Welcome Guest. | Log In | Register | Membership Benefits

50 Android Market Apps Found Harboring Malware

Google takes pirated apps offline, but many Android users' smartphones could still be at risk

Mar 02, 2011 | 04:14 PM | 

By Kelly Jackson Higgins
Dark Reading
It was only a matter of time before the bad guys took advantage of the open Android Market in a big way: Google removed some 50 free apps this week from the store after they were discovered to be carrying malware that "roots" the phone, steals data, and installs a back door.

But the discovery came a few days after the apps hit the Android Market, so an estimated 20,000 to 500,000 users may already have downloaded the infected apps, most of which are pirated versions of legitimate Android apps, including Super Guitar Solo, Music Box, Advanced Barcode Scanner, and Spiderman, mobile security experts say. A user on Reddit first flagged the malware, and then Lookout Security found additional infected apps, all of which contain a piece of malware called DroidDream.

Google doesn't vet or security-scan apps submitted to its open, community-based app market, but security experts say the invasion of rogue apps could ultimately pressure the search engine giant to add some form of vetting applications before they hit the Market. It's all based on user comments and rankings of apps, and notifications to the user on what functions in the phone the app wants to use before he downloads it. "It's totally up to the user," says Chris Wysopal, CTO of Veracode. "This is not really working."

Google was not available to comment on any plans to change up the app submission process.

Security experts had been predicting that Android's open market could backfire. Apple does some security vetting of apps for the iPhone. "We knew this was going to happen," Wysopal says, noting that the discovery syncs with worries that cybercriminals would eventually spread malware by modifying legitimate apps. "This is something we've seen a lot in China, and with the original Windows Mobile [platform]," he says.

Wysopal says Google may have to start at least scanning apps for known malware threats. The so-called "rageagainstthecage" rooting exploit and DroidDream were both known pieces of malware that could have been detected, he says.

Google's Android platform has been on a major growth spurt, and with that popularity comes a big bull's eye. Just this week, researchers found a new Trojan called Android.Pjapps in legitimate Android apps and that builds a botnet.

"[Android] becomes more attractive as a target as its adoption grows," says Andy Chou, chief scientist and co-founder of Coverity. "And the number of smartphones is expected to exceed the number of PC's soon."

Chou says an even bigger opportunity for the bad guys is going after the Android platform itself. He recently scanned a development version of the Android OS he got from Google, MSM Development Branch 2.6.35, in which he found a total of 149 software defects, 22 of which were considered "high risk." Chou gave his findings to Google.

"Attacks on the core operating system or other components that are widely distributed would be more severe," Chou says. "Ultimately, we will see attacks at that level as the platform becomes more widely deployed."

One of the biggest challenges here is how different vendors customize the Android OS, and even use different versions on it for their platforms, making patching difficult.

Meanwhile, the DroidDream-infested Android apps so far appear to be the handiwork of a single developer who used three different developer names, "Kingmall2010," "we20090202," and "Myournet." Kevin Mahaffey, co-founder and CTO at mobile security provider Lookout Security, says Lookout's research was able to discern it was just one developer due to the way he packaged the apps.

The infected apps gain root control of the smartphone, which means the attacker can get hold of any data on the phone. "What's really scary is that it's capable of downloading new code and installing that on the phone ... so it could install a botnet or spyware," Veracode's Wysopal says.

So when Google remotely "wipes" or "kills" the bad apps from Androids, the device remains rooted, he notes. "As far as I know, there are not tools yet to clean this up. You have to completely restart the device from scratch and reset it to its factory-state," he says.

Wysopal says having rooted Androids out there is dangerous. "This gets fixed in Android 2.2. and 2.3, but one of problems with the Android market is the OS is very fragmented ... there are providers that customize it and aren't able to patch for that vulnerability," he says. So even if there's a fix issued for the root, a lot of Androids are running older versions of the OS that can't get updated.

"So some other guy can do the same thing all over again. What's to stop this [attack] from happening again tomorrow?" Wysopal says.

