My Bitdefender
  • 0 Shopping Cart

Bitdefender Blog

(Almost) everything you wanted to know about Android malware but were (too) afraid to ask

by Catalin Cosoi, on 20 June 2011

A short recap of the modern history of Android apps' trials and tribulations.

Early 2010: "Droid09" goes phishing. The phisher publishes in the Android App store an application designed to work as an online banking client, but which actually snatches customers’ usernames and passwords. More info here

March 2010: Mariposa flies Android. Android phones “boasting” the Mariposa botnet hit the market, becoming a hazard to any computer that might get connected to these devices. More info here.

July 2010 – “I’ll see your Tap Snake game and raise you one GPS spy eye!”. Once installed,AndroidgameTap Snake, runs in the background forever, restarts automatically upon phone reboot and every 15 minutes it secretly reports the GPS location of the phone to a server. More info here.

August 2010 – Rogue codec in for premium number text messaging. Fake player locatedon a third-party site actually sends text messages to premium services, running up stiff bills on behalf of its victims. More info here.

November 2010 – Playing hide and seek with Angry birds permissions.An Interesting experimentgoes to prove game security exploit: permission hiding. Researchers Jon Oberheide and Zach Lanier created a fake Angry Birds app which, instead of allowing players access to extra game levels, install programs that could steal contact info and send text messages to premium rate numbers. More info here

December 2010 - January 2011 – Geronimo? No! GEINIMI! Though dubbed "the most sophisticated Android malware so far”, Geinimi sees its empire limited to the Chinese Android app markets for the moment. The Geinimi infected applications allow collecting user information such as location coordinates as well as the phone’s unique International Mobile Equipment Identity (IMEI) and the International Mobile Subscriber Identity (IMSI) identifiers. More info here.  

February 2011 – Up the Trojan ADRD ladder. Trojan ADRDis included in several repackaged applications designed to increase the ranking of different websites and made available by a Chinese third-party provider. ADRD apparently contacts a remote host
and sends the phone's info — the International Mobile Equipment Identity (IMEI) and the International Mobile Subscriber Identity (IMSI). More info here.

February 2011 – Can you spell Trojan PJAPPS? Similar in point of functionality to its predecessor, ADRD, PJAPPS also sends SMS to premium rate numbers. More info here.  

March 1st, 2011- Spring cleanup for Malicious apps. Google acknowledges the removal of an unspecified number of malicious applications from the Android Market and its attempt to remove the apps from end users’ devices as well. More info here.

March 2nd, 2011 - DroidDreamnightmare. DroidDream-infected apps – counting approximately 50,000 downloads - use exploit code to take administrative control over the infected phones and steal sensitive data. More info here .

Android applications interact with each other through the Android API. This means that an application can perform a limited set of operations involving other apps installed on the phone. A malicious application will be able to request and obtain sensitive data from the other applications, but it will not be able to modify their code or infect them, unless it has root capabilities (i.e. administrative control). This is why DroidDream was so special: because it exploited some vulnerabilities, it was able to obtain root level access, and, therefore, actually take control over the phone and over its applications.

March 10, 2011 - Fake Android security tool. Within days as of the official launch of the  Android Market Security Tool  (designed to remove and prevent the installation of all DroidDream-laden applications) the tool’s evil twin appears on alternative Chinese application markets. The Trojanized tool can, among other things, send MMS messages in the background when the device boots up. More info here.

April 2011 - Walk and Text lookalike plays scolding game.
Different from the real app, designed to keep users safe from accidents while they’re texting, the Walk and Tex wannabe actually sends an embarrassing SMS to everyone in the phone contact list: "Hey,just downlaoded a pirated App off the Internet, Walk and Text for Android. Im stupid and cheap, it costed only 1 buck.Don't steal like I did!". The fake app also sends the user's name, phone number and other information to a remote server. More info here.

May 2011 – DroidDream slims down. 26 applications are found to be infected with a lighter version of DroidDream.  According to estimates, up to 120,000 users may be affected. More info here.

June 2011 – A school of Plankton. At least 10 applications disguised as Angry Birds cheats or an add-on are removed from the Android Market. Several of those apps carried a spyware program called Plankton, which connects to a remote server and uploads phone information like the IMEI number, browser bookmarks and browsing history. More info here.

June 15,  2011 - jSMSHider goes after custom(ers). The Trojanaffects phones running custom-built versions of Android released by third-party groups. Among this piece of malware’s capabilities: reading, sending and processing incoming SMS messages, communication with a remote server, opening a URL silently in the background. More info here.  

We can all agree that phishing on mobile platforms was there since day one of our history. As for malware, judging by the current trend, given that the Android app market is not moderated and since users will install various apps without paying too much attention to the required permission list, it would only be fair to say that things WILL get worse and that the (motion&mobile) picture will get scarier (pun intended).


Almost all menaces above are designed to steal confidential data, such as contacts, e-mail addresses, text messages and GPS location, which can be found on most Android smart phones. If you do not wish to lose such data, we strongly advise you to use a security solution for mobile devices, such as BitDefender Mobile Security .


All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

Catalin Cosoi

Chief Security Researcher

On Jun.20.2011 09:38

Raul said

Great article

On Jun.20.2011 09:52

Catalin said

thank you :).

Daily "Did you know?"

On July 31, 2008, the Koobface computer worm started to target users of Facebook and MySpace; and new variants still constantly appear.


  • Bitdefender Security Specialists
    Bitdefender Labs
  • Catalin Cosoi
    Chief Security Researcher
  • Dan Lowe
    Dan Lowe, an OEM Senior Marketing Manager, has been working with Bitdefender for the last 3 ½ years. His familiarity with multiple security products from Firewalls to Antivirus has provided him a unique perspective on the security industry.
  • Ligia Adam
    Security Evangelist and Social Media Professional
  • Loredana Botezatu
    Loredana Botezatu – E-threat Analyst – Loredana has been writing about the IT world and e-security for well over five years. She has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.