
Google yanks over 50 infected apps from Android Market

Could trigger remote removal to delete malicious apps from users' phones

Google has pulled more than 50 malware-infected apps from its Android Market, but hasn't yet triggered automatic uninstalls of those programs from users' phones, security experts said today.

"The apps were 'Trojanized,' for a better word," said Tom Parsons, a senior manager with Symantec's security response team. "With the phones being 'rooted,' the attacks can do almost anything, including pulling data off the phone," he said, referring to the malware's ability to gain root access to the devices.

The apps were available for about four days on the Android Market, Google's official app store. According to San Francisco-based smartphone security firm Lookout, between 50,000 and 200,000 copies of the apps were downloaded by users.

All the apps were infected with the same malicious code, said Kevin Mahaffey, the CTO of Lookout, and came from three different publishers. The malware, dubbed "DreamDroid," lets attackers compromise Android smartphones, then connect them to a command-and-control (C&C) server, which can issue orders to the devices.

In some cases, the malicious apps were pirated versions of legitimate Android software.

Mahaffey called the appearance of so many infected apps on the official Android Market a turning point in mobile malware. "This was a tier 1 market that had a significant number of malicious apps that were downloaded a significant number of times," he said.

Previously, malware-infected Android apps, like the bogus "Steamy Window" app that Symantec discovered Monday, were posted on third-party download sites, not Google's own e-mart.

Mahaffey confirmed that Google has yanked the 50-some apps from the Android Market, but said that as of late last night, the mobile OS maker had not pulled those apps from users' phones.

Like other mobile app distributors, such as Apple, Google has the ability to flip a switch that remotely removes questionable or malicious apps from all Android smartphones. Google has pulled the uninstall switch at least once before, in June 2010.

"Google's very responsible with that power," said Mahaffey, explaining why the apps have been pulled from the Android Market but not yet removed from users' phones. "They want to make sure that it's used only in cases when they're sure they're removing only malware."

Google declined to comment on what actions it has taken so far to protect users.

Mahaffey said Lookout is still analyzing the malware, its capabilities and how the attackers hoped to profit from the compromised smartphones, but said his company's initial investigation had uncovered a C&C server located in Fremont, Calif.

The infected phones are communicating with the server and sending information -- including the user-specific subscriber identifier, also known as the IMSI (International Mobile Subscriber Identity), and the serial number of the phone's SIM card -- via an encrypted channel. The C&C server seems to be hosted on a legitimate system that hackers had breached previously.

Parsons and Mahaffey differed when asked how the incident reflected on Google and the security of its Android Market.

"More than anything, it shows how popular Android is," said Parsons. "Google has a major challenge vetting nearly a thousand new apps each day, and this may indicate that that vetting isn't robust enough."

But Mahaffey saw a silver lining in the cloud.

"I'd argue that it speaks to the openness of the Android platform that a user was empowered [enough] to notice [a malicious app]," Mahaffey argued, referring to reports that an Android smartphone owner was the first to go public with his suspicions. "We will see more people be more vigilant."

Both Parsons and Mahaffey applauded Google for quickly responding -- within minutes of the first reports -- to the situation by deleting the apps in question from its marketplace.

"After this, there will be increased vigilance by a lot of people," said Mahaffey, hinting at Google's likely wake-up call. "For users, the best advice is to pay attention to what you download."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.
