Trojan found in Android Market

Malicious files once again have found their way into the Android Market, with a set of applications being hijacked, reverse engineered with malicious code injected, and published alongside the legitimate applications.

Two thing need mention up front -- Google has already removed the apps from the Market, and this time around they only affected users in China, where they also originate from.  If you're reading this story, you probably are safe and never were at risk.  But this is still a big concern.  A set of bad guys (that's my safe-for-work version) were able to de-compile apps from a legit developer, put in some code that sends SMS messages to a Chinese subscription service, and then took some really ingenious steps to keep everything hidden from the user.  That's going to happen, because everything that's electronic and popular enough is a target.  The part that is concerning is that these are making their way into the Android Market.

Allow me to have a few hundred words with you about it, after the break.

Source: AegisLabs via Sophos; Thanks, Tony Bag o' Donuts!

I'm torn.  As a user and on a personal level I say leave everything open, and force users to be diligent and only install apps they trust, regardless of where they come from.  Learn what the permissions are, and why an app may or may not need them (i.e. Adobe Reader).  But as a blogger and (hopefully) respected Android authority, I have a responsibility to our readers to want what's best for them.  That's you guys.  Many of you are respected Android authorities in your own right, and have no problem discerning what's safe and what's not.  Many others aren't, and depend on Android Central and other Internet resources to offer good advice on how to stay safe.  This leaves me in a bit of a pickle.

While reading the various security publications about this one, I came across a really interesting idea from Vanja Svajcer at Sophos.  His idea is simple and easy to implement -- what we need is two sets of signing keys.  Applications that want or need to do things like send SMS messages, or play around with your contact list should have to use a set of verified keys tied to a legitimate developer account that's been approved by Google.  Let the fart apps and themes keep using user-generated keys -- don't force hobby developers to jump through any hoops for the people at Mountain View if they aren't going to be doing anything that could create a potential security issue.  But the moment an app wants to access your phone book or use your GMail authToken, check the signing key and verify it.  Keep the users safe, and they will stay happy.  Happy users buy more apps, and more Android products.  Rocket science it ain't.  Vanja hit the nail squarely on the head with this one -- what say ye, Google?

Anyhoo, this one's over and done.  If you're curious, here's a list of the affected applications.  Do take note that they all were promptly removed from the Market and only affected users with a Chinese locale and phone number.

  • iBook
  • iCartoon
  • LoveBaby
  • 3D Cube horror terrible
  • Sea Ball
  • iCalendar
  • iMatch
  • Shake Break
  • ShakeBanger
  • iMine
  • iGuide

We'll keep an eye on things, and let you know the next time it happens.  And there will be a next time -- the trade-off for being able to have kick-ass apps like Handcent is having apps that use the same functions and openness for things we would rather they didn't.  At this point, I'm going to have to suggest two things:

  1. Use a "virus" scanner.  Yes, I know there aren't any viruses for Android, but names sort of get stuck.  All the security issues so far have required the end-user to want to install them.  You won't get infected with anything just by using your phone.  There are several in the Market to choose from.  They all work, so check the features of each and make a choice.  Then be glad we have them to do the dirty work for us.
  2. Don't install any apps you shouldn't be.  Yes, it's tempting and we made it fairly easy with the Sideload Wonder Machine (but that was not my intent!).  Security bloggers aren't just blowing smoke when they warn you about this.  If you're capable, hit one of those pirate app forums and download a handful, then reverse engineer them and compare them against the official versions.  If you're not capable, just trust us.  About half of them have some serious differences in the code.  Stick with apps you trust.  Or stick to the Market -- if you do get stuck with a trojan Google will fix you up.  Not only do the developers deserve the few bucks they are asking for their hard work, you'll be safer in the end.
 
There are 19 comments

garfnodie says:

Android is Linux, and Linux already asks to verify if an app should be allowed to do something deemed possibly dangerous. Why did they remove that feature in the first place?

You're shown every permission before you install an app, and have to approve them before you can install. But nobody reads or understands them.

garfnodie says:

The permissions up front are like a EULA. They are there because they have to be, but need to be complimented with additional prompts and warnings when necessary.

Android is sadly suffering the same fate at MS Windows. I have faith though that Google, or other Dev's, will work out ways to fix this.

BlackHawkA4 says:

Ya. If an app has a weird permission for something it shouldn't... And those apps already sound suspect. I'm not buying anything that had a I before it. Lol.

I never get virus on my computer. It's all about the user.

pseudoelf says:

But what is weird?..... And why can't we chose to restrict access like Blackberry users can. Besides some of the descriptions are just too vague to clue one into what the permission means.... Case in point.."Read phone state" why...... What about it..... (usually so the app can pause for a phone call but it is vague.....) I would like to have the option to kill SMS capability for instance... I don't pay for texting (just GV) how can I be sure it'll use GV and not start getting me $0.20 a pop messages from my carrier.

Thank you, Jerry, for once again calling attention to this issue, in this and your previous post about this as well (the one about the malware that's able to remotely root your device). This is getting to the point where it's starting to scare me away from Android. I mean, as much as I like Android and am rooting for it as a platform, this sort of thing is just getting too scary to ignore. I'm not saying that Google should lock it down Apple-style (God forbid!), but they do need to do something to correct this, ASAP. Implementing Vanja Svajcer's solution with 2 sets of verified keys would be a good start.

darreno1 says:

Got news for you, there are NO 100% secure systems out there. There have been malicious apps in the Apple store as well. If you do your homework (which you should be doing anyway) it's highly unlikely you will get into problems. Google can always do better (same with Apple)true, but you can't expect them to always hold your hand.

