Google has acknowledged the issue of malware hidden in app files by a developer and is taking the extraordinary step of reaching out to infected handsets and deleting the files.
Earlier this week, Android Police (a site, not a paramilitary group) posted a story exposing 21 applications from one developer in the Android Market which contained a known Android exploit to gain access to an Android device. Originally discovered by Reddit user lompolo, the apps use an exploit known as “rageagainstthecage” which was discovered in August (very technical breakdown) to create the DroidDream.a malware.
The vulnerability was fixed months ago in the Android 2.2.2 release, but because Android’s model doesn’t entice carriers or manufacturers to continue updating after a sale (and most Android phones are locked to prevent users from doing so), almost no Android devices are protected.
Within minutes of hearing of the apps, Google GOOG had removed the applications. However, Android Police estimated that the applications in question had been downloaded at least 50,000 times.
Google believes that the only information the attacker(s) were able to gather was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices, and the version of Android running on your device). But given the nature of the exploits, the attacker(s) could access other data.
The Android team has taken the following actions:
Removed the malicious applications from Android Market, suspended the associated developer accounts, and contacted law enforcement about the attack.
Remotely removing the malicious applications from affected devices. This remote application removal feature is one of many security controls the Android team can use to help protect users from malicious applications.
Pushing an Android Market security update to all affected devices that undoes the exploits to prevent the attacker(s) from accessing any more information from affected devices. If your device has been affected, you will receive an email from email@example.com over the next 72 hours. You will also receive a notification on your device that “Android Market Security Tool March 2011” has been installed. You may also receive notification(s) on your device that an application has been removed. You are not required to take any action from there; the update will automatically undo the exploit. Within 24 hours of the exploit being undone, you will receive a second email.
Adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues.
A few notables in that list. One, Google has contacted law enforcement. As far as I know, this is the first time that Google has gone to the authorities about a hacker in the Market. Also, Google is going to use the remote kill switch, a controversial tool in which mobile phone manufacturers can remove applications from a device without user intervention. Apple AAPL, Microsoft MSFT and RIM RIMM all have remote kill switches in their arsenal to fight these type of apps.
The kill switch process in itself is controversial because it can’t be stopped by the user (other than staying out of cell phone data range). Amazon(AMZN) sparked considerable controversy recently when it yanked some books off of users’ Kindles without warning because of copyright claims.
I don’t see users becoming upset over this issue, however. The apps in question are relatively low quality and the exploit, while so far has been relatively benign, could become much worse.
Finally, it appears Google is placing more controls on its Android market to prevent further exploits.
It is baffling to me that an app like this was able to make it to the market in the first place and hopefully measures are put in place so that ones like it can’t repeat in the future.