Google Android Malware Gets Its Comeuppance; Malicious Apps Pulled3:06 PM EST Wed. Mar. 02, 2011
More than 50 malware hosting apps have been removed from Google Android and their developers have been shown the door.
Android's openness, compared to other popular mobile device platforms like Apple's iPhone and RIM's BlackBerry, have made it a prime target for hackers and malware writers looking to steal data and make a few bucks.
And this week a total of 52 malicious Android apps containing malware were removed from the official Google Android Market, its apps market place.
It started like this: An Android developer allegedly ripped off 21 popular apps that are free in the Android Market and injected a root exploit into the apps and uploaded to the Android Market where they were downloaded between 50,000 and 200,000 times. The malware-injected Android apps were discovered by a reddit reader by the name of lompolo, who submitted a post to reddit highlighting the discovery of the bad Google Android apps in the Android Market. Then, Android Police took a look at the offending apps and found that they not only root a smartphone but "it steals nearly everything it can: product ID, model, partner (provider?), language, country, and userID." The malicious apps also have the ability to download more code.
"In other words, there's no way to know what the app does after it's installed, and the possibilities are nearly endless," Android Police wrote.
According to Android Police, it notified Google about the problem, and the 21 apps were removed. Google also terminated the developer's account. The developer that allegedly injected the apps with the malware goes by Myournet.
Symantec also weighted in, pointing out that Myournet wasn't the only offender making malicious apps for the legitimate Google Android Market, a turnaround from making applications for unofficial Android marketplaces that can root the phone, harvest data or open a back door.
"Apparently some malicious authors where not satisfied just sticking with this routine. We have become aware of a selection of malicious applications following this trend; however, they are available on the official Android Market," Symantec wrote in a blog post on Wednesday highlighting the new Android threats. "The applications in question are popular free apps, bundled with malware, that have then been republished in the official marketplace under different application and publisher names...Google has taken action and has removed these apps from the official Android marketplace."
Next: Android Malware Writers Kick It 'Root' Down
According to Symantec, the Android Packages (.apk) include the file "rageagainstthecage," which is a tool commonly used to root the phone. In legitimate circumstances, this file can be used by the owner of the phone to acquire administrative rights on his or her phone. In the case of the attack, however, rooting the phone can allow the malware called Android.Rootcager to perform more than the usual activities, like taking screen shots not commonly allowed on Android phones.
Android.Rootcager in roots the phone without user consent to perform various activities, Symantec continued. DownloadProvidersManager.apk is dropped by the malware to monitor installed applications and download additional packages of code as a background service. The malware also attempts to record IMEI and IMSI numbers, which can be used to identify mobile phones, and upload the data to an external Web site.
Along with Myournet, Android Market applications developed by kingmall2010 and we20090202 may also contain malware. Overall, Symantec identified 52 apps from those three developers that may be affected.
"If users feel that they may have installed one of these apps, they should also check com.android.providers.downloadsmanager (DownloadManageService) in the 'running services' settings of the phone, Symantec said.
The discovery and removal of the malicious apps designed to resemble legitimate applications is just the latest in a series of Google Android threats targeting the increasingly popular mobile device platform.
Earlier this week, Symantec discovered a Google Android Trojan that poses as a legitimate application to unleash a botnet onto an Android device to steal data and manipulate device function. The new Android.Pjapps Trojan is spreading throughout Google Android via altered versions of legitimate applications hosted on unregulated third-party Android marketplaces, Symantec said.
The Android.Pjapps Trojan followed on the heels of two other recent Android-targeted Trojans, Android.Adrd and Android.Geinimi.
Security pros have flagged Google Android as the next great mobile malware battle ground.
In a recent interview with CRN, Adam Wosotowsky, principal engineer at McAfee Labs, told CRN that Google's Android mobile platform has become a prime target, more so than its mobile OS counterparts from Apple and RIM BlackBerry. Android has bubbled to the top because it has looser restrictions on developing and building applications for the platform.
"In the case of Android, it's a lot easier to write an application to it," Wosotowsky said.
At the 2011 Kaspersky Americas Partner Conference last month, Kurt Baumgartner, senior security researcher for Kaspersky Labs said that as the mobile arena grows, exploits and spyware are being aimed at the Android platform.
"Really clever people are trying to force spyware onto the Droid," he said.