Developer banned, malicious apps automatically removed from users' infected phones, exploits patched

Android Market

Google late Saturday night publicly revealed the action it has taken in the wake of a number of malicious applications that were lurking not so quietly in the Android Market. As you'll recall, some 21 apps from a single developer were found to be collecting and sending device IDs (IMEI codes) and Android versions, but the exploit left users open to worse attacks. Here's the short version of what Google's done since being alerted March 1:

  • The apps were removed from the Market, developer accounts banned and law enforcement notified.
  • Google is remotely removing the malicious applications from infected phones. (That's a feature Google has at its disposal, and has used in the past.)
  • Google is pushing an update to undo the security exploits that allowed these malicious apps to work in the first place.
  • Google is "adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market."

A couple things to note here: If you are running Android 2.2.2 or higher, you don't have these security vulnerabilities. If you were affected, you'll be getting an e-mail from Google (android-market-support@google.com) explaining things, and you'll be getting an Android Market Security Tool 2011 app to patch the exploits.

So the barn door's been closed, folks. Google says it's taking additional steps to keep this sort of thing from happening again. That's not to say it won't happen -- by nature, attacks will continue. But good on Google for explaining exactly what happened, and what's being done in the aftermath. [Google Mobile Blog]

 

Reader comments

Google tells of steps taken in wake of spate of malicious apps

23 Comments

Am thinking for all of us on our Epics with 2.2.1 we might be at some risk but if you pay attention to what you're installing you should be ok...

There are 2 significant issues around the Android platform that should be noted here and just for the record, I am an Android user on multiple hardware platforms. The first is that waiting for the platform manufacturer (say Motorola) and carrier (say Verizon) to make significant changes to stock builds before rollout delays critical fixes made in updated Android builds. The second is that it's incumbent upon Google to more thoroughly review applications before they are allowed in the marketplace. Users need to have some assurance that if they follow the rules and only obtain apps from a credible source, they will be reasonably secure. Even though Google was very responsive in removing the malicious apps, there are no doubt many more apps in the marketplace as malicious. These are 2 significant issues that Google will need to overcome in the near future to shore up their ecosystem and they probably know it....

Good job...
Did I give you permission to automatically remove stuff?
I understand the reason. Shouldn't Google have asked?
What would Apple do?
Did I give permission?

So, I take it with you they're damned if they do and damned if they don't. Google took immediate action upon discovering these malicious apps and, in order to protect users of their Android OS, they removed the applications. I think what they did was prudent. Apple would have done the same thing. The difference would have been that they'd have to wait for the user to connect their iDevice to iTunes for the magic to happen. With Google it all happens automagically over the air.

Yes, by using an Android device you consent to several acts by Google, including use of their "Remote Kill" tools.

It's the Windows situation all over again and it's only going to continue. It's nice that Google reacted appropriately with these measures, but there was nothing in place to prevent this from happening and that leads me to believe nothing is in place to prevent the next new exploit. Seems to me Google will always be reacting to these incidents once they are discovered. In the meantime, Android users are OPEN to the next exploit. In my opinion, I don't think mobile users are going to be as tolerant as Windows PC users were when it comes to exploits on their devices. The Android OS will suffer as a result.

Just like there are free and paid antivirus solutions for Windows, there are free and paid antivirus solutions for Android. The potential for viruses has been there for every phone OS. This is not a problem unique to Android.

Did any one of the available antivirus apps detect these malicious apps? Any of them?

Are we even talking about viruses here?

Treknologist, I think you're missing the point. It's not in the solution but preventing it from happening in the first place. Our mobiles are truly "PERSONAL" computing devices. They're with us all the time. We miss them when they're not there, and reach out for them in a moment's notice. We're connected to them in a way that the desktop or laptop never achieved. They're filled with information that accumulates with each passing moment. This is information we value and want protected. The moment you start talking about antivirus software, the battle has already been lost. We all should want and demand better security. If it proves elusive with Android, then we have a decision to make.

I have to agree with Jamaicanbob. Android is going the route of PC Windows. I'm not going to install an antivirus on my phone (free or paid). I'm already fed up with that "security" crapware robbing my PCs of good performance and if it weren't for work reasons, I wouldn't be using Windows at all. Just like Linux and MacOS users don't HAVE TO run anti-malware software, if Google doesn't get proactive with these issues, I'm going to jump ship to a mobile platform where anti-malware software is not a necessity, and recommend everybody around me to do the same.

Ah, I hate to break this to you but Android is Linux.

So that kind of shoots down your entire line of argument.

And for the record, we aren't discussing a virus that crept onto your phone from an email. It was installed by the user. The user gave it permission to access the net.

For the record, we aren't discussing a virus that crept into phones by users going to some sketchy warez site to download apps. These were apps found in what is supposed to be the first go-to source to discover new apps and new developers, the Android Market.

As for the "Android is Linux" thing, at least in PC Linux you do get the option, heck it's your duty, to choose a root password and then allow/disallow root access to programs that request it by typing said password. PC Linux doesn't lock you out of your system by not letting you set root access by normal means, so rooting exploits need to be used.

Rootkits are used to hack desktop Linux, which is basically what the exploit was that was used in the apps. The security vulnerabilities that exist in desktop Linux are, for the most part, still present in Android - it goes both ways. Hence why Clam AV exists for Linux (among other AV programs for Linux). All a virus is, is just an automated hack - a code that waits on a host and unloads itself on the target system. For anyone that thinks there is even one safe OS out there, I would love to see it. OSX has had viruses in the past, Linux has had them too in the form of a rootkit since you need to operate as root in order to alter the system in that manner. Windows, well...

So far the Blackberry OS is the only one that I've yet to see hacked in a manner that would qualify as a 'virus'. They've only been hacked using active 'hacker present' methods - not 'fire and forget' methods like a virus.

"•Google is pushing an update to undo the security exploits that allowed these malicious apps to work in the first place."

So this means rooted devices will get un-rooted? This is good for those users who did not root their phones and were compromised by the malicious apps, but what about those users who have rooted their devices on their own? Phones rooted through exploits like those used by the malicious apps might become un-rooted, and non-rootable again... until new exploits are found, then we're back to square 1...

You are reading too much into that.

It never said anything about root, and these apps didn't require root. They used the rageagainstthecage exploit. That's not the only way to achieve root.

The apps did not require a rooted device -- they were capable of rooting an unrooted device using rageagainstthecage to do their thing.

So I'm assuming that the exploit lies deep in the phone's system files. If that's the case, and Google can just release an app that will work that deep down and fix it all up, then why can't we get OS updates through that method?

Yeah, sure, devices are all different and the manufacturer is pretty much the only one that can make each version work 100% with their devices, but what about small updates? For example, the messaging app bug?

Furthermore, this method of updating and patching things bypasses the carrier almost completely unless you're updating sans-wifi. And we all know that the carriers are responsible for like 60% of Android-related headaches (Bloatware, some responsibility over OS updates).