Risk
6/1/2011
03:46 PM
50%
50%

Google Removes Malware Apps From Android Market

Twenty-six applications containing DroidDreamLight were deleted from the Android Market, and Google suspended six developer accounts for hosting apps with the malware.

Google this week removed a swath of applications from the official Android Market that were found to contain malware known as "DroidDream Light," which is designed to compromise people's data. As part of that effort, Google also apparently suspended six developer accounts--BeeGoo, DroidPlus, E.T. Tean, GluMobi, Magic Photo Studio, and Mango Studio--that had hosted applications containing the malware.

All told, 26 applications were found to contain DroidDream Lite, which is a stripped-down version of DroidDream. An estimated 30,000 to 120,000 users had downloaded the applications infected with DroidDream Lite. According to Tim Wyatt, principal engineer at security firm Lookout, the malware was "likely created by the same developers who brought DroidDream to market back in March," he said in a blog post.

Lookout found the malware-laden applications "thanks to a tip from a developer who notified us that modified versions of his app and another developer's app were being distributed in the Android Market," said Wyatt. "Our security team confirmed that there was malicious code grafted into these apps and identified markers associating this code with previously analyzed DroidDream samples." Lookout then identified a further 24 infected applications and contacted Google, which rapidly removed the applications.

"We've suspended a number of suspicious applications from Android Market and are continuing to investigate them," a Google spokesperson said in an email on Wednesday. But Google declined to comment on how many people might have been affected, or whether it would use its Android kill switch to remotely purge the infected apps from users' smartphones.

DroidDream Lite is dangerous because it can work without users launching the program in which it's hidden. According to a Juniper Networks blog post, "the malicious code is invoked upon receipt of a phone call, which kicks off the gathering and transmitting of the device's IMEI number, IMSI number, a list of installed applications, the device model, and the SDK version to a third party server." The International Mobile Equipment Identity (IMEA) is a number--typically unique-- that's used to identify a mobile device, while the International Mobile Subscriber Identity is a unique number used to identify a subscriber.

As with DroidDream, which infected 260,000 Android smartphones, "DroidDream Lite is then capable of downloading and installing additional applications to the device which could come with any number of different malicious capabilities," said Juniper. But DroidDream Lite doesn't appear to be able to install these applications silently, meaning that some user interaction would be required.

Juniper warned any Android users who had downloaded these applications to watch out for possible attacks from third-party servers that might try to push new applications. "It is possible that the device-identifying information that is collected will be used to register the device to the third-party server and used to allow infected devices to download the additional applications," said Juniper.

Last month, the networking vendor published research showing that since the summer of 2010, attacks against devices that use the Android operating system had jumped by 400%. Juniper attributed this increase to the powerful Android software development kit, freely distributed by Google to increase interest in its operating system, as well as a majority of smartphone users failing to run antivirus software on their devices.

Innovative IT shops are turning the mobile device management challenge into a business opportunity--and showing that we can help people be more connected and collaborative, regardless of location. Read the new report from InformationWeek Analytics. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7266
Published: 2015-02-01
Algorithmic complexity vulnerability in Cybozu Remote Service Manager through 2.3.0 and 3.x through 3.1.2 allows remote attackers to cause a denial of service (CPU consumption) via vectors that trigger colliding hash-table keys. NOTE: this vulnerability exists because of an incomplete fix for CVE-2...

CVE-2014-7269
Published: 2015-02-01
ASUS JAPAN RT-AC87U routers with firmware 3.0.0.4.378.3754 and earlier, RT-AC68U routers with firmware 3.0.0.4.376.3715 and earlier, RT-AC56S routers with firmware 3.0.0.4.376.3715 and earlier, RT-N66U routers with firmware 3.0.0.4.376.3715 and earlier, and RT-N56U routers with firmware 3.0.0.4.376....

CVE-2014-7270
Published: 2015-02-01
Cross-site request forgery (CSRF) vulnerability on ASUS JAPAN RT-AC87U routers with firmware 3.0.0.4.378.3754 and earlier, RT-AC68U routers with firmware 3.0.0.4.376.3715 and earlier, RT-AC56S routers with firmware 3.0.0.4.376.3715 and earlier, RT-N66U routers with firmware 3.0.0.4.376.3715 and earl...

CVE-2014-8630
Published: 2015-02-01
Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shel...

CVE-2014-9200
Published: 2015-02-01
Stack-based buffer overflow in an unspecified DLL file in a DTM development kit in Schneider Electric Unity Pro, SoMachine, SoMove, SoMove Lite, Modbus Communication Library 2.2.6 and earlier, CANopen Communication Library 1.0.2 and earlier, EtherNet/IP Communication Library 1.0.0 and earlier, EM X8...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.