Google has used its remote kill-switch powers to delete malware from affected Android handsets after around 50 Trojanized apps were uploaded to the Android Market last week.
The plan of attack was outlined in a post on Google's Mobile Blog:
- We removed the malicious applications from Android Market, suspended the associated developer accounts, and contacted law enforcement about the attack.
- We are remotely removing the malicious applications from affected devices. This remote application removal feature is one of many security controls the Android team can use to help protect users from malicious applications.
- We are pushing an Android Market security update to all affected devices that undoes the exploits to prevent the attacker(s) from accessing any more information from affected devices. If your device has been affected, you will receive an email from firstname.lastname@example.org over the next 72 hours. You will also receive a notification on your device that “Android Market Security Tool March 2011” has been installed. You may also receive notification(s) on your device that an application has been removed. You are not required to take any action from there; the update will automatically undo the exploit. Within 24 hours of the exploit being undone, you will receive a second email.
- We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues.
We also get information on the malware:
The applications took advantage of known vulnerabilities which don’t affect Android versions 2.2.2 or higher. For affected devices, we believe that the only information the attacker(s) were able to gather was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices, and the version of Android running on your device).
Can Google legally remotely delete apps? Sure it can. It's built right into the Android Marketplace ToS:
2.4 From time to time, Google may discover a Product on the Market that violates the Android Market Developer Distribution Agreement or other legal agreements, laws, regulations or policies. You agree that in such an instance Google retains the right to remotely remove those applications from your Device at its sole discretion and without notice to you.
Google claims that the offending malware was removed from the Android Market 'within minutes,' but as a comment on Google's Mobile Blog by PucKo points out, things weren't as straightforward as that:
This is where the problem is. You became aware because someone had a contact inside Google who alerted the right people.
According to one of the developers of the hijacked applications, he had tried for almost a week to get in contact with someone through the normal channels to correct the situation.
I am sorry if I sound harsh, but Google is a master of data processing, and surely you should be able to pick up a distress call from a developer within hours instead of a week.
This is the second time that Google has remotely deleted apps from users' handsets. In June of last year it used the same powers to delete two free apps created by a security researcher.