Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Google fights new batch of Android malware

Dozens of infected applications in Android Market

Article comments

For the second time in three months, Google yanked dozens of malware-infected smartphone apps from the Android Market. The 34 apps were pulled over the weekend and Tuesday by Google, after security researchers notified the company.

Google acknowledged giving some Android apps the heave-ho. "We've suspended a number of suspicious applications from Android Market and are continuing to investigate them," a Google spokeswoman said.

As in the March episode, when Google removed more than 50 apps, the newest round consisted of pirated legitimate programs that had been modified with malicious code and then re-released to the Android Market under false names.

But there was an important difference to this campaign, said Kevin Mahaffey, co-founder and CTO of Lookout. "These apps have the ability to fire up a page on the Android Market," said Mahaffey, adding that the hackers can send commands to the smartphone telling it which Market page to display.

He speculated that the attackers probably intended the new feature as a way to dupe users into downloading additional rogue apps that would have malicious functions, just as a hijacked PC is told to retrieve more malware. "They seem to have been designed to encourage people to install additional payloads," Mahaffey said.

Mahaffey said it was impossible to deduce hacker intent from the malicious apps' code, but he believed the criminals took the new path because social engineered attacks, those that rely on tricking victims into installing malware rather than depending on an exploited vulnerability, are more difficult to defend.

"Social engineered attacks are much more subtle, but very powerful because they're hard to protect against," said Mahaffey. "It could be they changed because either [the attackers] believed exploits were a dead giveaway, or they found this more effective."

Lookout and AVG Technologies uncovered malicious apps on the Android Market and reported their findings to Google. According to Mahaffey, Google pulled the apps "almost instantaneously."

It's unclear how the attackers planned to turn a profit on the new campaign of rogue apps. "They could do things like listen in to all the banking transactions [conducted using the smartphone]," said Omri Sigelman, the vice president of products at AVG Mobilation, AVG's mobile security arm.

Both Mahaffey and Sigelman said that the same group responsible for the March malware was behind the most recent attempt to infiltrate Android phones. The new rogue apps contained what Mahaffey called "Droid Dream Light," a stripped-down version of the DroidDream code used to infect apps in March.

Once a DroidDream-enabled app was downloaded and installed to an Android phone, the malware surreptitiously downloaded a second stage payload that contained one or more "root" exploits that give attackers complete control of the device.

This week's infected apps were downloaded and presumably installed by between 30,000 and 120,000 users, Lookout estimated. Google has not said what its next step will be.

But Mahaffey said Google will throw the "kill switch" on the rogue apps, remotely remove them from users' Android phones, in the near future. In March, Google pulled that switch four days after being notified of the infected apps.

At that time, Google also pushed an app of its own to affected users. The Android Market Security Tool March 2011 did not patch the underlying bugs that were exploited, but instead deleted traces of the malicious code that weren't erased when the apps were automatically uninstalled.

On Tuesday, Sigelman said that the new rogue apps also contained working exploits. "They aimed to root the device," Sigelman said.

Mahaffey said this second campaign showed both the persistence of cybercriminals, "they're going to keep trying" he predicted, and the failure of smartphone owners to understand what they held in their hands.

"This raises the importance of thinking of the phone as a computer," said Mahaffey. "It's a cat-and-mouse world, and the level of security [of a smartphone] has to be the same as a computer."

Lookout has published a list of the 34 infected Android apps on the company's blog.


More from Techworld

More relevant IT news


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *