Risk

6/1/2011
03:46 PM
50%
50%

Google Removes Malware Apps From Android Market

Twenty-six applications containing DroidDreamLight were deleted from the Android Market, and Google suspended six developer accounts for hosting apps with the malware.

Google this week removed a swath of applications from the official Android Market that were found to contain malware known as "DroidDream Light," which is designed to compromise people's data. As part of that effort, Google also apparently suspended six developer accounts--BeeGoo, DroidPlus, E.T. Tean, GluMobi, Magic Photo Studio, and Mango Studio--that had hosted applications containing the malware.

All told, 26 applications were found to contain DroidDream Lite, which is a stripped-down version of DroidDream. An estimated 30,000 to 120,000 users had downloaded the applications infected with DroidDream Lite. According to Tim Wyatt, principal engineer at security firm Lookout, the malware was "likely created by the same developers who brought DroidDream to market back in March," he said in a blog post.

Lookout found the malware-laden applications "thanks to a tip from a developer who notified us that modified versions of his app and another developer's app were being distributed in the Android Market," said Wyatt. "Our security team confirmed that there was malicious code grafted into these apps and identified markers associating this code with previously analyzed DroidDream samples." Lookout then identified a further 24 infected applications and contacted Google, which rapidly removed the applications.

"We've suspended a number of suspicious applications from Android Market and are continuing to investigate them," a Google spokesperson said in an email on Wednesday. But Google declined to comment on how many people might have been affected, or whether it would use its Android kill switch to remotely purge the infected apps from users' smartphones.

DroidDream Lite is dangerous because it can work without users launching the program in which it's hidden. According to a Juniper Networks blog post, "the malicious code is invoked upon receipt of a phone call, which kicks off the gathering and transmitting of the device's IMEI number, IMSI number, a list of installed applications, the device model, and the SDK version to a third party server." The International Mobile Equipment Identity (IMEA) is a number--typically unique-- that's used to identify a mobile device, while the International Mobile Subscriber Identity is a unique number used to identify a subscriber.

As with DroidDream, which infected 260,000 Android smartphones, "DroidDream Lite is then capable of downloading and installing additional applications to the device which could come with any number of different malicious capabilities," said Juniper. But DroidDream Lite doesn't appear to be able to install these applications silently, meaning that some user interaction would be required.

Juniper warned any Android users who had downloaded these applications to watch out for possible attacks from third-party servers that might try to push new applications. "It is possible that the device-identifying information that is collected will be used to register the device to the third-party server and used to allow infected devices to download the additional applications," said Juniper.

Last month, the networking vendor published research showing that since the summer of 2010, attacks against devices that use the Android operating system had jumped by 400%. Juniper attributed this increase to the powerful Android software development kit, freely distributed by Google to increase interest in its operating system, as well as a majority of smartphone users failing to run antivirus software on their devices.

Innovative IT shops are turning the mobile device management challenge into a business opportunity--and showing that we can help people be more connected and collaborative, regardless of location. Read the new report from InformationWeek Analytics. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.