Google has begun removing the “Droid Dream” malware from devices running Android versions earlier than 2.2.2, also known as “Froyo.”
About 260,000 owners of Android devices downloaded the malware, Google spokesperson Randall Sarafa told LinuxInsider.
However, that doesn’t mean they’ve all been impacted.
“Remember, that figure only refers to the number of people who downloaded the malware app,” Sarafa pointed out. “In order for the malware to be activated, people have to run the app, and we’re not sure how many did so.”
More than 50 apps carrying the “Droid Dream” malware had been uploaded to Google’s Android Market as of last week. Some of them were pirated versions of legitimate Android apps.
Google removed them within minutes of becoming aware of the apps, Android Security Lead Rich Cannings said in a blog post late Saturday, though Google reportedly did not respond to a developer who had been attempting to alert it to the problem for more than a week.
The malware is being removed from victims’ devices now, and Google is implementing security measures to prevent other malicious applications using similar exploits from being distributed through the Android Market.
Sweet Dreams Aren’t Made of This
The Droid Dream attack represented one of the first noteworthy examples of malicious apps being distributed through Google’s Android Market. Malicious Android apps had previously been posted on third-party sites, many of them carrying pirated Android applications.
Droid Dream works in two phases, according to Lookout Mobile Security.
First, it infects a device by breaking out of Android’s sandbox using two known exploits. These are known as “exploid” and “rageagainstthecage.”
The first stage must be activated by the user launching the malware, and this is why it’s not clear just how many people’s devices actually have been infected — as Google’s Sarafa pointed out, not everyone who downloaded an app containing Droid Dream may have launched it.
Once Droid Dream breaks out of Android’s sandbox, it installs a second application on the victim’s device as a system app. Doing so prevents the user from seeing or uninstalling the second application, DownloadProviderManager.apk, without special permission.
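The second-stage indicator described above (an extra APK planted under /system/app) is something a responder can check for with a baseline comparison. The following shell function is an added example, not code from the article, Google or Lookout: it triages a constructed `pm list packages -f` listing and reports any /system/app package that is not in an assumed known-good baseline. The baseline entries and the package name paired with DownloadProviderManager.apk are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example: flag /system/app APKs that are not in a known-good baseline.
# Constructed listing in the format `pm list packages -f` prints
# (package:<apk path>=<package name>); the package name next to
# DownloadProviderManager.apk is a placeholder, not a real identifier.
SAMPLE_LISTING='package:/system/app/Browser.apk=com.android.browser
package:/system/app/Settings.apk=com.android.settings
package:/system/app/DownloadProviderManager.apk=com.example.placeholder
package:/data/app/com.example.game-1.apk=com.example.game'

# Assumed stock system APK names for this illustration (one per line).
BASELINE='Browser.apk
Settings.apk'

# Print the file name of every /system/app APK in the listing that is
# absent from the baseline; apps installed under /data/app are ignored
# because they are ordinary user apps, not the privileged system kind
# that Droid Dream's second stage installs.
find_unexpected_system_apps() {
  listing="$1"
  baseline="$2"
  printf '%s\n' "$listing" |
    sed -n 's#^package:/system/app/\([^=]*\)=.*#\1#p' |
    while IFS= read -r apk; do
      printf '%s\n' "$baseline" | grep -qx -- "$apk" || printf '%s\n' "$apk"
    done
}

find_unexpected_system_apps "$SAMPLE_LISTING" "$BASELINE"
```

On a real device the listing would come from `adb shell pm list packages -f` and the baseline from a clean unit of the same firmware build.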
Taking Down the Nightmare
Google has begun remotely deleting apps containing Droid Dream from victims’ devices.
In Saturday’s blog post, Google said that within 72 hours, it will send victims an email and a notification that “Android Market Security Tool March 2011” has been installed. It may also notify victims that an application has been removed.
Why 72 hours? That will give the Droid Dream malware until Tuesday night to perform its dirty deeds.
Google’s Sarafa declined to comment on this.
“I’m not sure what took Google so long,” Randy Abrams, director of technical education at ESET, told LinuxInsider. “This gives the malware plenty of time to steal lots of information.”
Perhaps Google has good reason to move cautiously.
“The remote kill switch implies tracking capabilities, and that brings up many privacy concerns,” Dave Marcus, director of security research at McAfee Labs, told LinuxInsider.
Google has used the remote kill switch before. In June of 2010, it took down two free apps posted on the Android Market by a security researcher.
Cleaning Up Droid Dream’s Horse Apples
Will the remote kill switch clean the dirty code out of victims’ devices completely, or is there a chance that something will be left to plague them again later?
“Theoretically, the kill switch cleans out the malware,” ESET’s Abrams said. “However, it cannot undo other actions the malware might have performed, such as exploiting root access and downloading additional components.”
However, McAfee’s Marcus thinks Google may be able to carry the day. For one thing, Droid Dream looks like a Trojan, so if the Android device hasn’t been rooted, removing the malware will have cleaned up the device. For another, Google may put out different patches or two different kill switches to deal with the malware and its aftermath, Marcus suggested.
Being Safe Means Never Having to Say You’re Sorry
Several security vendors have predicted that hackers would begin targeting mobile devices in 2011.
“Google doesn’t do any meaningful checks of content,” ESET’s Abrams pointed out. “Additionally, developers who rely upon advertising modules often have no clue what’s in their programs. Trojans can be introduced by unscrupulous advertisers or compromised developers,” he stated.
“We currently don’t have an approval process for apps submitted to the Android Market,” Google’s Sarafa admitted. But, he said, the company’s “implementing measures to help prevent similar apps from being uploaded to the market.” However, he declined to discuss details.
Google could initiate some strong code review, Q&A assembly and chain procedures, McAfee’s Marcus remarked. Further, it could engage in predictive modeling to map out possible lines of attack and prevent them, he added.