Google Removes More Android Malware

Google has removed 10 more malware-bearing applications from the official Android Market, according to the security researcher who discovered the malicious code.

The incident is the latest headache for Google over its Android application market, which has had to be repeatedly cleared of malicious code.

‘Plankton’

Xuxian Jiang, an assistant professor of computer science at North Carolina State University, discovered a piece of Android spyware he called “Plankton” during the course of an Android research project.

The malware harvests data from the phone, including bookmarks, bookmark history and the home page of the device’s built-in browser.

All of the applications Jiang analysed claimed to be add-ons or cheats for the game “Angry Birds”. The only function provided by the applications was to the delivery of the Plankton code, however.

Unlike some previous malware Plankton does not attempt to gain root access to Android phones itself. However, it has the ability to remotely access a control server in order to download additional functionality, according to Jiang.

“This spyware does not attempt to root Android phones but instead is designed to be stealthy by running the payload under the radar,” Jiang said in an analysis of the malware published on Thursday. “In fact, Plankton is the first one that we are aware of that exploits Dalvik class loading capability to stay stealthy and dynamically extend its own functionality.”

Jiang said he found at least 10 applications on the Android Market from three different developers. These were suspended by Google on 5 June following notification by Jiang, he said.

Stealthy design

“Its stealthy design also explains why some earlier variants have been there for more than 2 months without being detected by current mobile anti-virus software,” Jiang wrote.

Jiang has previously notified Google of malware including DroidKungFu and YZHCSMS on unauthorised Chinese application markets. DroidKungFu uses the same exploits to gain root operating system access as did DroidDream, the first malware found on the Android Market.

Android has become the top focus for malware programmers, according to a May study from Juniper Networks, which found a 400 percent increase in Android malware since the summer of 2010.

The “Malicious Mobile Threats Report 2010/2011″ was compiled by the Juniper Networks Global Threat Center (GTC) research facility. It found that mobile devices have become the latest focus for malware writers, with Android the fastest-growing target.

Juniper’s study found that, despite application downloads representing the main source of infections, the vast majority of smartphone users are not using antivirus software to scan downloads for malware.

No security software

The increase in security threats is a result of user disinterest in security, large numbers of downloads from unknown or unvetted sources and the absence of mobile device security software, according to Juniper.

“App store processes of reactively removing applications identified as malicious after they have been installed by thousands of users is insufficient as a means to control malware proliferation,” said Dan Hoffman, Juniper’s chief mobile security evangelist, in a statement. “There are specific steps users must take to mitigate mobile attacks. Both enterprises and consumers alike need to be aware of the growing risks associated with the convenience of having the Internet in the palm of your hand.”

The study found that 17 percent of all reported infections were due to SMS Trojans sending SMS messages to premium rate numbers.