Attacks/Breaches
3/2/2011
04:14 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

50 Android Market Apps Found Harboring Malware

Google takes pirated apps offline, but many Android users' smartphones could still be at risk

It was only a matter of time before the bad guys took advantage of the open Android Market in a big way: Google removed some 50 free apps this week from the store after they were discovered to be carrying malware that "roots" the phone, steals data, and installs a back door.

But the discovery came a few days after the apps hit the Android Market, so an estimated 20,000 to 500,000 users may already have downloaded the infected apps, most of which are pirated versions of legitimate Android apps, including Super Guitar Solo, Music Box, Advanced Barcode Scanner, and Spiderman, mobile security experts say. A user on Reddit first flagged the malware, and then Lookout Security found additional infected apps, all of which contain a piece of malware called DroidDream.

Google doesn't vet or security-scan apps submitted to its open, community-based app market, but security experts say the invasion of rogue apps could ultimately pressure the search engine giant to add some form of vetting applications before they hit the Market. It's all based on user comments and rankings of apps, and notifications to the user on what functions in the phone the app wants to use before he downloads it. "It's totally up to the user," says Chris Wysopal, CTO of Veracode. "This is not really working."

Google was not available to comment on any plans to change up the app submission process.

Security experts had been predicting that Android's open market could backfire. Apple does some security vetting of apps for the iPhone. "We knew this was going to happen," Wysopal says, noting that the discovery syncs with worries that cybercriminals would eventually spread malware by modifying legitimate apps. "This is something we've seen a lot in China, and with the original Windows Mobile [platform]," he says.

Wysopal says Google may have to start at least scanning apps for known malware threats. The so-called "rageagainstthecage" rooting exploit and DroidDream were both known pieces of malware that could have been detected, he says.

Google's Android platform has been on a major growth spurt, and with that popularity comes a big bull's eye. Just this week, researchers found a new Trojan called Android.Pjapps in legitimate Android apps and that builds a botnet.

"[Android] becomes more attractive as a target as its adoption grows," says Andy Chou, chief scientist and co-founder of Coverity. "And the number of smartphones is expected to exceed the number of PC's soon."

Chou says an even bigger opportunity for the bad guys is going after the Android platform itself. He recently scanned a development version of the Android OS he got from Google, MSM Development Branch 2.6.35, in which he found a total of 149 software defects, 22 of which were considered "high risk." Chou gave his findings to Google.

"Attacks on the core operating system or other components that are widely distributed would be more severe," Chou says. "Ultimately, we will see attacks at that level as the platform becomes more widely deployed."

One of the biggest challenges here is how different vendors customize the Android OS, and even use different versions on it for their platforms, making patching difficult.

Meanwhile, the DroidDream-infested Android apps so far appear to be the handiwork of a single developer who used three different developer names, "Kingmall2010," "we20090202," and "Myournet." Kevin Mahaffey, co-founder and CTO at mobile security provider Lookout Security, says Lookout's research was able to discern it was just one developer due to the way he packaged the apps.

The infected apps gain root control of the smartphone, which means the attacker can get hold of any data on the phone. "What's really scary is that it's capable of downloading new code and installing that on the phone ... so it could install a botnet or spyware," Veracode's Wysopal says.

So when Google remotely "wipes" or "kills" the bad apps from Androids, the device remains rooted, he notes. "As far as I know, there are not tools yet to clean this up. You have to completely restart the device from scratch and reset it to its factory-state," he says.

Wysopal says having rooted Androids out there is dangerous. "This gets fixed in Android 2.2. and 2.3, but one of problems with the Android market is the OS is very fragmented ... there are providers that customize it and aren't able to patch for that vulnerability," he says. So even if there's a fix issued for the root, a lot of Androids are running older versions of the OS that can't get updated.

"So some other guy can do the same thing all over again. What's to stop this [attack] from happening again tomorrow?" Wysopal says.

Lookout's Mahaffey says his company is working on a cleanup tool and hopes to release it shortly, and that its mobile anti-malware service now catches DroidDream, although the new unknown variant used in the rogue apps slipped by it initially. "We caught them last night," he says.

It's unclear just what the attackers behind the rogue apps are after, however. Mahaffey says the command-and-control function isn't actively sending commands, so it may just be in the experimental phase.

"What they are doing is a little bit of a mystery," Veracode's Wysopal says. "The attacker may be exploring building mobile botnets ... they likely are going to use them for what we've seen in special-purpose malware: premium SMS dialing and ad-click fraud."

A Kaspersky Lab researcher studying the Super Guitar Solo app says it can get the product ID, device type, language, country, and userID, as well as other information on the phone, which can be uploaded to a remote server.

"This discovery is important because up until now most of the Android malware has been found outside of the Android Market, which requires a number of special steps to be taken in order to infect the phones. In this case, users are even able to install from the web with the new Android Market format," he blogged.

A complete list of the phony and malicious Android apps is here from Symantec.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2963
Published: 2014-07-10
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

CVE-2014-3310
Published: 2014-07-10
The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center does not verify that a requested file was an offered file, which allows remote attackers to read arbitrary files via a modified request, aka Bug IDs CSCup62442 and CSCup58463.

CVE-2014-3311
Published: 2014-07-10
Heap-based buffer overflow in the file-sharing feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center allows remote attackers to execute arbitrary code via crafted data, aka Bug IDs CSCup62463 and CSCup58467.

CVE-2014-3315
Published: 2014-07-10
Cross-site scripting (XSS) vulnerability in viewfilecontents.do in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCup76308.

CVE-2014-3316
Published: 2014-07-10
The Multiple Analyzer in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote authenticated users to bypass intended upload restrictions via a crafted parameter, aka Bug ID CSCup76297.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.