Google Removes ‘DroidDream’ Malware From Android Devices

Use Netsparker


Android must be getting popular! It’s always a test of a new platform or OS, when does it start getting serious malware targeting it?

It seems like the time for Android is now, the news lately has been buzzing about the DroidDream malware that has been flooding the Android Market. Google pulled a number of malicious apps (rumoured to be more than 50) on March the 1st but kept hush – they later blogged about it on March 5th outlining some details about the malware and the vulnerability involved.

An Update on Android Market Security

Google has acknowledged that it removed “a number” of malicious malware applications from the Android Market on March 1, and it has now reached out over the airwaves to remove the apps from end users devices as well.

Last week, reports indicated that more than 50 Android apps had been loaded with info-pilfering software known as DroidDream. Google immediately responded by pulling the apps from the Market, but the company remained silent on the matter until tossing up a blog post on Saturday evening.

According to Google, the malware exploited known vulnerabilities that had been patched in Android versions 2.2.2 and higher. Google “believes” the attacker or attackers was only able to gather device-specific information, including unique used to identify mobile devices and the version of Android running on the device. But the company added that attackers could have accessed other data.

In addition to removing the apps from the Android Market, Google suspended the accounts of the developers involved and contacted law enforcement about the attack, and as it did on one previous occasion, the company used the “kill switch” that lets it remotely remove mobile apps that have already been installed by end users.

So Google does have a kill switch for software already installed on end user devices, some may complain – but honestly it’s only responsible to have such a thing (Apple has one for iOS of course).

And it’s all well and good saying it only effects phones with Android versions lower than 2.2.2…but sadly that is still the majority of phones. Only the phones directly pushed out by Google get the most recent version of Android, all the other (HTC, Samsung, Motorola etc.) models out there still have older (vulnerable) versions.


Google maintains a persistent connection to Android phones that let the company not only remotely remove applications from devices but remotely install them as well. The remote install tool is used when Android owners purchase apps via the new web incarnation of the Android Market. The Android Market Web Store lets you browse and purchase applications via a browser, as opposed to Android client loaded on handsets.

Apple maintains its own “kill switch” for the iPhone. In 2008, an iPhone hacker told the world that Apple had added an app kill switch to the iPhone, and Steve Jobs later confirmed its existence. “Hopefully, we never have to pull that lever,” Jobs said, “but we would be irresponsible not to have a lever like that to pull.”

On Saturday, Google also said that it is pushing a security update to all Android devices affected by the malware in question. If your device was affected, the company said, you will receive an email from android-market-support@google.com, and you’ll get a notification on your phone that a package called “Android Market Security Tool March 2011” has been installed. You may also receive a notification that the offending apps have been removed.

The company is taking additional measures to stop such attacks in the future, but it did not provide specifics. “We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues,” the blog post read.

Google will also be pushing out a security update to all Andoird hansets that were affected, if you’re an Android user you’ll see package called “Android Market Security Tool March 2011” installed which combats the malware.

Apparently it was quite easy to foil the malware if you were handy on the command line, all you needed to do was a create a file at /system/bin/profile/ using the terminal and the touch command then chmod 644 and you’re done.

Source: The Register

Posted in: Exploits/Vulnerabilities, Linux Hacking, Malware

, , ,


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.


Comments are closed.