Lookout's Mahaffey says his company is working on a cleanup tool and hopes to release it shortly, and that its mobile anti-malware service now catches DroidDream, although the new unknown variant used in the rogue apps slipped by it initially. "We caught them last night," he says.

It's unclear just what the attackers behind the rogue apps are after, however. Mahaffey says the command-and-control function isn't actively sending commands, so it may just be in the experimental phase.

"What they are doing is a little bit of a mystery," Veracode's Wysopal says. "The attacker may be exploring building mobile botnets ... they likely are going to use them for what we've seen in special-purpose malware: premium SMS dialing and ad-click fraud."

A Kaspersky Lab researcher studying the Super Guitar Solo app says it can get the product ID, device type, language, country, and userID, as well as other information on the phone, which can be uploaded to a remote server.

"This discovery is important because up until now most of the Android malware has been found outside of the Android Market, which requires a number of special steps to be taken in order to infect the phones. In this case, users are even able to install from the web with the new Android Market format," he blogged.

A complete list of the phony and malicious Android apps is here from Symantec.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.



Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dark Reading encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dark Reading moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Dark Reading further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
Subscribe to RSS



Security Services Reports

report Using Service Providers To Manage DDoS Threats
When it comes to the battle against distributed denial-of-service attacks, you are not alone. With the increasing use of third-party service providers, your organization likely has a huge arsenal of bandwidth, technology and know-how at its disposal. The challenge is to effectively marshal those resources among your providers and integrate them with your own security measures into a strategic and comprehensive DDoS protection plan.

report Hosted Web Security Services: Block Malware Before Your Border
Security service providers are now delivering a wide range of packaged offerings, including Web content filtering, anti-malware, data leak prevention, and many other capabilities. How can your organization take advantage of these Web security services, and how can you choose the right provider? This Dark Reading Tech Center report offers a look at these services and some recommendations on how best to implement them.

report You've Got (Secure) Mail: Using Service Providers to Boost Protection
The SaaS market is still in its infancy, but hosted e-mail security firms are leading the way, thanks to ease of implementation and many obvious benefits. Still, these services are not without risks. In this Dark Reading Tech Center report, we'll discuss how to determine what mix of in-house and hosted email security makes sense for your organization.

Other reports from the Security Services Tech Center:

Related Content

Establishing a Formal Cyber Intelligence Capability
Organizations are realizing that advanced intelligence capabilities consistently deliver substantial cost savings - with proactive insights on true threats, the intelligence to avoid false alarms, and the system and application availability required to preserve revenues and customer loyalty. But achieving these benefits requires organizations to establish a formal cyber intelligence capability. Read this whitepaper to learn about a proven, repeatable process with clearly established steps for setting up an in-house cyber security intelligence operation.

DDoS Mitigation: Best Practices for a Rapidly Changing Threat Landscape
Although DDoS attacks have become a mainstay of hackers' arsenals, their profile has changed considerably in the past year, making them an even greater threat to companies that conduct business online. DDoS attacks are larger, stealthier, more targeted, and more sophisticated than ever. Get best practices to enable your organization to keep pace with DDoS attacks while minimizing impact on business operations.

2012 Cyber Crime Threats and Trends
Get the highlights of 2011 cyber security trends and how those trends and others might unfold in 2012. This report is a strategic complement to daily tactical intelligence reports and provides IT security and business operations with actionable and relevant decision support.

Using Hybrid Routing to Optimize DNS Resolution Performance and Reliability
To create a satisfactory end user experience, enterprises must ensure that DNS resolution is fast and reliable. Learn more about how using a hybrid routing solution can greatly maximize performance while minimizing latency-and address your business' specific needs along the way.

A Cost Analysis of Approaches To DDoS Protection.
All organizations with an online presence or dependence on Internet-based systems need to fortify their defenses against DDoS attacks. DDoS can cost an organization in tangible losses and in more subtle ways. Read this whitepaper for a deeper perspective on the cost benefits of a dedicated, cloud-based DDoS service over an in-house hardware solution or over-provisioning through your ISP.




Featured Webcasts
Featured Whitepapers
Featured Reports