Lookout Labs has been continually evaluating the DroidDream situation over the last few days. As you may recall, DroidDream is malware code that has found its way into over 50 apps in the Android market. We got an email from Lookout letting us know that they updated their blog last night with some new details about how it works.
· DroidDream send the IMEI, IMSI, Device model and SDK version to a remote command and control server
· To infect the device, DroidDream uses two known exploits, exploidand rageagainstthecage,to break out of the Android security container. Both of the vulnerabilities being exploited were patched by Android 2.3 (Gingerbread).
· Similar to previous instances of Android malware that have been found on alternative Android app markets, the authors of DroidDream hid the malware in seemingly legitimate applications to trick unsuspecting users into downloading the malware—a growing trend in mobile threats.
· Once the phone is rooted, DroidDream is configured to searched for a specific package named com.android.providers.downloadsmanager. If the malware does not find this package on the device, it will silently install a second malicious application without the user’s knowledge.
Lookout is still investigating the situation, particularly with regard to who the expected target was. Play it safe, and download Lookout Mobile Security, and hit the source link to check out the rest of their findings at their blog.
[via Lookout Blog - Thanks Alicia for the heads-up!!]