Droid Dream Malware Latest Sign Android Attacks Are on the Rise

For a while now, the threat of mobile malware has been shifting from the realm of theoretical to the actual. However, the latest attack, known as “Droid Dream,” managed to take it a step further and resulted in infected apps making their way into Google’s official Android Market.

The attack, which cropped up Tuesday evening, was attached to multiple applications posted to both the Google-run store and various third-party app markets.

Although Google managed to expunge the 50 or so affected apps within minutes of learning of their presence in the store, the fact they made it that far indicates the game is changing. In the latest attack, the malicious code was attached to legitimate applications, but also was collecting identifying data from the phone and sending that information to a remote server.

Experts have warned for a while now that as smartphones gain traction, there will be an increasing number of attacks. Anti-virus firm Symantec says that threats have been increasing significantly in recent months after being quite rare, often limited to more proof-of-concept type exploits.

Not only are today’s smartphones the equivalent of a desktop computer, each one has a connection to not only personal information and the Internet, but also to a carrier billing system–putting would-be attackers one step closer to where the money is.

“For first time in history, a malicious attacker can send a packet of data and money goes flying,” said John Hering, CEO of phone security software maker Lookout Mobile Security. “Think about that.”

Already there have been attacks that cause an infected phone to send a premium text message, generating instant revenue for the attackers. Those attacks, against both Symbian and Android, have been confined largely to Europe and Asia–areas where premium SMS is more common and where carriers are sometimes less vigilant about monitoring traffic, Hering said. An attack in December, centered in China, took a significant amount of data from Android phones and sent it to remote servers.

That the phone has been seen as less vulnerable than the PC is largely an artifact of the fact that the devices have only recently gained powerful operating systems and fast Web connections.

“It’s not like phones are inherently safer than computers,” Hering said. “It’s just been more attractive in the past to attack computers.”

In general, Android malware has been attached to applications–often to legitimate applications–and posted to various third-party stores, rather than to the Google-run Android market. Indeed, sticking to the official stores has been one of two major recommendations from security experts (the other is to pay careful attention to what permissions an app is requesting).

Keeping up to date on a phone’s operating system can also help. Droid Dream, for example, exploited a security flaw that was closed with the Gingerbread release of Android. However, unlike on the PC side, users don’t always get to choose which updates they install, as carriers and device makers often get a say in which apps are provided to customers.

The Android attack is also sure to raise the question of whether an open platform is less secure than a more closed one and also whether it is better to have a curated market or one that is community-managed. Hering said it is not fair to say that Droid Dream suggests Android is more vulnerable, noting that both open and closed systems have their benefits. Open-source code does mean everyone can look at things, but it also gives the community a chance to report flaws before the bad guys do.

Naturally, there is also a market that has emerged for security software that can be installed on a device. Lookout and Symantec both offer phone products, and Hering said that Lookout’s software was updated within hours to protect against infected applications from both official and non-official sources.

Given how quickly Google removed the infected apps, it still makes sense for the cautious to stick to the Android market. However, it is clearly not a failsafe.

The other big recommendation is to not just blindly click OK to all those warnings that pop up when installing an app. On Android and many other platforms, users have to explicitly give an application permission to do certain things, such as access location data or make phone calls.

“If someone is downloading a scientific calculator and it wants to send text messages, it should raise some eyebrows,” said Vikram Thakur, a principal security response manager at Symantec.