According to Irfan Asrar, this latest Android malware – Android.Lightdd – has been promulgated by several Google publisher accounts, although these all appear to have been disabled, he reports.
"The key point to note is that even though the news of the return of 'DroidDream' has created a bit of a stir with approximate high download rates being quoted – due to the fact that the threat was available through official channels – unlike its predecessor, this threat does not carry out any system level exploits and does not require the infected user to carry out any complex steps to restore the device back to the pre-infection state", he says in his latest security blog.
Lightdd, he adds, follows a formulaic pattern – in addition to containing the malicious code base, which runs as a service called 'CoreService', the repackaged app also contains a configuration file 'prefar.dat'.
The contents of this dat file, he notes, include three URLs, which the threat uses to establish the malicious host to contact, although all three IP hosts are now offline.
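The pattern described above (a repackaged app bundling a 'CoreService' service and a 'prefar.dat' configuration file holding the contact URLs) lends itself to a simple triage check. The following is an added example for analysts, not code from Symantec or from the article: it opens an APK (which is a zip archive), looks for any entry named prefar.dat, pulls the URLs out of it, and checks the manifest for the service name. The in-memory sample APK, its URLs (RFC 2606 / RFC 5737 reserved names and addresses) and the plain-text manifest are constructed for the demonstration; a real APK carries a binary XML manifest, which is why the scanner also searches for the UTF-16 form of the name. Treating the config as living under assets/ is an assumption, so the check matches the file name anywhere in the archive.

```python
import io
import re
import zipfile

# Constructed sample URLs (reserved documentation names/addresses, not real hosts).
SAMPLE_URLS = [
    "http://c2-one.example/",
    "http://192.0.2.10/update",
    "http://c2-three.example/cfg",
]

# Constructed in-memory APK-like zip mimicking the layout the article describes.
# The manifest is plain text here; real APKs use binary XML (handled below).
def build_sample_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", '<service android:name=".CoreService"/>')
        z.writestr("assets/prefar.dat", "\n".join(SAMPLE_URLS))  # assumed path
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()

# A benign package for comparison: no config file, no CoreService.
def build_benign_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", '<service android:name=".SyncService"/>')
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()

URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
SERVICE_NAME = "CoreService"

def triage_apk(apk_bytes: bytes) -> dict:
    """Return the Lightdd-style indicators found in an APK: config file entries,
    URLs extracted from them, and whether the manifest names 'CoreService'."""
    result = {"config_files": [], "urls": [], "core_service": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            # Match the config file name anywhere in the archive, not only assets/.
            if name.endswith("prefar.dat"):
                result["config_files"].append(name)
                result["urls"].extend(
                    u.decode("ascii", "replace") for u in URL_RE.findall(data)
                )
            if name == "AndroidManifest.xml":
                needles = (SERVICE_NAME.encode("utf-8"),
                           SERVICE_NAME.encode("utf-16-le"))  # binary XML string pool
                if any(n in data for n in needles):
                    result["core_service"] = True
    # Both indicators together are the pattern the article describes.
    result["suspicious"] = bool(result["config_files"]) and result["core_service"]
    return result

if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
    print(triage_apk(build_benign_apk()))
```

The URLs the scanner extracts are what an analyst would feed to blocking or sinkhole checks; the article reports that the three hosts in the real sample are already offline, which is the usual state of affairs by the time a sample is written up.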
As with the DroidDream infections seen in March, Infosecurity notes, Asrar reports that the transferable data includes complete details of the users' smartphone, right down to the IMSI and IMEI numbers.
This allows – in theory at least – the credentials to be 'tumbled' to make fraudulent cellular phone calls.
"At its core, Android.Lightdd is a downloader Trojan, but with certain caveats. The threat is subject to the Android security model, therefore any download attempts will not work, as long as the user does not consent to the installation of the suggested app", he says.
Interestingly, the Symantec researcher notes that all the darkware Android apps seen to date have contained pretty much the same code, making them all downloaders.
"But what is the point of that? Information harvesting, followed by the downloading of additional downloader, doesn't really add up. Or was it to download additional threats with more advanced features later on?" he asks.
Infosecurity notes that Asrar seems to have missed the point that, by generating the IMSI/IMEI pairs – and using a little subterfuge – it becomes possible to make cellular calls as if the original handset were being used, so allowing simple call resale fraud to take place.