Google still scrambling to recover from DroidDream Android attack

Google, Android manufacturers scurry to address corporate security concerns

By , Network World
March 09, 2011 01:23 PM ET

Network World - Last week's revelation that over 50 apps in Google's Android Market were laden with malware has shaken Google and the security industry to the core.

Background: Google Android's infected apps spotlight mobile danger

The malware-based apps, dubbed DroidDream, have been removed by Google, which says it's "adding a number of measures to help prevent malicious applications using similar exploits from being distributed through Android Market," though it has so far declined to detail what those may be.

But the biggest quandary from the DroidDream episode may be why any Android devices were vulnerable to the attack in the first place, since Google had issued patches for those exploits by last November. (Google says Android 2.2.2 and later versions would not be affected because the hole was closed.)

One underlying problem is that the Android-device manufacturers and carriers that work in tandem to distribute Android-based updates had not uniformly issued patches to their customers for the DroidDream exploit.

While declining to name specific Android device manufacturers and carriers, Google, speaking on background, acknowledges that not all Android devices have been patched. Google usually takes a hands-off approach after issuing open-source code changes to the Android code base, expecting the manufacturers to integrate them into their own customized Android builds. Following the DroidDream revelations, however, Google leapt into action, working directly with manufacturers and carriers to blast out over-the-air updates. The goal is to make sure the underlying security flaws exploited by DroidDream that may still be present in Android devices are addressed.

Google has also directly sent out an auto-uninstall tool it calls "Android Market Security Tool March 2011" to infected Android devices to uninstall the malicious Android apps that were downloaded from Google Market.

Security vendors this week are closely watching this DroidDream episode play out.

"The exploits for this malware have been fixed for months," says Kevin Mahaffey, CTO at Lookout Mobile Security, referring to the exploits known as "Exploid" and "rageagainstthecage" that were used in the malware-laden DroidDream apps that made it into the Google Market. But that doesn't mean that Google's fixes from months ago made it out to the consumer. What the industry is learning, Mahaffey says, is "it's a lot more complicated to patch a phone than a PC."

Anti-malware firm Kaspersky Lab today called Google's handling of the Android malware "debatable." Based on its examination of the so-called "Android Market Security Tool March 2011" that Google has pushed out to Android devices infected with DroidDream, the security vendor says the tool is a "questionable approach."

The Google app uninstaller remotely installs on the affected device, and then "launches itself, obtains root privileges, uninstalls the malicious apps and then deletes itself — without ever asking any user authorization," Kaspersky says in its analysis. "This approach has a number of similarities to the practices employed by malware authors." In addition, Kaspersky criticized Google "for dealing with symptoms while leaving the cause untreated." According to Kaspersky's analysis, "the update doesn't actually close the exploited hole in the Android debugging bridge."
