Is the sky falling in on Google's Android Market? It was marketing 21 Trojan apps yesterday. Google didn't react to developers' complaints until the issue got popular on Reddit. Could it happen on the iOS App Store, or is Apple's lockdown too tight?
By Richi Jennings. March 2, 2011.
Google has pulled 21 rogue apps from the Android Market, because they contained malware. The Trojans would get root, transmit sensitive data, and download who-knows-what additional code. The Android marketplace is much more of a free-for-all than Apple's iOS App Store, which has its pros and cons. In IT Blogwatch, bloggers wonder what took Google so long.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention Fire Drill: In the A320 simulator with Captain Dave...
Dean Takahashi summarizes the summary of the summary:
Apps released by developers under the names "Kingmall2010", "we20090202", and "Myournet" contain ... malware and have been pulled from the Android Market. ... The apps reportedly could compromise a user's personal data. ...
...The malware attack shows that Android's big advantage ... openness that gives it an edge over Apple ... is also Android's biggest disadvantage. ... While Apple screens its apps, Google allows just about anybody to upload apps into the Android Market.
The pseudonymous lompolo sounded the alarm last night:
Someone just ripped off 21 popular free apps from the market, injected root exploits into them and republished. ... I just randomly stumbled into one of the apps, recognized it. ... The apps seem to be at least posting the IMEI and IMSI codes to [link redacted] which seems to be located in Fremont, CA. ... The apps are also installing another embedded app.
I just received a reply to an e-mail I sent out to one of the developers affected: ... "I have been trying for more than a week now to get Google to do something about it ... through every avenue I could think of, but haven't had a response yet."
...Some sort of moderation, or at least quicker reaction to malware complaints would be nice.
And Aaron Gingrich and Justin Case analyze the code:
It does indeed root the user's device via rageagainstthecage or exploid. But ... it does more than just yank IMEI and IMSI ... it steals nearly everything it can: product ID, model, partner (provider?), language, country, and userID. But ... the true pièce de résistance is that it has the ability to download more code ... the possibilities are nearly endless.
They've been pulled ... as well as remotely removing them from users' devices. Unfortunately, that doesn't remove any code that's already been backdoored in. ... This is the ultimate Android Trojan to date, and it's already been downloaded over 50,000 times.
...The [list of] offending apps: ...
But Jolie O'Dell has radical advice:
If you've downloaded one of these apps, it might be best to take your device to your carrier and exchange it for a new one, since you can't be sure that your device and user information is truly secure. Considering how much we do on our phones, shopping and mobile banking included, it's better to take precautions.
Jon Norris broadens his outlook:
This misadventure also highlights another reason why the Android Market isn't raking in nearly as much cash as the iOS App Store: the ease of piracy. ... A lot of criticism is levelled at Apple for their App Store submission policies, but you certainly wouldn't ever see this happening on their watch.
...[This] has become such an issue on Android that Google announced not long ago it had an actual team of humans actively scouring the App Market. ... Why this specialist team didn't identify these nefarious Apps ... remains a mystery.
Meanwhile, Darlene Storm has tips on how Android users can protect themselves:
The trick is to pay attention while the app is installing, since the malicious app will ask for excessive permissions. ... Hackers tweaking legitimate apps to carry Trojans is not a new idea and smartphones will continue to be targeted for mobile malware.
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: firstname.lastname@example.org.
You can also read Richi's full profile and disclosure of his industry affiliations.