Droid Dream Light is Android malware that attempts to download and install additional malicious packages and transmits sensitive user information.
Aliases/Variants
Droid Dream
Virus Name:
Droid Dream Light (Aliases include DroidDream Light and DDLight)
Description
Droid Dream Light (DDLight) is an Android trojan that attempts to download and install additional malicious packages and transmits sensitive user information.
This malicious code is a variant of DroidDream, which was discovered in March 2011. Reports suggest that an estimated 50 applications listed on the Google Android Market were found to be infected with the malicious code. Most of these applications were modified versions of applications already available on the Android Market.
According to the same reports, legitimate applications were modified and then relisted on the Android Market by the attackers. Currently, 30,000 to 120,000 Android users have been reported to be affected after installing applications that contain the trojan.
Malicious application components may become activated by incoming phone calls. After activation, the trojan could then install a malicious service that contacts remote servers and transmits sensitive information from the infected Android device. In addition, the malware could also download and install additional packages. However, the malware is not capable of installing these packages without user interaction.
Google has reportedly removed all the currently infected applications, and they are no longer listed on the Android Market.
Impact
After invocation, the malicious software sends sensitive device information, such as the International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI), to a remote, attacker-controlled server. The malicious software could also send information such as the phone model, SDK version, and lists of installed packages to the remote server.
The malware could also cause the infected device to download and install additional packages.
Warning Indicators
Android devices that have installed applications from the following list may be affected:
BeeGoo: Brightness Settings, Contact Master, Delete Contacts, Paint Master, Quick Photo Grid, Quick Uninstaller, Super Photo Enhance, Super Color Flashlight, Volume Manager
DroidPlus: Quick Cleaner, Quick SMS Backup, Super App Manager
E.T. Tean: Call End Vibrate
GluMobi: Bubble Buster Free, Go FallDown !, Quick History Eraser, Scientific Calculator, Solitaire Free, Super Compass and Leveler, TenDrip, Tetris
Magic Photo Studio: Beauty BXXXX, HOT Girls 1-4, Sex Sound, Sex Sound: Japanese, Sexy Legs, Sexy Girls: Hot Japanese
Mango Studio: Floating Image Free, Super StopWatch and Timer, System Info Manager, System Monitor
Technical Information
Droid Dream Light is distributed through modified applications hosted on the Android Market. When a user installs an infected application, the malicious code could be installed on the device. When running, the malicious software may set up a back door, allowing the attacker to install additional packages or retrieve sensitive information from infected devices.
The malicious software could be invoked when the android.intent.action.PHONE_STATE action occurs on an incoming phone call. Immediately after invocation, the malicious software could start a .lightdd.CoreService service on the infected Android phone, allowing the attacker to perform additional actions or monitor ongoing communications on the device.
IntelliShield Analysis
Currently, the applications listed on the Android Market by the following developers are infected: Magic Photo Studio, Mango Studio, E.T. Tean, BeeGoo, DroidPlus, and GluMobi. Applications listed by other developers could also be infected.
In addition to removing malicious applications from the Android Market, Google may later remotely uninstall infected applications from the affected devices if additional malicious applications are discovered.
Safeguards
Users should install applications only from trusted sources.
Users should always check the permissions an application requests.
Users are advised to be alert for unusual behavior on the phone, such as unusual SMS or network activity.
Users are advised to install operating system updates as soon as they are available and install a mobile security application for the phone.
The security vulnerability applies to the following combinations of products.
Primary Products:
IntelliShield
Malicious Code Alert
Original Release Base
Associated Products:
N/A
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.