I know there aren't any 100% secure systems out there, and I definitely don't need my hand held (had enough of that from Apple, thank you. LOL). I've seen how quickly iOS can be hacked by those with the right skills.
I do my homework on this stuff too; that's why I come here and other related sites to learn about this stuff (XDA Devs being one of my favorites). I know that every OS has its pros & cons, as I've owned BB, WinMo 6.5 (briefly), Android, and iOS devices (in that order).
My point (and I *think* Jerry's point too) is that if this sort of thing continues unchecked, a lot more people are going to end up getting burned like this, and it might create the perception among consumers (justified or not) that Android is buggy and full of malware. You and I know that's not really the case, but your average Joe Blow Android users (the vast majority) probably don't.
You might be surprised (or you might not) how many Android users I come across who don't even know that it's possible to update their device, or even which version they're running, let alone how to root it. Those are the users who are most susceptible to this stuff (who don't bother reading the permissions or EULA, as Jerry pointed out), and who need Google to do something about this, whether they realize it or not. Here's hoping that future updates e.g. Ice Cream Sandwich will resolve this.
Sorry for the long-winded diatribe...
PEACE

dazweeja says:

1. This wasn't a virus so there's no reason to think that Google's antivirus measures that they implemented following the last outbreak in the Market aren't effective.

2. Only install apps from trusted developers.

Problem solved.

patrixl says:

Who and what is a trusted developer? We in North America tend to distrust (rightly or wrongly) Chinese developers, but what about people in China? I'm sure there are trusted developers there too (hm, MIUI comes to mind, at least as far as we know they can be trusted and have a trusted ROM -- I know it's been tested with tcpdump to see if it sends anything surreptitious) . And Chinese need to know that too. And Japanese. And Europeans. And Canadians. And so on.

Heck even with my Japanese phone, I saw a 400¥ app called "DoubleTwist", and wasn't sure if it was the real DoubleTwist. Took a lot of digging and asking DoubleTwist themselves till they confirmed it was their own application, but never explained why I'd have to pay again (paid for AirSync on my Canadian phone) for an app that's free in the rest of the world, and moreover for fewer features. Never got an answer, but my point is that not everyone will dig and find out if a developer is legit or not, and often it's hard to tell.

Who is a trusted developer? Let's say I release a new app.. I'm a nobody (well not personally, I'm awesome and everyone loves me, but on the Android Market, nobody would know me if I had a new app). Basically you're saying no one should install my app. Or buy it. Or accept its permissions. Great!

Yet it does nothing malicious.

How do we solve this?

dazweeja says:

@Jerry, please provide reasons for telling people to install a virus scanner. Are you sure that it would have done anything in this case? I suggest that it wouldn't. There was no virus here, just an application designed to do something that legit applications also do but in this case the user wasn't informed. I won't be installing virus scanners on my phone, instead I'll be only installing apps from trusted developers.

I'd even go so far as to suggest that someone with a virus scanner would be more susceptible to this sort of malware because they'd be more willing to install risky apps thinking that the virus scanner will catch them.

The samples were provided to the one I use (not naming names) and the apps in question were found to contain malware.

As were all the droiddream ones.

And the "snake" trojan.

And the Russian sms subscription service trojan.

Fell free to draw your own conclusions.

UncleMike says:

I like the idea of using a different signing key for certain permissions, but what I would really like to see is the ability for the end user to grant or deny each permission on an app-by-app basis. On my old iDEN handsets, the user was prompted each time an unsigned app did something that required one of any number of permissions. Users were allowed to specify default responses for signed apps. This worked well with minimal annoyance.

I agree with dazweeja - users implementing any sort of security solution tend to become complacent, depending on their chosen solution to protect them. As with computers, the user is the first and last line of defense; if they aren't willing to understand and pay attention to what they're doing, they will always be easy targets.

Might it be possible to write an app, like Superuser, that would prompt when certain actions are attempted, and let the user allow or disallow the action, and set a default for future requests from the same app?

Mgamerz says:

I hate how virus scanners for android pick up superuser as a virus...
I don't want them to list that as a virus! I want it rooted. I don't install other APKs other than ones from xda.

srkmagnus says:

Thanks for a good read, Jerry. Very informative and makes me a bit more concerned considered I read an article last night posted in the forums about people capturing authorization tokens via an unsecured network for several google apps.

I will continue to grab apps from the market and keep an eye on the permissions being requested. There are several apps I have turned down even though the developers provided an explanation for why a certain permission is needed (internet access, location, phone identity). Being diligent should help people prevent unauthorized access and we'll have to rely on the community/google to expose tainted apps.

Naris says:

Why couldn't they do both for their customers? Maybe they can divide the marketplace into two different categories: Fully vetted and wide open. Kind of like the Editor's Choice thing they are planning, but with all apps. Have an option to filter out all non fully vetted apps and leave it on by default, and let people choose to take the risk.

^ This.

greasyspoon says:

And the above fix will be in android 2.6.1 available in your next handset after your next handset...

Xopher says:

I like the idea of signing keys. I also develop for BlackBerry and they use signing keys for accessing things like the address book, sms, internet, and so on.

It won't stop everything, but it will deter a few people, plus it lets Google track which app developers sign which apps, and they can turn off the keys if someone is being malicious.