The apps had been available in the Android Market for more than two months, and had been downloaded more than 210,000 times, according to researchers at NC State University. These researchers initially identified the so-called Plankton code as malicious in the apps, as well as a possible new Android Trojan called YZHCSMS infecting other apps.
But as of this post, mobile security experts at Lookout Security have not yet confirmed whether these two new Android samples are officially malware or just aggressive spyware-type code used for marketing purposes.
"These two families are a lot more of a gray area than previous pieces of malware in Android," says Kevin Mahaffey, CTO and founder of Lookout, who says his firm is still studying the code. "Plankton doesn't actually look like malware," he says. "A component in it claims to gather your browsing history and put bookmarks into your phone ... But it links to a EULA [End User License Agreement] that is upfront that this framework" operates that way, he says.
"It's not clear to us that it's malicious in its intent. Do you want this on your phone? Probably not. This is the world of gray in mobile apps," he says.
Among the apps on the Android Market found by NC State with Plankton are those from developer Crazy Apps: Shake To Fake (Fake call); Angry Birds Rio Unlock; Angry Birds Cheater; Angry Birds Multi User!; Favorite Games Backup; Call Ender; Bring Me Back My Droid!; and Chit Chat. Other infested apps were Guess the Logo and Snake Kaka, according to Xuxian Jiang, the NC State researcher who reported the findings today. Jiang and his team earlier this month spotted an Android malware family called DroidKungFu that can "root" Android smartphones.
Jiang says that Google had removed the 10 Plankton apps.
A Google spokesperson did not confirm any numbers, but says the apps were "suspicious." "We're aware of and have suspended a number of suspicious applications from Android Market. We remove apps and developer accounts that violate our policies," the spokesperson said.
According to NC State, Plankton appears to operate as stealthy botnet code that hides out and collects the Android device ID and host app permissions, and then shoots that data to a remote command-and-control server. The phone is then loaded with code that accesses bookmarks, browsing history, and the runtime log. Xiang and his team say that while Plankton is currently only performing data-harvesting, it has the ability to deliver root exploits that could gain total control of the phone.
There's no official count yet from NC State on the number of apps rigged with the YZHCSMS code, but so far only one app was found to have it on the Android Market -- and Google has removed it, Jiang says. "It mainly targets alternative [Android app] markets," Jiang says.
YZHCSMS grabs premium phone numbers from a remote server and then sends SMS text messages that get charged to the victim's phone every 50 minutes, according to NC State. The bizarre part about the code is that it erases the SMS messages as well as any billing text messages from the phone's service provider in an attempt to keep the ruse going. It was sitting in the Android Market for at least three months, and has also been spotted in alternative Chinese app markets and forums.
Mobile devices are the next big attack vector, and Google's Android is becoming a major target for attackers -- mainly due to its open architecture as well as the wide open Android Market.
But Lookout's Mahaffey says it's become increasingly difficult to determine whether mobile apps are actually malicious or merely too invasive. And if they are just too invasive, it's also hard to assess whether that's purposeful or inadvertent.
Even if the EULA says the app reads your browser history, that doesn't necessarily make it OK, he says. "I don't want it to read my browser," he says. "This is a really important milestone for the mobile world: You have to be careful when looking at what these apps are doing. And a lot of times, it's not clear on what the judgment call of what it is."
In March, Google removed some 50 free apps from the Android Market store after they were discovered to be carrying malware that "roots" the phone, steals data, and installs a back door. An estimated 20,000 to 500,000 users had downloaded the infected apps, most of which were pirated versions of legitimate Android apps, including Super Guitar Solo, Music Box, Advanced Barcode Scanner, and Spiderman, mobile security experts say.
"Two things are what attackers go after [on Android]: control [of] your phones or access [to] your data," Jiang says. A copy of the abstract of NC State's findings are available here.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.