Over 50 applications found to contain malware were removed from the Android Market yesterday, after being downloaded approximately 50,000 times. The apps contained a type of malware called “DroidDream,” which was able to use exploit code to root (take administrative control over) the phones where it was installed and steal sensitive data from the devices. In addition, a second APK (an Android application file) was also found hidden inside the code, which could steal additional data.
Dozens of Malware Apps Discovered on Android Market
The malware was initially reported via the social news site Reddit, where it was later picked up by the blog Android Police. The blog had their “resident hacker” Justin Case further analyze the malware-infected applications for details. He found that the apps root the device after installation, which means they give the malware creator complete administrative control over the device. Although disguised as popular games and utilities, the infected apps actually enabled the creator to retrieve sensitive data from the phones. Case was able to confirm that the apps stole product ID, model, partner/provider, language, country and userID, but he also discovered that the additional, hidden app had the ability to download more code.
“There’s no way to know what the app does after it’s installed,” wrote Aaron Gringrich on Android Police, in reference to what that functionality could mean, “but the possibilities are endless.”
Over 50 Apps, Not 21, Found to be Infected
According to security firm Lookout, makers of a malware-prevention application for Android phones, the original report of 21 applications by Reddit and Android Police was somewhat incomplete. To date, more than 50 applications have been found to be infected with this new malware called DroidDream, it reported.
After analyzing the 21 apps reported by Reddit user Lompolo, the firm found a large number of applications from other developers that also contained the same malware. Lookout shared its findings with Google and are now reporting that the apps have been pulled from the Android Market.
However, Google has not yet activated its remote removal system to wipe the malware-laden apps off of end users’ devices, says Lookout. That means that many of the estimated 50,000 to 200,000 installations of these apps are still out there on users’ phones. Lookout notes that it has also updated its security software programs via an over-the-air update to remove all known instances of DroidDream and has implemented a specific signature that should block other variants of these apps in the future.
What Were the Malware Apps?
According to Lookout, the following application publishers and apps were found to contain the malware (see below). You’ll note that many of the application names are similar to other popular and more well-known Android applications.
Full list of infected applications published by “Myournet”:
- Falling Down
- Super Guitar Solo
- Super History Eraser
- Photo Editor
- Super Ringtone Maker
- Super Sex Positions
- Hot Sexy Videos
- Chess
- ????_Falldown
- Hilton Sex Sound
- Screaming Sexy Japanese Girls
- Falling Ball Dodge
- Scientific Calculator
- Dice Roller
- ????
- Advanced Currency Converter
- App Uninstaller
- ????_PewPew
- Funny Paint
- Spider Man
- ???
Full list of infected applications published by “Kingmall2010?:
- Bowling Time
- Advanced Barcode Scanner
- Supre Bluetooth Transfer
- Task Killer Pro
- Music Box
- Sexy Girls: Japanese
- Sexy Legs
- Advanced File Manager
- Magic Strobe Light
- ??????
- ????Panzer Panic
- ????Mr. Runner
- ??????
- Advanced App to SD
- Super Stopwatch & Timer
- Advanced Compass Leveler
- Best password safe
- ???
- ????
Full list of infected apps under the developer name “we20090202?:
- Finger Race
- Piano
- Bubble Shoot
- Advanced Sound Manager
- Magic Hypnotic Spiral
- Funny Face
- Color Blindness Test
- Tie a Tie
- Quick Notes
- Basketball Shot Now
- Quick Delete Contacts
- Omok Five in a Row
- Super Sexy Ringtones
- ?????
- ?????
- ????
Questions About Google’s Response Time and Reporting Resources
On the one hand, Google acted quickly after Case reached out to a contact at Google about the apps in question. In less than five minutes after his report, the apps were pulled from the Market. Unfortunately, an application developer attempting to reach out to Google through more official channels had worse luck.
According to reddit user codingcaveman, the developer of Guitar Solo Lite, whose app was ripped off as “Super Guitar Solo” by the malware creator, he had reached out to Google about this same issue over a week ago. “I notified Google about this through all the channels I could think of: DCMA notice, malicious app reporting, Android Market Help…they have yet to respond,” he wrote.
This raises concerns that Google’s mechanisms for protecting Android users from threats such as these simply aren’t good enough at the present time. While it’s commendable that Google jumped quickly when a personal contact of Case’s was notified of the threat, the official channels should be just as responsive – especially if the developer doing the reporting is one whose own business is being directly affected by the malware’s continued existence.
The takeaway from this incident for Android end users is this: you can’t trust that any given application is safe. Read the permissions before installing apps, and if you can’t be bothered with that, use an additional security program from a firm like Lookout or one of its competitors instead.
Image credits & sources: Lookout, Android Police, Reddit
