Google in Android Market malware purge

Google has removed dozens of apps from its Android Market after discovering they were malware that compromised users' personal data.

More than 50 apps were found to be infected with malware capable of gaining root access to a device, harvesting data and installing additional malicious code, computer security researchers said Wednesday. Before being pulled from the marketplace, the malicious apps were downloaded by at least 50,000 Android users within a four-day period.

A Google spokesman declined to comment.

The malicious apps were pirated versions of popular, legitimate apps that cybercriminals bundled with malware and republished in the Android Market under different application and publisher names. They were posed by the publishers with handles “Kingmall2010,” “we20090202,” and “Myournet,” all of whom have been suspended.

The first batch of 21 malicious apps, which came from the publisher Myournet, was discovered by a user of the news aggregation site Reddit. Researchers at mobile security provider Lookout discovered a second lot that was posted by Kingmall2010 and alerted Google, said its chief technology officer Kevin Mahaffey.

Google then discovered a third set that was posted by we20090202.

It removed the malicious apps within minutes of being notified, Mahaffey said.

“It's impressive how quickly they responded to these issues,” he said.

Even though the apps were posted from different developer accounts, the way the malware was packaged indicated they came from the same person, Mahaffey said.

Flip to the next page to peer inside the workings of the Android malware.

Inside the Android malware

Once downloaded, the apps attempted to gain root access to a device using common exploit tools, such as “rageagainstthecage” or “exploid”.

They were often used by hobbyists to jailbreak or access the root account on their Android phones, Mahaffey said.

The apps then attempted to send data from the phone to a remotely controlled server. Specifically, they tried to steal IMEI and IMSI numbers, used to identify mobile phones, model numbers and the user's language, ID and country.

Most alarmingly, the apps attempted to open a backdoor to the devices that could be used to download additional malware, researchers said.

The apps gave attackers “full access” to a device, said Vikram Thakur, Symantec principal security response manager.

Cybercriminals regularly package malware inside seemingly legitimate apps and release them in unofficial, third-party app stores, researchers said. This time the malicious apps made their way on to the official Android Market, which provided a much larger pool of potential victims.  

Veracode chief technology officer Chris Wysopalsaid similar attacks were likely unless Google more stringently policed the apps it allowed.

Google relied on users to flag apps as harmful or inappropriate. If an app violated Google's policies, it was removed from the market and the developer may be blocked.

Other mobile app store providers took a different approach. Microsoft, for example, mandated that apps and games in its Windows Phone Marketplace were tested and certified for quality and performance before being offered to consumers.

Wysopal said Google should adopt a similar model: “I believe the app stores should be vetting the apps with an approval process before allowing them in”.

But Lookout's Mahaffey said Google's process allowed for an “open, innovative app ecosystem” and should not be changed.

Malicious apps disguised as legitimate programs began turning up the Android Market a year ago.

This article originally appeared at scmagazineus.com