Risk
6/1/2011
03:46 PM
50%
50%

Google Removes Malware Apps From Android Market

Twenty-six applications containing DroidDreamLight were deleted from the Android Market, and Google suspended six developer accounts for hosting apps with the malware.

Google this week removed a swath of applications from the official Android Market that were found to contain malware known as "DroidDream Light," which is designed to compromise people's data. As part of that effort, Google also apparently suspended six developer accounts--BeeGoo, DroidPlus, E.T. Tean, GluMobi, Magic Photo Studio, and Mango Studio--that had hosted applications containing the malware.

All told, 26 applications were found to contain DroidDream Lite, which is a stripped-down version of DroidDream. An estimated 30,000 to 120,000 users had downloaded the applications infected with DroidDream Lite. According to Tim Wyatt, principal engineer at security firm Lookout, the malware was "likely created by the same developers who brought DroidDream to market back in March," he said in a blog post.

Lookout found the malware-laden applications "thanks to a tip from a developer who notified us that modified versions of his app and another developer's app were being distributed in the Android Market," said Wyatt. "Our security team confirmed that there was malicious code grafted into these apps and identified markers associating this code with previously analyzed DroidDream samples." Lookout then identified a further 24 infected applications and contacted Google, which rapidly removed the applications.

"We've suspended a number of suspicious applications from Android Market and are continuing to investigate them," a Google spokesperson said in an email on Wednesday. But Google declined to comment on how many people might have been affected, or whether it would use its Android kill switch to remotely purge the infected apps from users' smartphones.

DroidDream Lite is dangerous because it can work without users launching the program in which it's hidden. According to a Juniper Networks blog post, "the malicious code is invoked upon receipt of a phone call, which kicks off the gathering and transmitting of the device's IMEI number, IMSI number, a list of installed applications, the device model, and the SDK version to a third party server." The International Mobile Equipment Identity (IMEA) is a number--typically unique-- that's used to identify a mobile device, while the International Mobile Subscriber Identity is a unique number used to identify a subscriber.

As with DroidDream, which infected 260,000 Android smartphones, "DroidDream Lite is then capable of downloading and installing additional applications to the device which could come with any number of different malicious capabilities," said Juniper. But DroidDream Lite doesn't appear to be able to install these applications silently, meaning that some user interaction would be required.

Juniper warned any Android users who had downloaded these applications to watch out for possible attacks from third-party servers that might try to push new applications. "It is possible that the device-identifying information that is collected will be used to register the device to the third-party server and used to allow infected devices to download the additional applications," said Juniper.

Last month, the networking vendor published research showing that since the summer of 2010, attacks against devices that use the Android operating system had jumped by 400%. Juniper attributed this increase to the powerful Android software development kit, freely distributed by Google to increase interest in its operating system, as well as a majority of smartphone users failing to run antivirus software on their devices.

Innovative IT shops are turning the mobile device management challenge into a business opportunity--and showing that we can help people be more connected and collaborative, regardless of location. Read the new report from InformationWeek Analytics. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Things Every Business Executive Should Know About Cybersecurity
Don't get lost in security's technical minutiae - a clearer picture of what's at stake can help align business imperatives with technology execution.
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.