Google pulls more malware from Android Market

NC State researcher finds stealthy attack code inside bogus 'Angry Birds' apps

Google removed more malware-infected applications from its Android Market last week, according to a security researcher who reported the rogue software to the company.

On June 5, Google yanked 10 apps from the market after Xuxian Jiang, an assistant professor in computer science at North Carolina State University, reported his findings to the company.

Jiang published an analysis of the malicious code, dubbed "Plankton," in a blog post last Thursday.

Andrew Brandt, lead threat research analyst at Webroot, has also dug into Plankton.

"It has the ability to remotely access a command-and-control [C&C] server for instructions, and upload additional payloads," Brandt said in an interview Friday. "It uses a very stealthy method to push any malware it wants to phone."

Unlike other code embedded in apps that have appeared in the market, Plankton doesn't rely on a vulnerability to "root," or gain complete control of the smartphone, said Brandt. Once the victim has installed the bogus app, however, Plankton can call in other files from the hacker-controlled server, including ones that would exploit one or more unpatched Android bugs.

"This is pretty serious," Brandt said.

Plankton also harvests data from the phone, including the bookmarks, bookmark history and home page of the device's built-in browser.

All 10 of the apps that Google pulled after Jiang's report purported to be add-ons or cheats for the popular mobile game "Angry Birds" from Finnish game company Rovio. None of the apps actually provided their promised functionality, however, but were simply the delivery vehicles for Plankton.

Plankton was not the first Android attack code that Jiang and his team have reported to Google.

Also on June 5, Jiang told Google of finding apps infected with "DroidKungFu" on unauthorized Chinese app stores, then two days later followed with a report of "YZHCSMS," a Trojan horse that racks up bills by sending hidden text messages to premium numbers.

DroidKungFu uses the same pair of exploits to root the smartphone as "DroidDream," the name given to the first malware bundled with apps in the Android Market.

YZHCSMS was found in Android apps on both Google's market and on Chinese download sites. According to Jiang, YZHCSMS-infected apps were available on the Android Market for at least three months before Google pulled them.

Malicious apps have become a persistent problem for Google, which has had to scrub the market several times since early March, when it pulled more than 50 programs able to compromise phones and remotely issue them commands.

Two weeks ago, Google suspended nearly three dozen malicious apps from the market. Experts tied the newer wave -- labeled "DroidDream Light" -- to the same group responsible for the Mach campaign.

Although Google may be scanning market apps for known malware, that does little good unless an antivirus company has crafted a signature that "fingerprints" the malware, Brandt said.

And with malware able to sneak into the Android Market -- and in some cases remain there for months -- it's unlikely Google has engineers scouring app code.

"It takes a lot of time and experience to evaluate code," said Brandt. "There are ways to do it in an automated fashion, but you really need a bit of human feel [to evaluate] commands and their sequence to tell if something's malicious."

Brandt's advice to Android owners?

"Use some common sense," he said. "These [Plankton] apps were supposed to do things like unlike "Angry Birds." But then why did they all ask for permission to connect to the Internet?"

Google was unavailable for comment late Sunday.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is

Read more about mobile apps and services in Computerworld's Mobile Apps and Services Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags telecommunicationapplicationsMobile and WirelessMobile Apps and ServicesPhonesMobile operating systemsmobileMalware and VulnerabilitiesNorth Carolina State Universityconsumer electronicsGooglesmartphonesMobile OSessoftware

More about Andrew Corporation (Australia)AppleGoogleMicrosoftTopicWebroot

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts