50 Android Market Apps Found Harboring Malware

Google takes pirated apps offline, but many Android users smartphones could still be at risk

It was only a matter of time before the bad guys took advantage of the open Android Market in a big way: Google removed some 50 free apps this week from the store after they were discovered to be carrying malware that roots the phone, steals data, and installs a back door.
But the discovery came a few days after the apps hit the Android Market, so an estimated 20,000 to 500,000 users may already have downloaded the infected apps, most of which are pirated versions of legitimate Android apps, including Super Guitar Solo, Music Box, Advanced Barcode Scanner, and Spiderman, mobile security experts say. A user on Reddit
first flagged the malware
, and then Lookout Security found additional infected apps, all of which contain a piece of malware called DroidDream.
Google doesnt vet or security-scan apps submitted to its open, community-based app market, but security experts say the invasion of rogue apps could ultimately pressure the search engine giant to add some form of vetting applications before they hit the Market. Its all based on user comments and rankings of apps, and notifications to the user on what functions in the phone the app wants to use before he downloads it. Its totally up to the user, says Chris Wysopal, CTO of Veracode. This is not really working.
Google was not available to comment on any plans to change up the app submission process.
Security experts had been predicting that Androids open market could backfire. Apple does some security vetting of apps for the iPhone. We knew this was going to happen, Wysopal says, noting that the discovery syncs with worries that cybercriminals would eventually spread malware by modifying legitimate apps. This is something weve seen a lot in China, and with the original Windows Mobile [platform], he says.
Wysopal says Google may have to start at least scanning apps for known malware threats. The so-called rageagainstthecage rooting exploit and DroidDream were both known pieces of malware that could have been detected, he says.
Googles Android platform has been on a major growth spurt, and with that popularity comes a big bulls eye. Just this week, researchers
found a new Trojan called Android.Pjapps
in legitimate Android apps and that builds a botnet.
[Android] becomes more attractive as a target as its adoption grows, says Andy Chou, chief scientist and co-founder of Coverity. And the number of smartphones is expected to exceed the number of PCs soon.
Chou says an even bigger opportunity for the bad guys is going after the Android platform itself. He recently scanned a development version of the Android OS he got from Google, MSM Development Branch 2.6.35, in which he found a total of 149 software defects, 22 of which were considered high risk. Chou gave his findings to Google.
Attacks on the core operating system or other components that are widely distributed would be more severe, Chou says. Ultimately, we will see attacks at that level as the platform becomes more widely deployed.
One of the biggest challenges here is how different vendors customize the Android OS, and even use different versions on it for their platforms, making patching difficult.
Meanwhile, the DroidDream-infested Android apps so far appear to be the handiwork of a single developer who used three different developer names, Kingmall2010, we20090202, and Myournet. Kevin Mahaffey, co-founder and CTO at mobile security provider Lookout Security, says Lookouts research was able to discern it was just one developer due to the way he packaged the apps.
The infected apps gain root control of the smartphone, which means the attacker can get hold of any data on the phone. Whats really scary is that its capable of downloading new code and installing that on the phone ... so it could install a botnet or spyware, Veracodes Wysopal says.
So when Google remotely wipes or kills the bad apps from Androids, the device remains rooted, he notes. As far as I know, there are not tools yet to clean this up. You have to completely restart the device from scratch and reset it to its factory-state, he says.
Wysopal says having rooted Androids out there is dangerous. This gets fixed in Android 2.2. and 2.3, but one of problems with the Android market is the OS is very fragmented ... there are providers that customize it and arent able to patch for that vulnerability, he says. So even if theres a fix issued for the root, a lot of Androids are running older versions of the OS that cant get updated.
So some other guy can do the same thing all over again. Whats to stop this [attack] from happening again tomorrow? Wysopal says.
Lookouts Mahaffey says his company is
working on a cleanup tool
and hopes to release it shortly, and that its mobile anti-malware service now catches DroidDream, although the new unknown variant used in the rogue apps slipped by it initially. We caught them last night, he says.
Its unclear just what the attackers behind the rogue apps are after, however. Mahaffey says the command-and-control function isnt actively sending commands, so it may just be in the experimental phase.
What they are doing is a little bit of a mystery, Veracodes Wysopal says. The attacker may be exploring building mobile botnets ... they likely are going to use them for what weve seen in special-purpose malware: premium SMS dialing and ad-click fraud.
A Kaspersky Lab researcher studying the Super Guitar Solo app says it can get the product ID, device type, language, country, and userID, as well as other information on the phone, which can be uploaded to a remote server.
This discovery is important because up until now most of the Android malware has been found outside of the Android Market, which requires a number of special steps to be taken in order to infect the phones. In this case, users are even able to install from the web with the new Android Market format, he
blogged
.
A complete list of the phony and malicious Android apps is
here from Symantec
.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
50 Android Market Apps Found Harboring Malware