According to Mark Balanza, the latest version of the DroidDream malware – which caused a stir earlier this year when a mass infection of the Android Market took place – is the malware behind the APK utility.
The malware is actually DroidDream Light - which, as the name implies, is a lite version of the original code, apparently streamlined to allow it to be hidden within a legitimate utility program.
The bad news is the DroidDream Light malware utility was downloaded more than 50,000 times from the Android Market before Google spotted it and removed the code.
The malware sample, says Balanza, was detected as ANDROIDOS_DORDRAE.M and was inside an app called App Installer - “Once executed, the main class of the app starts the malware service called AppUseService”, he says in his latest security posting.
Interestingly, the Trend Micro analyst reports that the malware service will still run even if the app is not executed, suggesting, Infosecurity notes, that malware coders have developed an auto-run option within the download option for Android apps.
Balanza says that the trigger for this event starts starts when an Intent called 'android.intent.action.PHONE_STATE' is triggered – something that happens every time the device makes or receives a call.
As with earlier versions of DroidDream, the light version uploads a wealth of information to a remote server, including the IMEI/IMSI pair and a complete listing of the apps installed on the mobile device.
“Previous DroidDreamLight variants save the encrypted configuration using the file names prefer.dat and game.tol in the Asset folder. The sample we analysed uses the file name small.use and DES encryption with the same decryption/encryption key as before - DDH#X%L - he says, adding that the servers for the remote upload went offline during the security firm's research.
The DroidDreamLight malware does not, he explained, use any exploits so it will need user intervention to install its downloaded components.
“To do this, we think that the malware tries to trick the user into thinking that the app being downloaded or installed is an update for an installed app. Based on its code, the malware is capable of showing download/update notifications. That way, all it has to do is use the name of an app from the list retrieved and to display the notification with a malicious link from the server”, he notes,
The good news is that Balanza reports that users can check if their phones are infected by going to Settings > Applications > Running Services and manually remove any malware by going to Settings > Applications > Manage Applications to uninstall the infected app.