Google Android's infected apps spotlight mobile danger

The Google Android Market for apps is supposed to be an apps showplace, but the fact that Google this week yanked down about 50 Android apps it found out were malicious came as something of a jolt to many in the security industry.

Background: Google yanks 21 malicious Apps from Android market

"We believe they all had the same malware," said Kevin Mahaffey, CTO at Lookout Mobile Security, which has taken to calling it the DroidDream infection. The apps were released under the Google-registered developer names "Kingmall2010," "we20090202," and "Myournet," which Lookout Mobile suspects are all the same person or group. At least one of the malicious apps is based on stolen software that was trojanized and submitted to Google.

The 50 or so include English-, Japanese- and Chinese-language infected apps that were published under names ranging from "Magic Strobe Light" and "Advanced File Manager" to "Magic Hypnotic Spiral" and "Screaming Sexy Japanese Girls." All were free. Earlier reports said the Google Android marketplace had taken down 21 of them, but it's now believed they have all been removed.

The large batch of malicious Google apps is believed to have been originally discovered by a user of the popular news aggregation site Reddit who spotted the pirated apps; another online source, Android Police, also took a close look and flagged it. Mahaffey calls it a "community response" to the malicious Google apps, which he notes has been one of the main forces working as a first responder to trouble.

Lookout Mobile and Symantec, which each have Android security software, are among the security vendors that have blacklisted the malicious Google apps pinpointed this week, so anyone using their software who downloaded the DroidDream-injected apps would have them recognized and eliminated.

However, Mahaffey acknowledged that Lookout is still working on a tool to wipe the final traces of the malware, specifically what he says is a "root shell" that it leaves behind. That tool is expected to be posted online for free soon.

Mahaffey says the DroidDream malware exploit process allows it to "break out of the security sandbox on Android," adding, "you're not supposed to be able to do that." While investigation into the cache of DroidDream malware and what it can do to many types of Android devices is still continuing, Mahaffey says it appears that the ability of the malware to exploit an Android-based device depends on how well the device has been patched. Patching is problematic since carriers have a role in it, and it proceeds at intervals that are not necessarily easily perceived.

The DroidDream malware is far worse than anything that has hit the official Google Android Market to date. "There have been instances of spyware, but nothing this bad," Mahaffey said. Most major malware finds have come from independently-posted Android apps, not on the Google Android Market.

Vikram Thakur, principal security response manager at Symantec, agrees this episode is unprecedented for the Google Android Market.

Dave Marcus, director of security research and communications at McAfee Labs, said, "What makes these significant is these apps are in the official Android marketplace, not from a third-party marketplace. Analysis has shown that these apps can break out of the typical sandbox that most apps reside in, to potentially gain control over the entire device and its data. In terms of attacks and malware, it doesn't get any worse than root access, which this malware has." McAfee is preparing a podcast about DroidDream.

While still investigating the malicious Google apps, Thakur said it's clear they are designed to act as a downloader for what could be more malware and are designed to "steal information, such as the properties of the phone, the manufacturer's number, much more." The attacker likely has a financial motive for what they're doing, perhaps to push out premium SMS messages.

Thakur said that while Symantec's Android security software today would recognize the malicious apps much the way it might traditionally detect a computer virus, the goal is to further develop defenses so that detection, blocking and eradication are based more on behavior.

"We will reach the stage where we will be between the apps," for behavior-based defense, he says. Since Android is still so very new, a lot of research in the vendor community is ongoing to evolve a security defense.

The slew of malicious Google apps is providing a source of study for that. But what happened this week could occur again in the future. Most of the malicious Google Android apps to date have been on third-party Web sites, but this week's episode of malicious apps on the Android Market "calls into question the vetting process," says Thakur. But he adds that no one has control over that except Google.


Ellen Messmer

Network World