Risk
6/1/2011
03:46 PM
Connect Directly
RSS
E-Mail
50%
50%

Google Removes Malware Apps From Android Market

Twenty-six applications containing DroidDreamLight were deleted from the Android Market, and Google suspended six developer accounts for hosting apps with the malware.

Google this week removed a swath of applications from the official Android Market that were found to contain malware known as "DroidDream Light," which is designed to compromise people's data. As part of that effort, Google also apparently suspended six developer accounts--BeeGoo, DroidPlus, E.T. Tean, GluMobi, Magic Photo Studio, and Mango Studio--that had hosted applications containing the malware.

All told, 26 applications were found to contain DroidDream Lite, which is a stripped-down version of DroidDream. An estimated 30,000 to 120,000 users had downloaded the applications infected with DroidDream Lite. According to Tim Wyatt, principal engineer at security firm Lookout, the malware was "likely created by the same developers who brought DroidDream to market back in March," he said in a blog post.

Lookout found the malware-laden applications "thanks to a tip from a developer who notified us that modified versions of his app and another developer's app were being distributed in the Android Market," said Wyatt. "Our security team confirmed that there was malicious code grafted into these apps and identified markers associating this code with previously analyzed DroidDream samples." Lookout then identified a further 24 infected applications and contacted Google, which rapidly removed the applications.

"We've suspended a number of suspicious applications from Android Market and are continuing to investigate them," a Google spokesperson said in an email on Wednesday. But Google declined to comment on how many people might have been affected, or whether it would use its Android kill switch to remotely purge the infected apps from users' smartphones.

DroidDream Lite is dangerous because it can work without users launching the program in which it's hidden. According to a Juniper Networks blog post, "the malicious code is invoked upon receipt of a phone call, which kicks off the gathering and transmitting of the device's IMEI number, IMSI number, a list of installed applications, the device model, and the SDK version to a third party server." The International Mobile Equipment Identity (IMEA) is a number--typically unique-- that's used to identify a mobile device, while the International Mobile Subscriber Identity is a unique number used to identify a subscriber.

As with DroidDream, which infected 260,000 Android smartphones, "DroidDream Lite is then capable of downloading and installing additional applications to the device which could come with any number of different malicious capabilities," said Juniper. But DroidDream Lite doesn't appear to be able to install these applications silently, meaning that some user interaction would be required.

Juniper warned any Android users who had downloaded these applications to watch out for possible attacks from third-party servers that might try to push new applications. "It is possible that the device-identifying information that is collected will be used to register the device to the third-party server and used to allow infected devices to download the additional applications," said Juniper.

Last month, the networking vendor published research showing that since the summer of 2010, attacks against devices that use the Android operating system had jumped by 400%. Juniper attributed this increase to the powerful Android software development kit, freely distributed by Google to increase interest in its operating system, as well as a majority of smartphone users failing to run antivirus software on their devices.

Innovative IT shops are turning the mobile device management challenge into a business opportunity--and showing that we can help people be more connected and collaborative, regardless of location. Read the new report from InformationWeek Analytics. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

CVE-2014-0600
Published: 2014-08-29
FileUploadServlet in the Administration service in Novell GroupWise 2014 before SP1 allows remote attackers to read or write to arbitrary files via the poLibMaintenanceFileSave parameter, aka ZDI-CAN-2287.

CVE-2014-0888
Published: 2014-08-29
IBM Worklight Foundation 5.x and 6.x before 6.2.0.0, as used in Worklight and Mobile Foundation, allows remote authenticated users to bypass the application-authenticity feature via unspecified vectors.

CVE-2014-0897
Published: 2014-08-29
The Configuration Patterns component in IBM Flex System Manager (FSM) 1.2.0.x, 1.2.1.x, 1.3.0.x, and 1.3.1.x uses a weak algorithm in an encryption step during Chassis Management Module (CMM) account creation, which makes it easier for remote authenticated users to defeat cryptographic protection me...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.