The market store for the Andriod phones has hosted at least 50 different apps that contained malicious software (malware) called DroidDream. The apps loaded with malware ranged from chess apps to photo editing software. At this time the believed methodology of the hackers who performed this activity was to download the official app, inject their malicious code and re-upload the app so unsuspecting users can download the app. This proved to be successful at least 200,000 times over.
Google’s response was to remotely remove the app from the phone, but this necessarily won’t fix the problem as the app has the potential to install other programs on the phone. These other malicious programs have not been mentioned as being removed.
In the event these apps were able to successfully install on a victim’s phone it had the ability to exfiltrate sensitive data from your phone (SDK Version, device model, IMSI, and IMEI) respond to ads and sends SMS to a variety of locations. As of now, analysis conducted by a variety of personnel, to include Google, believe the main developer’s handle is “Myournet”, “Kingmall2010”, and “we20090202”.
The two exploits seen in the malware will attempt to gain root on the victim’s phone and then communicate to the Command & Control (C&C) server and await instructions. The malware is intelligently designed to not re-infect an infected phone and will also check for further instances of malicious programs associated with the DroidDream malware instances.
This type of action taken by the nefarious cyber actors in the world do not come to a surprise to trained security experts because of inherent vulnerabilities associated with the open source nature of the Andriod design and popularity of the phone to name a few reasons. Further analysis on the propagation methods of the DroidDream to identify if the malware can spread from the phone to a computer when connected. If this was the case, then this opens yet another avenue that can be pursued by nefarious actors to gain access to a network.