Google Pulls Infected Apps From Android Market

Android app users beware: Google has pulled more than 50 Android apps said to be infected with malware

In another sign that attackers continue to target the mobile sector, it has been revealed that more than 50 apps on Google’s Android Market were infected with malware.

The apps were said to contain the rootkit malware ‘DroidDream’, which can take command of a mobile handset and send personal details to a remote server.

The infected apps were said to have seen 50,000 to 200,000 downloads in four days.

Malware Discovery

The problem was uncovered by a Reddit user known as Lompolo, who posted a warning that 21 apps were infected. The warning was picked up by the Android Police website.

No doubt aware of the severity of the problem, Android Police quickly contacted Google, and it seems that within five minutes of being alerted, Google had pulled the apps from the Android Market.

Google also apparently exercised Android’s rarely used ‘remote application removal feature’ to remotely remove the infected apps from users’ Android devices.

Android Police discovered that not only did the infected apps root (i.e. take complete control of) people’s phones and send personal information back to remote servers, but they also downloaded and executed new code.

Downloads Code

“I asked our resident hacker to take a look at the code himself, and he’s verified it does indeed root the user’s device via rageagainstthecage or exploid,” wrote Aaron Gingrich of the Android Police.

“But that’s just the tip of the iceberg: it does more than just yank IMEI and IMSI. There’s another APK hidden inside the code, and it steals nearly everything it can: product ID, model, partner (provider?), language, country, and userID,” Gingrich wrote. “But that’s all child’s play; the true pièce de résistance is that it has the ability to download more code. In other words, there’s no way to know what the app does after it’s installed, and the possibilities are nearly endless.”

The infected apps were said to have come to light after Lompolo spotted that the developer of one of the malware apps had proceeded to take down legitimate apps and republish them under the developer name “Myournet”. But it seems that other developers’ apps were also infected with DroidDream.

According to smartphone security company Lookout, 50-plus apps were reportedly infected. A full listing of the infected apps can be seen here.

Open Android

This is not the first time that Android apps have been doctored. Last month, for example, two variants of Android malware were spotted in two alternative Android app markets aimed at the Chinese market. This was on top of the sophisticated Trojan named “Geinimi” that Lookout discovered in December 2010 in an alternative app store in China.

And in June last year, Google’s Android team removed two free applications from the Android Market, after citing violations of its developer terms. The applications apparently duped users into downloading them, although they were of little consequence.

Android’s market share has been growing rapidly, and it is thought to be close to becoming the world’s largest smartphone platform, helped by its thriving app market. The beauty of Android is that it is free to licence, which means that developers do not face potential barriers such as charges when putting apps on the Market, unlike the case with Apple’s App Store. Google thinks this model encourages innovation, but it could also lead to problems.

Google has, for example, previously taken issue with a report from SMobile Systems which suggested Google Android applications were leaving users open to identity theft.

That said, it is important to note that Android is not the only mobile platform being targeted by attackers. In June last year, for example, Lookout discovered attackers were targeting Windows Mobile devices with malicious applications.

Google could not provide eWEEK Europe UK with an official comment at the time of writing.