Skip Links

Google Android's infected apps spotlight mobile danger

Malware-infected Google Android apps spark community response

By , Network World
March 02, 2011 04:51 PM ET

Network World - The Google Android Market for apps is supposed to be an apps showplace, but the fact that Google this week yanked down about 50 Android apps it found out were malicious came as something of a jolt to many in the security industry.

Background: Google yanks 21 malicious Apps from Android market

"We believe they all had the same malware," said Kevin Mahaffey, CTO at Lookout Mobile Security, which has taken to calling it the DroidDream infection. The apps were released under the Google-registered developer names "Kingmall2010," "we20090202," and "Myournet," which Lookout Mobile suspects are all the same person or group. At least one of the malicious apps is based on stolen software that was trojanized and submitted to Google.

The 50 or so include English, Japanese and Chinese language infected apps that were published under the names "Magic Strobe Light" to "Advanced File Manager" to "Magic Hypnotic Spiral" to "Screaming Sexy Japanese Girls." All were free. Earlier reports said Google Android marketplace had taken down 21 of them, but it's now believed they have all been removed.

This episode of large numbers of malicious Google apps is believed to have been originally discovered by a user of the popular news aggregation site Reddit who spotted the pirated apps, and another online source, Android Police, also took a close look and flagged it. Mahaffey calls it a "community response" to the malicious Google apps, which he notes has been one of the main forces working as a first responder to trouble.

Lookout Mobile and Symantec, which each have Android security software, are among security vendors that have blacklisted the malicious Google apps pinpointed this week, so anyone using their software that downloaded the DroidDream-injected apps would recognize and eliminate it.

Mahaffey says the DroidDream malware exploit process allows it to "break out of the security sandbox on Android," which he notes "you're not supposed to be able to do that." While investigation into the cache of DroidDream malware and what it can do to many types of Android devices is still continuing, Mahaffey says it appears that the ability of the malware to exploit an Android-based device is dependent on how well it's been patched. Patching is problematic since carriers have a role in patching, and it proceeds at intervals that are not necessarily easily perceived.

The DroidDream malware is far worse than anything that has hit the official Google Android Market to date. "There have been instances of spyware, but nothing this bad," Mahaffey said. Most major malware finds have come from independently-posted Android apps, not on the Google Android Market.

Vikram Thakur, Symantec principle security response manager at Symantec, agrees this episode is unprecedented in terms of Google Android market.

Dave Marcus, director of security research and communications at McAfee Labs, said, "What makes these significant is these apps are in the official Android marketplace, not from a third-party marketplace. Analysis has shown that these apps can break out of the typical sandbox that most apps reside in, to potentially gain control over the entire device and its data. In terms of attacks and malware, it doesn't get any worse than root access, which this malware has." McAfee is preparing a podcast about DroidDream.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News