Security researchers from Trend Micro have identified a new variant of the DroidDreamLight trojan posing as an APK management app in Google's official Android Market.
The trojanized app is called App Installer and had been downloaded 50 to 100 times before being removed by Google's staff.
Upon installation, the app registers a service called AppUseService which is started every time a phone call is initiated or received.
The app sends device identification data such as model, IMEI, IMSI, language and country to a command and control server. A list of installed apps together with their versions is also uploaded.
This variant uses another name for the encrypted configuration file; however, the DES encryption key is the same as in previous versions.
Because the trojan doesn't use a root exploit to deploy its components, the Trend Micro researchers believe that it employs social engineering to trick users into installing them.
"Based on its code, the malware is capable of showing download/update notifications. That way, all it has to do is use the name of an app from the list retrieved and to display the notification with a malicious link from the server," they explain.
Users can verify if they are infected by going to Settings > Applications > Running Services and checking if AppUseService exists. The malicious application is easy to remove by going to Settings > Applications > Manage Applications and uninstalling the "App Installer" app.
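The same check can be scripted for several devices. The following is an added example, not code from Trend Micro or from the original article: it scans text captured with `adb shell dumpsys activity services` for a running service whose class is named exactly AppUseService. The `ServiceRecord{...}` line layout is assumed from typical Android output, and the package names in the sample are constructed placeholders, since the article does not give the app's package name.

```python
import re

# Service class name reported in the article as the indicator for this variant.
IOC_SERVICE = "AppUseService"

# Assumed line layout: "* ServiceRecord{<id> [u<user>] <package>/<class>}".
# The "u0" user field is absent on older Android releases, so it is optional.
RECORD_RE = re.compile(r"ServiceRecord\{\S+(?: u\d+)? ([\w.]+)/([\w.$]+)\}")


def find_suspect_services(dumpsys_text, ioc=IOC_SERVICE):
    """Return sorted (package, full_class) pairs whose service class is named `ioc`."""
    hits = set()
    for match in RECORD_RE.finditer(dumpsys_text):
        package, cls = match.group(1), match.group(2)
        # A leading dot means the class name is relative to the package name.
        full_class = package + cls if cls.startswith(".") else cls
        # Compare the simple class name only, so that an unrelated class such as
        # "MyAppUseServiceHelper" is not flagged by a substring match.
        if full_class.rsplit(".", 1)[-1] == ioc:
            hits.add((package, full_class))
    return sorted(hits)


# Constructed sample output; package names are placeholders, not real indicators.
SAMPLE = """\
ACTIVITY MANAGER SERVICES (dumpsys activity services)
  * ServiceRecord{40d1a2b8 com.example.placeholder.installer/.AppUseService}
    intent={cmp=com.example.placeholder.installer/.AppUseService}
  * ServiceRecord{41f3c9e0 u0 com.example.music/com.example.music.PlaybackService}
  * ServiceRecord{42aa0110 u0 com.example.stats/.MyAppUseServiceHelper}
"""

if __name__ == "__main__":
    for package, cls in find_suspect_services(SAMPLE):
        print("suspect service:", cls, "in package", package)
```

A match only shows that a service with this class name is running; confirm that it belongs to the "App Installer" app before uninstalling.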
The number of Android trojans has spiked this year, and according to some reports Android users are now two and a half times more likely to encounter malware than they were six months ago. People are advised to install an antivirus solution on their devices. There are several free products available from vendors such as Lookout, AVG, BitDefender or Symantec.