Attacks/Breaches
3/2/2011
04:14 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

50 Android Market Apps Found Harboring Malware

Google takes pirated apps offline, but many Android users' smartphones could still be at risk

It was only a matter of time before the bad guys took advantage of the open Android Market in a big way: Google removed some 50 free apps this week from the store after they were discovered to be carrying malware that "roots" the phone, steals data, and installs a back door.

But the discovery came a few days after the apps hit the Android Market, so an estimated 20,000 to 500,000 users may already have downloaded the infected apps, most of which are pirated versions of legitimate Android apps, including Super Guitar Solo, Music Box, Advanced Barcode Scanner, and Spiderman, mobile security experts say. A user on Reddit first flagged the malware, and then Lookout Security found additional infected apps, all of which contain a piece of malware called DroidDream.

Google doesn't vet or security-scan apps submitted to its open, community-based app market, but security experts say the invasion of rogue apps could ultimately pressure the search engine giant to add some form of vetting applications before they hit the Market. It's all based on user comments and rankings of apps, and notifications to the user on what functions in the phone the app wants to use before he downloads it. "It's totally up to the user," says Chris Wysopal, CTO of Veracode. "This is not really working."

Google was not available to comment on any plans to change up the app submission process.

Security experts had been predicting that Android's open market could backfire. Apple does some security vetting of apps for the iPhone. "We knew this was going to happen," Wysopal says, noting that the discovery syncs with worries that cybercriminals would eventually spread malware by modifying legitimate apps. "This is something we've seen a lot in China, and with the original Windows Mobile [platform]," he says.

Wysopal says Google may have to start at least scanning apps for known malware threats. The so-called "rageagainstthecage" rooting exploit and DroidDream were both known pieces of malware that could have been detected, he says.

Google's Android platform has been on a major growth spurt, and with that popularity comes a big bull's eye. Just this week, researchers found a new Trojan called Android.Pjapps in legitimate Android apps and that builds a botnet.

"[Android] becomes more attractive as a target as its adoption grows," says Andy Chou, chief scientist and co-founder of Coverity. "And the number of smartphones is expected to exceed the number of PC's soon."

Chou says an even bigger opportunity for the bad guys is going after the Android platform itself. He recently scanned a development version of the Android OS he got from Google, MSM Development Branch 2.6.35, in which he found a total of 149 software defects, 22 of which were considered "high risk." Chou gave his findings to Google.

"Attacks on the core operating system or other components that are widely distributed would be more severe," Chou says. "Ultimately, we will see attacks at that level as the platform becomes more widely deployed."

One of the biggest challenges here is how different vendors customize the Android OS, and even use different versions on it for their platforms, making patching difficult.

Meanwhile, the DroidDream-infested Android apps so far appear to be the handiwork of a single developer who used three different developer names, "Kingmall2010," "we20090202," and "Myournet." Kevin Mahaffey, co-founder and CTO at mobile security provider Lookout Security, says Lookout's research was able to discern it was just one developer due to the way he packaged the apps.

The infected apps gain root control of the smartphone, which means the attacker can get hold of any data on the phone. "What's really scary is that it's capable of downloading new code and installing that on the phone ... so it could install a botnet or spyware," Veracode's Wysopal says.

So when Google remotely "wipes" or "kills" the bad apps from Androids, the device remains rooted, he notes. "As far as I know, there are not tools yet to clean this up. You have to completely restart the device from scratch and reset it to its factory-state," he says.

Wysopal says having rooted Androids out there is dangerous. "This gets fixed in Android 2.2. and 2.3, but one of problems with the Android market is the OS is very fragmented ... there are providers that customize it and aren't able to patch for that vulnerability," he says. So even if there's a fix issued for the root, a lot of Androids are running older versions of the OS that can't get updated.

"So some other guy can do the same thing all over again. What's to stop this [attack] from happening again tomorrow?" Wysopal says.

Lookout's Mahaffey says his company is working on a cleanup tool and hopes to release it shortly, and that its mobile anti-malware service now catches DroidDream, although the new unknown variant used in the rogue apps slipped by it initially. "We caught them last night," he says.

It's unclear just what the attackers behind the rogue apps are after, however. Mahaffey says the command-and-control function isn't actively sending commands, so it may just be in the experimental phase.

"What they are doing is a little bit of a mystery," Veracode's Wysopal says. "The attacker may be exploring building mobile botnets ... they likely are going to use them for what we've seen in special-purpose malware: premium SMS dialing and ad-click fraud."

A Kaspersky Lab researcher studying the Super Guitar Solo app says it can get the product ID, device type, language, country, and userID, as well as other information on the phone, which can be uploaded to a remote server.

"This discovery is important because up until now most of the Android malware has been found outside of the Android Market, which requires a number of special steps to be taken in order to infect the phones. In this case, users are even able to install from the web with the new Android Market format," he blogged.

A complete list of the phony and malicious Android apps is here from Symantec.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web