The Google Android Market for apps is supposed to be an apps showplace, but the fact that Google this week yanked down about 50 Android apps it found out were malicious came as something of a jolt to many in the security industry.
"We believe they all had the same malware," said Kevin Mahaffey, CTO at Lookout Mobile Security, which has taken to calling it the DroidDream infection. The apps were released under the Google-registered developer names "Kingmall2010," "we20090202," and "Myournet," which Lookout Mobile suspects are all the same person or group. At least one of the malicious apps is based on stolen software that was trojanized and submitted to Google.
The 50 or so include English, Japanese and Chinese language infected apps that were published under the names "Magic Strobe Light" to "Advanced File Manager" to "Magic Hypnotic Spiral" to "Screaming Sexy Japanese Girls." All were free. Earlier reports said Google Android marketplace had taken down 21 of them, but it's now believed they have all been removed.
This episode of large numbers of malicious Google apps is believed to have been originally discovered by a user of the popular news aggregation site Reddit who spotted the pirated apps, and another online source, Android Police, also took a close look and flagged it. Mahaffey calls it a "community response" to the malicious Google apps, which he notes has been one of the main forces working as a first responder to trouble.
Lookout Mobile and Symantec, which each have Android security software, are among security vendors that have blacklisted the malicious Google apps pinpointed this week, so anyone using their software that downloaded the DroidDream-injected apps would recognize and eliminate it.
Mahaffey says the DroidDream malware exploit process allows it to "break out of the security sandbox on Android," which he notes "you're not supposed to be able to do that." While investigation into the cache of DroidDream malware and what it can do to many types of Android devices is still continuing, Mahaffey says it appears that the ability of the malware to exploit an Android-based device is dependent on how well it's been patched. Patching is problematic since carriers have a role in patching, and it proceeds at intervals that are not necessarily easily perceived.
The DroidDream malware is far worse than anything that has hit the official Google Android Market to date. "There have been instances of spyware, but nothing this bad," Mahaffey said. Most major malware finds have come from independently-posted Android apps, not on the Google Android Market.
Vikram Thakur, Symantec principle security response manager at Symantec, agrees this episode is unprecedented in terms of Google Android market.
Dave Marcus, director of security research and communications at McAfee Labs, said, "What makes these significant is these apps are in the official Android marketplace, not from a third-party marketplace. Analysis has shown that these apps can break out of the typical sandbox that most apps reside in, to potentially gain control over the entire device and its data. In terms of attacks and malware, it doesn't get any worse than root access, which this malware has." McAfee is preparing a podcast about DroidDream.
While still investigating the malicious Google apps, Thakur said it's clear they are designed to act as a downloader for what could be more malware and are designed to "steal information, such as the properties of the phone, the manufacturer's number, much more." The attacker likely has a financial motive for what they're doing, perhaps to push out premium SMS messages.
Thakur said that while Symantec's Android security software today would recognize the malicious apps not unlike the way it might detect a computer virus traditionally, the goal is to further develop defense so that detection, blocking and eradication is based more on behavior.
"We will reach the stage where we will be between the apps," for behavior-based defense, he says. Since Android is still so very new, a lot of research in the vendor community is ongoing to evolve a security defense.
The slew of malicious Google apps is providing a source of study for that. But what happened this week could occur in the future. Most of the malicious Google Android apps to date have been on third-party Web sites, but this week's episode of the malicious Google Apps on the Android market 'calls into question the vetting process," says Thakur. But he adds no one has control over that except Google.
A Google spokesperson said Google has suspended several developers for violations of its policies but was not going to discuss any statements made by others related to the Android sandbox at this time.