Google Android's infected apps spotlight mobile danger

The Google Android Market is supposed to be an apps showplace, so the fact that Google this week pulled about 50 Android apps it found to be malicious came as something of a jolt to many in the security industry.

Background: Google yanks 21 malicious Apps from Android market

"We believe they all had the same malware," said Kevin Mahaffey, CTO at Lookout Mobile Security, which has taken to calling it the DroidDream infection. The apps were released under the Google-registered developer names "Kingmall2010," "we20090202," and "Myournet," which Lookout Mobile suspects are all the same person or group. At least one of the malicious apps is based on stolen software that was trojanized and submitted to Google.

The 50 or so include English-, Japanese- and Chinese-language infected apps, published under names ranging from "Magic Strobe Light" and "Advanced File Manager" to "Magic Hypnotic Spiral" and "Screaming Sexy Japanese Girls." All were free. Earlier reports said the Google Android Market had taken down 21 of them, but it's now believed they have all been removed.

This batch of malicious Google apps is believed to have been first spotted by a user of the popular news aggregation site Reddit, who noticed the pirated apps; another online source, Android Police, also took a close look and flagged it. Mahaffey calls this a "community response" to the malicious Google apps, and notes that the community has been one of the main first responders to trouble.

Lookout Mobile and Symantec, which each sell Android security software, are among the security vendors that have blacklisted the malicious Google apps pinpointed this week, so their software would recognize and remove the DroidDream-injected apps on the device of anyone who had downloaded them.

However, Mahaffey acknowledged that Lookout is still working on a tool to wipe the final traces of the malware, specifically what he says is a "root shell" that it leaves behind. That tool is expected to be posted online for free soon.

Mahaffey says the DroidDream malware's exploit process allows it to "break out of the security sandbox on Android," adding that "you're not supposed to be able to do that." While investigation into the cache of DroidDream malware and what it can do to the many types of Android devices is still continuing, Mahaffey says it appears that the malware's ability to exploit an Android-based device depends on how well the device has been patched. Patching is problematic because carriers have a role in it, and it proceeds at intervals that are not necessarily easy for users to perceive.

The DroidDream malware is far worse than anything that has hit the official Google Android Market to date. "There have been instances of spyware, but nothing this bad," Mahaffey said. Most major malware finds have come from independently posted Android apps, not from the Google Android Market.

Vikram Thakur, principal security response manager at Symantec, agrees that this episode is unprecedented for the Google Android Market.

Dave Marcus, director of security research and communications at McAfee Labs, said, "What makes these significant is these apps are in the official Android marketplace, not from a third-party marketplace. Analysis has shown that these apps can break out of the typical sandbox that most apps reside in, to potentially gain control over the entire device and its data. In terms of attacks and malware, it doesn't get any worse than root access, which this malware has." McAfee is preparing a podcast about DroidDream.

While still investigating the malicious Google apps, Thakur said it's clear they are designed to act as a downloader for what could be more malware, and are designed to "steal information, such as the properties of the phone, the manufacturer's number, much more." The attacker likely has a financial motive, perhaps pushing out premium SMS messages.

Thakur said that while Symantec's Android security software today recognizes the malicious apps much the way it would traditionally detect a computer virus, the goal is to develop defenses further so that detection, blocking and eradication are based more on behavior.

"We will reach the stage where we will be between the apps," he says of behavior-based defense. Since Android is still so new, a lot of research in the vendor community is ongoing to evolve a security defense.

The slew of malicious Google apps is providing a source of study for that work. But what happened this week could happen again. Most malicious Android apps to date have appeared on third-party Web sites, but this week's episode of malicious apps on the Android Market "calls into question the vetting process," says Thakur. He adds that no one has control over that except Google.

Stories by Ellen Messmer