Malware in Android Market highlights Google's vulnerability

[nsane.forums]

Google has removed 21 applications from the Android Market after it was discovered that the apps secretly installed malware. The applications themselves included pirated and renamed versions of legitimate Android software that had been modified to include the malware and then offered for free on the Market. Together, the 21 programs received more than 50,000 downloads over the course of about four days.

The malicious applications sent personal details, including the phone's unique IMEI number, to a US-based server. Worse, it exploited security flaws to root the phone, and installed a backdoor application that allows further software to be installed to the handsets. Though Google has now purged the applications from the Market, the rooting and backdoor mean that the anyone who has run one of the malicious programs should reset their phone to stock conditions to clean it up. The flaw used to root the operating system was fixed in Android 2.2.2 and 2.3, so users of those versions should be able to get away with simply removing the applications. The programs were all (re)published by an entity named Myournet; it too has now been removed from the Market.

A full list of the 21 programs can be found at Android Police, who originally reported the issue, after the republished applications were spotted by redditor lompolo. lompolo investigated the applications after noticing that one of them did not have the publisher he expected; he posted his findings to reddit after noticing that one of the applications appeared to contain exploit code.

Similar malware, dubbed "DreamDroid" has been found in even more applications, with applications from publishers named Kingmall2010 and we20090202 also removed. In total, more than 50 programs have been pulled.

This attack is notable in that it combines a wide range of smartphone issues all into one neatly packaged exploit: we have the lack of governance of the Android Market, the piracy and re-publication that is distressingly common on mobile platforms, the security flaws that allow rooting, and Android's inconsistent updating which leaves machines at risk of security flaws.

Google's Android Market is a free-for-all: unlike Apple's App Store and Microsoft's Marketplace, which both have strict eligibility requirements and mandate that programs are restricted only to a limited set of APIs, in the Android Market essentially anything goes. Google can remove applications that are found to be actively harmful, as it has done here, but this action tends to be reactive, not proactive. The Android Market Developer Agreement does prohibit this kind of application in section 4.4, but Google obviously took no steps to ensure that applications abided by this rule prior to publication.

Apple's strictly regulated store is criticised by many for its inconsistent rule enforcement and the apparently arbitrary decisions made by the those inspecting its applications. This regulation is by no means flawless—the Handy Light flashlight application contained a backdoor to allow iPhones to be tethered, showing that it can indeed be tricked—but it should nonetheless impede similar attacks on that platform. Microsoft's gatekeeping of the Windows Phone 7 Marketplace should similarly serve to stand in the way of such malicious applications. Incidents like this serve to vindicate the approach Microsoft and Apple have both taken to their application stores, and repeat performances could make users increasingly wary of the Android Market.

Application piracy is again an issue found on Apple's platform as well as Google's. Neither company earns much praise for their responses to piracy allegations: though both maintain that they will remove applications that infringe on the intellectual property of others, in practice their responses are slow and inconsistent. One of the developers whose game had been ripped off informed Google of this more than a week before the program was eventually removed—due to its malware—without receiving any response from Google.

Perhaps it is fortunate that that software was pirated, however, as it was this piracy that led to lompolo's closer inspection. Had it not piqued his curiosity, it may have lingered on the Market for weeks or months, quietly infecting users all the while.

The desirability of rooting handsets is also a continued problem. Rooting, to enable custom software and operating system builds to be installed to a device, is a widespread (albeit minority) activity among both iPhone and Android users. It creates an unusual alignment of interests—an exploit that can be used to root a phone is sought by both "good guys" (who just want to install custom firmware) and "bad guys" (who want to install nefarious malware). While the root flaw in this case was already patched, that patch is not widely distributed. This is due to Google's enormous dependence on handset OEMs and mobile networks to package and distribute firmware updates. Even security-conscious users who would like to upgrade to a fixed version can find themselves unable to do so for many months—if ever—due to unavailability of a suitable patch for their particular phone.

Apple, with its vertically integrated approach, has a much more robust response to such issues, as it can publish updates for all users of supported models, regardless of their network, simultaneously. If Microsoft can get the unfortunate teething difficulties in the Windows Phone 7 update process resolved, it too should have a considerable ability to deploy updates.

Android is now a major smartphone platform, estimated to be outselling the iPhone. For many, its openness and flexibility is a virtue, but it comes at a cost: it leaves the platform unusually susceptible to attack. And those attacks will come: just as popularity has made Windows an attractive target, so too will the black hats be drawn to Android. This will place Google in an increasingly uncomfortable position; locking down the platform may be appealing to most users, but it would infuriate and alienate the early adopters and trend-setters who championed the operating system in its early days. However, leaving it a free-for-all could make Android the Windows 98 of smartphone systems: virus-ridden and unsafe.

View: Original Article