Android users beware: more than 50 apps in the official Android Market have been discovered containing malware that could have compromised sensitive and personal data. While Google has already yanked the apps from the Market, this first big infection highlights the inherent vulnerability of Android's openness to developers.
While apps that are available through Apple's App Store go through a screening process, Google has allowed developers to load up apps without any such hoops to pass through. There are currently more than 100,000 apps, games and widgets available through Android Market. With the domination of Android-based phones in the smart phone market and the recent debut of the Android Market website, the current system leaves open great temptation for further hacking.
Earlier this week, Symantec posted an analysis of "Android.Pjapps," a backdoor Trojan horse that Chinese hackers used to hijack the legitimate Steamy Windows app. The malware infiltrated a user's smart phone and sent invisible text messages to premium-rate numbers, which then rewarded the hackers with a commission.
But this attack eclipsed these one-off instances that have popped up from time to time since Android debuted in 2008.
Lookout, a smart phone security company that monitors apps on Android, Blackberry and Windows Mobile, posted a list of the infected apps on its blog. The company pegged the culprit as the DroidDream malware, which snuck into apps released under developers "Kingmall2010," "we20090202," and "Myournet."
"DroidDream is packaged inside of seemingly legitimate applications posted to the Android Market in order to trick users into downloading it, a pattern we've seen in other instances of Android malware such as Geinimi and HongTouTou," said Lookout CTO Kevin Mahaffey. "Unlike previous instances of malware in the wild that were only available in geographically targeted alternative app markets, DroidDream was available in the official Android Market, indicating a growing need for mainstream consumers to be aware of the apps they download and to actively protect their smart phones."
Mahaffey's point is clearly made in the list of infected apps. While some apps have names that should already beg for some scrutiny before downloading — Super Sex Positions, Hot Sexy Videos, Hilton Sex Sound, Screaming Sexy Japanese Girls — others seem innocent enough on the surface: Photo Editor, Chess, App Uninstaller and Super Stopwatch & Timer.
One of the infected apps was disguised as a security program: Best password safe, found under developer "Kingmall2010."
Lookout credited Reddit user Lompolo for discovering the malware "after noticing that the developer of one of the malicious applications had posted pirated versions of legitimate apps under the developer name 'Myournet.'... Lompolo analyzed two suspicious applications and found that they contain exploit code that can break out of Android's application security sandbox. A blogger at Android Police took a closer look at the malicious applications and verified that they do indeed contain exploit code that can root a user's device as well as code that can send sensitive information (IMEI and IMSI) from the phone to a remote server. Android Police also found that there is another APK hidden inside the code, which can steal additional sensitive data."
Lookout's 5 million users received an over-the-air update last night that includes protection from these apps, said spokeswoman Alicia diVittorio. She added, "This is the first major malware we've seen in the Android Market. The good news is that Google pulled all those developers from the Market."
Google also has the ability to pull the apps remotely from devices, but has yet to do so, according to the Lookout blog, because the apps are "under active investigation."
Android does require users to approve application permissions before completing an app installation.