixes that are posted; perform these fixes yourself at your own risk, and take your device back to the store for help if you feel uncomfortable.
[update] This post has been updated to include Google's official response.
What is DroidDream?
DroidDream is a malicious trojan that has been found in Android apps. These apps are usually counterfeits of popular apps on the Android Market, and were (prior to Google's intervention) available on the Market itself.
So far, three developers have been identified as releasing apps containing DroidDream: "Kingmall2010", "we20090202", and "Myournet". These developers and their apps have been suspended from the Android Market, but there are conflicting reports of whether or not Google has removed the apps from user devices.
What does DroidDream do?
DroidDream, when run, uses a common exploit to root the user's device without their knowledge, giving the app superuser rights on the device. Once it has done this, it can access any data stored on the device.
The malware has been found to read the IMEI and IMSI from the device and transmit them to a third-party, remote server. The malware has also been discovered to contain a backdoor that allows additional code and instructions to be uploaded to the device afterwards, even after the original app has been deleted.
Who is at risk of infection from DroidDream?
Potentially, anyone running an Android device could be infected by DroidDream. However, Google released a patch to Android in version 2.2.2 that removes the ability for the root exploit to run, thus preventing the malware from working. Therefore, users running Android 2.2.2, 2.3, 2.4, and 3.0 should not be affected by DroidDream. However, if you have downloaded one of the malicious apps, it is still recommended that you remove the malware from your device.
How do I remove DroidDream from my device?
Because DroidDream leaves a backdoor on the user's device, simply deleting the malicious app is not believed to clean the infection or prevent future problems. Also, because DroidDream has superuser rights on the phone, the infection could survive a wipe using a custom recovery. Only a complete factory reset to stock using a manufacturer-provided image or utility is currently considered satisfactory to remove all traces of DroidDream.
[update] Google is now in the process of removing malicious applications from user devices using their remote kill-switch capability. It has still not been indicated that this will fully clean the malware from the device, however.
How do I perform a factory reset on my device?
Manufacturer-provided images and utilities to reset your device to stock can be found in the device-specific forums. Most device-specific forums have a stickied thread indicating how to return to stock; look for a RUU, ODIN, or .sbf file in these threads and follow the instructions. I will post device-specific instructions as I find them.
If you cannot find a manufacturer-provided image or utility for your device, or if you feel uncomfortable performing a factory reset on your device yourself, your best course of action is to take the device to a carrier corporate store or original point of sale, or to contact the manufacturer of your device for additional assistance.
How can I prevent DroidDream from infecting me in the future?
As of now, Google has pulled the apps on the Market that are known to contain DroidDream. However, there could still be more infected apps on the Market that have not yet been discovered.
Lookout and several other antivirus vendors have indicated that their products can scan for and identify apps containing DroidDream. Installing one of these apps may help to identify future threats, but these products are often updated in a reactive, not proactive, manner.
Justin Case of Android Police believed that placing a dummy file at /system/bin/profile on devices with a version of Android below 2.2.2 would prevent DroidDream from being able to remotely download more code onto your device after infection. XDA member Rodderik has developed a flashable ZIP that does this.
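As an added triage helper (not from the original post or from Rodderik's ZIP), the script below checks the two things discussed above: whether the reported Android release predates the 2.2.2 fix, and whether the /system/bin/profile placeholder is in place. It assumes the release string is what `getprop ro.build.version.release` reports; the root-path argument and the `--device` flag are this example's own conventions so it can be run offline against a test tree.

```sh
#!/bin/sh
# Added example: DroidDream exposure triage (defender-side check only).

# Return 0 if dotted version $1 sorts before $2 (compares up to 3 fields).
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(echo "$1" | cut -d. -f"$i"); y=$(echo "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}        # missing field counts as 0 (2.3 == 2.3.0)
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Return 0 when the release predates 2.2.2, the version carrying the fix.
droiddream_vulnerable() {
    version_lt "$1" "2.2.2"
}

# Return 0 when the dummy file from the post exists under the given root
# (root path is an assumption of this example; "" means the live device).
profile_placeholder_present() {
    [ -e "${1:-}/system/bin/profile" ]
}

# Exit codes: 0 = release includes the fix; 1 = pre-2.2.2 but placeholder
# present (remote-download mitigation only); 2 = pre-2.2.2, no mitigation.
triage() {
    rel="$1"; root="${2:-}"
    if droiddream_vulnerable "$rel"; then
        if profile_placeholder_present "$root"; then
            echo "Android $rel predates 2.2.2; placeholder present, root exploit unpatched"
            return 1
        fi
        echo "Android $rel predates 2.2.2 and no placeholder found: mitigate or update"
        return 2
    fi
    echo "Android $rel includes the 2.2.2 fix"
    return 0
}

# Run directly on a device (e.g. via adb shell) with: sh triage.sh --device
if [ "${1:-}" = "--device" ]; then
    triage "$(getprop ro.build.version.release)" ""
fi
```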
[update] Google will be pushing an app to user devices called "Android Market Security Tool 2011" to patch the root exploit.
What will Google do to prevent further malware and infections in the future?
[update] Google has posted an official response to the DroidDream infection, including steps taken and an official method to patch the exploit without carrier or manufacturer intervention. The post is here.
In my opinion, because the vulnerability has already been patched in Android 2.2.2, Google would likely need to ensure that Android updates are distributed to end users in a more deliberate and controlled manner.
As for malicious apps on the Market, Google will need to put in additional safeguards and checks to prevent this kind of malware getting into the Market in the first place.
Where can I go to read more about DroidDream?
DroidDream is being discussed on many forums, but discussion is patchy and scattered. New information as it develops will be posted on many Android news sites. Here's a list of resources I've used to collect this information so far.
Android Central - Google pulls Market apps with root exploit
Android Police - The Mother Of All Android Malware Has Arrived
Android Police - Malware Monster: DroidDream Is An Android Nightmare
Lookout Blog - Security Alert: DroidDream Malware Found in Official Android Market
[added] Google Mobile Blog - An Update on Android Market Security
[Post Last Updated: March 6th, 2011 @ 9:15AM CST]
----------
Original post is as follows:
Has anyone started collecting information about DroidDream, or is there a central point of discussion about the ramifications of DroidDream on the Market and Android itself? I'm sure there are many Android users, both potential and current, who are beginning to hear about this malware and have questions and concerns (myself included).
If no one else has, I'd love to start gathering data and posts, because it seems what information and discussion exists is scattered and patchy.