# DroidDream
The first malware to successfully infiltrate the official Android Market. Discovered in March 2011 after a Reddit user (Lompolo) noticed repackaged apps from suspicious developer accounts, DroidDream used root exploits to gain full device control and operated during nighttime hours to avoid detection. The incident forced Google to implement its first remote app removal ("kill switch") and directly led to the creation of Google Bouncer.
## Overview
| Property | Value |
|---|---|
| First Seen | March 2011 |
| Type | Root exploit botnet / Spyware |
| Attribution | Three developer accounts: Myournet, Kingmall2010, we20090202 |
| Aliases | Android.Rootcager (Symantec), ANDROIDOS_LOTOOR (Trend Micro) |
## Distribution
Uploaded directly to the official Android Market as repackaged versions of legitimate apps. Over 50 infected apps were identified across three developer accounts, with an estimated 50,000 to 200,000 downloads in the roughly four days before the apps were removed.
## Capabilities
| Capability | Implementation |
|---|---|
| Root exploits | exploid (CVE-2009-1185) and rageagainstthecage (CVE-2010-EASY) |
| Timing evasion | Operated between 11 PM and 8 AM local time |
| Data exfiltration | IMEI, IMSI, device model, SDK version, language, country |
| Silent installs | Downloaded and installed additional apps after rooting |
| C2 commands | Install apps, open URLs, add bookmarks, send/intercept SMS |
## Permissions
| Permission | Purpose |
|---|---|
| INTERNET | C2 communication and payload download |
| READ_PHONE_STATE | IMEI/IMSI harvesting |
| RECEIVE_BOOT_COMPLETED | Persistence after reboot |
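As an added defender-side example (not code from the original page or from any vendor analysis), the Python below turns the two observable traits described above, the 11 PM to 8 AM activity window and the INTERNET / READ_PHONE_STATE / RECEIVE_BOOT_COMPLETED permission set, into a triage heuristic over a constructed per-app connection log; the package names, addresses, log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one outbound connection per line:
# "<ISO local timestamp> <package> <destination>"
SAMPLE_CONNECTIONS = """\
2011-03-01T23:14:02 com.example.wallpaper 203.0.113.10:8080
2011-03-02T02:30:45 com.example.wallpaper 203.0.113.10:8080
2011-03-02T04:51:10 com.example.wallpaper 203.0.113.10:8080
2011-03-02T07:05:33 com.example.wallpaper 203.0.113.10:8080
2011-03-02T13:20:00 com.example.wallpaper 203.0.113.10:8080
2011-03-02T09:12:00 com.example.weather 198.51.100.7:443
2011-03-02T12:40:00 com.example.weather 198.51.100.7:443
2011-03-02T18:05:00 com.example.weather 198.51.100.7:443
2011-03-03T01:15:00 com.example.weather 198.51.100.7:443
"""

# Constructed manifest permissions per package (assumed values)
SAMPLE_PERMISSIONS = {
    "com.example.wallpaper": {"INTERNET", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED"},
    "com.example.weather": {"INTERNET", "ACCESS_FINE_LOCATION"},
}

# DroidDream's reported active window: 11 PM to 8 AM local time
NIGHT_START, NIGHT_END = 23, 8
# Permission set the page lists for DroidDream samples
INDICATOR_PERMS = {"INTERNET", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED"}

def is_night(ts):
    """True if the timestamp falls inside the nighttime window (wraps past midnight)."""
    return ts.hour >= NIGHT_START or ts.hour < NIGHT_END

def nocturnal_ratio(log_text):
    """Return {package: (night_connections, total_connections)} from the log."""
    counts = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, pkg, _dest = line.split()
        ts = datetime.fromisoformat(stamp)
        counts[pkg][1] += 1
        if is_night(ts):
            counts[pkg][0] += 1
    return {pkg: (night, total) for pkg, (night, total) in counts.items()}

def flag_suspects(log_text, permissions, min_ratio=0.75, min_events=4):
    """Flag packages whose traffic is mostly nocturnal AND that hold the indicator permissions."""
    suspects = []
    for pkg, (night, total) in nocturnal_ratio(log_text).items():
        if total < min_events:
            continue  # too few events to judge the timing pattern
        if night / total >= min_ratio and INDICATOR_PERMS <= permissions.get(pkg, set()):
            suspects.append(pkg)
    return sorted(suspects)
```

The thresholds are deliberately loose starting points; on a real device the permission set alone is common among benign apps, so the timing signal is what narrows the list.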
## Impact
DroidDream fundamentally changed Android security:
- First use of Google's remote app removal capability
- Google released the "Android Market Security Tool" to clean infected devices
- Directly led to the creation of Google Bouncer (later Google Play Protect), the first automated malware scanning system for the Android Market
## Evolution
DroidDream Light appeared in May/June 2011 as a simplified variant that did not require root exploits. The success of DroidDream's Market infiltration demonstrated that the official app store was not a reliable trust barrier, a lesson that remains relevant through modern dropper campaigns.