Android malware activates itself through incoming calls
Lookout Security reports that Google has removed 34 Android apps from its Market that were infected with malicious code. Lookout estimates that the number of potential victims is between 30,000 and 120,000. Some of the malware samples are modified versions of apps that have been available on the Market for quite some time. Without the knowledge of the app developers, criminals added malicious code to the apps and resubmitted the modified versions to the Market. The apps are infected with Droid Dream Light (DDLight), a variant of the DroidDream malware which was injected into more than 50 apps in March 2011.
Unlike the previous variant, the new malware no longer requires users to start the app. DDLight injects itself as a broadcast receiver for incoming calls by registering for the intent android.intent.action.PHONE_STATE. This allows the malicious code to be executed with the next incoming call. According to an analysis by F-Secure, the malware also responds to incoming SMS text messages. The malware then sends device information (model, IMEI, IMSI and SDK version) and information about the device's installed apps to the criminals. Lookout says that DDLight is also capable of installing code on the device, but that this requires the victim to interact.
Infected apps range from system tools to programs that promise photos of scantily clad women. Lookout has posted a list on its blog. According to the current state of investigations, the criminals used the Magic Photo Studio, Mango Studio, E.T. Tean, BeeGo, DroidPlus and GluMobi developer accounts to upload their malware.
Whether the malware can be completely removed from a device by uninstalling the app is not yet clear. Another open question is whether Google has remotely removed the apps from infected devices via the remote removal feature. An inquiry to Google about the company's future plans to protect Android users from malware from the Market has so far not been answered. To remove DroidDream from victims' smartphones, Google installed the "Android Market Security Tool March 2011" without requesting users' permission; the tool had root privileges and first deleted the malware and then itself.
F-Secure reports that another piece of Android malware is spreading, mainly in China. In an SMS text message supposedly sent by the network operators, the criminals promote the malware as an 'update for a security vulnerability'. Once recipients open the link in the message, the AdSMS trojan is installed on their systems. The malware also installs further software and can send, and receive, SMS text messages – potentially to receive further instructions and continue to spread.