Monday, June 13, 2011

Google Pulls More Malware-Infected Apps From Android Market

Google has removed more apps from its Android Market due to malware, some of which appear to exploit the popularity of apps like Angry Birds.

Google removed 10 apps from the market pending investigation after they were discovered and reported by Xuxian Jiang, an assistant professor at NC State University's Department of Computer Science.

"While continuing an Android-related research project after the discovery of the DroidKungFu and YZHCSMS malware, my research team also came across a new stealthy Android spyware in the Official Android Market," Jiang said in a statement.

Known as Plankton, the spyware "does not attempt to root Android phones but instead is designed to be stealthy by running the payload under the radar," Jiang wrote. "In fact, Plankton is the first one that we are aware of that exploits Dalvik class loading capability to stay stealthy and dynamically extend its own functionality."

There are at least 10 Plankton apps from three different developers, Jiang said. Their stealthy nature has enabled them to remain undetected in the market for more than two months.

On Friday, Webroot analysts Andrew Brandt and Armando Orozco took a closer look at Plankton and found that it was focused on the popular game series Angry Birds. "Some of the samples we looked at came as Android apps with names like Angry Birds Rio Unlocker v1.0, Angry Birds Multi User v1.00 or Angry Birds Cheater Trainer Helper V2.0," they wrote in a blog post.

When you install the offending apps, you'll see the following message: "Welcome! Simply click on the button below to unlock ALL levels in Angry Birds Rio. This will not delete your scores but might change the number of pineapples and bananas you have."

Of course, the apps do no such thing. "Instead, the malicious apps install additional code into the Android device into which they're installed," Webroot said. "These additional functions provide remote access and control of the Android device to, presumably, the distributor of the malicious apps, whose identity remains unknown at this time."

Luckily, the Plankton creators labeled their code very distinctly, making it easy to wipe from a phone, Webroot said. Whereas other malware apps have worked to obtain root, or administrative, access to the operating system, Plankton appears to provide access to sensitive data on a phone, such as browser history, bookmarks, and homepage settings in the built-in Android browser.

Webroot, however, said it is investigating a "command-and-control server, which sends back instructions for the app to download an additional Java .JAR file."

"Early reports from the university researchers indicate that the payloads are simply reworked versions of the remote access code embedded in the Trojan, modified so they're slightly harder to detect using existing antivirus signatures," the researchers said.

How do you protect yourself? Webroot suggested using a little common sense. "Does the app sound like what it promises to do is too good to be true? Does it ask for all kinds of permissions that it shouldn't need to fulfill its mission? Did you get it from the official Market or a legitimate app store such as Amazon, or from some random app collection? If you can answer yes to any (or all) of these questions, just don't install the app."

This is just the latest in a string of malware apps removed from the Android Market. Earlier this month, Google removed more than two dozen apps from the Android Market due to malware. That malware was identified by mobile security firm Lookout thanks to a tip from a developer who noticed that modified versions of his and other apps were being distributed in the Android Market.

In early March, Google remotely deleted a series of applications from users' phones due to malware known as DroidDream and released a security update to rectify the problem.

Unlike Apple, Google does not monitor its apps once they are in the Android Market, responding only to complaints.

"We don't generally go back and try to make sure that every app does what it says it's going to do. [Google is] really trying to maximize the ability of small app developers to get online," Alan Davidson, director of public policy at Google, said during a recent appearance on Capitol Hill.
