Google flips on death-ray, nukes Android malware ... but is it enough?

TOPICS: Security, Google, Malware

Google has used its remote kill-switch powers to delete malware from affected Android handsets following the uploading of around 50 Trojanized apps to the Android market last week.

The plan of attack was outlined in a post on Google's Mobile Blog:

  1. We removed the malicious applications from Android Market, suspended the associated developer accounts, and contacted law enforcement about the attack.
  2. We are remotely removing the malicious applications from affected devices. This remote application removal feature is one of many security controls the Android team can use to help protect users from malicious applications.
  3. We are pushing an Android Market security update to all affected devices that undoes the exploits to prevent the attacker(s) from accessing any more information from affected devices. If your device has been affected, you will receive an email from android-market-support@google.com over the next 72 hours. You will also receive a notification on your device that “Android Market Security Tool March 2011” has been installed. You may also receive notification(s) on your device that an application has been removed. You are not required to take any action from there; the update will automatically undo the exploit. Within 24 hours of the exploit being undone, you will receive a second email.
  4. We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues.

We also get information on the malware:

The applications took advantage of known vulnerabilities which don’t affect Android versions 2.2.2 or higher. For affected devices, we believe that the only information the attacker(s) were able to gather was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices, and the version of Android running on your device).

Can Google legally remotely delete apps? Sure it can. It's built right into the Android Marketplace ToS:

2.4 From time to time, Google may discover a Product on the Market that violates the Android Market Developer Distribution Agreement or other legal agreements, laws, regulations or policies. You agree that in such an instance Google retains the right to remotely remove those applications from your Device at its sole discretion and without notice to you.

Google claims that the offending malware was removed from the Android Market 'within minutes,' but as a comment on Google's Mobile Blog by PucKo points out, things weren't as straightforward as that:

This is where the problem is. You became aware because someone had a contact inside Google who alerted the right people.

According to one of the developers of the hijacked applications, he had tried for almost a week to get in contact with someone through the normal channels to correct the situation.

I am sorry if I sound harsh, but Google are a master of data processing, and surely you should be able to pick up a distress call from a developer within hours instead of a week.

This is the second time that Google has remotely deleted apps from users' handsets. In June of last year it used the same powers to delete two free apps created by a security researcher.

Talkback

17 comments
  • Lessons learned.

    Google need to tighten up their vetting process.

    If that means developers experience delays in getting their apps approved, so be it.

    I am willing to wait provided that Google exercises due diligence in validating source code reaching the market.

    There is no other way. Grunt through code review by humans takes time.

    P.S.
    I've been waiting for a 'complete' explanation for how such malware reached the Market. What has been written thus far by Google does not go into detail as to how the breach on the site (mechanism) was accomplished.

    It would be good for all to know 'exactly' what happened.
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • RE: Google flips on death-ray, nukes Android malware ... but is it enough?

      @Dietrich T. Schmitz, so basically be more like Apple. But what about all the loss of freedom that Android advocates keep harping on with all this "control?" Interesting. Just goes to show that Apple Control is just another talking point for Apple detractors. The lack of curatorship in the Android ecosystem is the worst thing about it in my opinion.
      CowLauncher
  • Android is malware!

    The fact is that Android is a trojan horse designed to spy on its users and accumulate their personal information for Google. That is the bottom line.
    jorjitop
    • RE: Google flips on death-ray, nukes Android malware ... but is it enough?

      @jorjitop

      Yeah... but they are only watching you because I'm too boring.
      Oregoner
  • RE: Google flips on death-ray, nukes Android malware ... but is it enough?

    Just out of curiosity, what is to keep some third world despot from figuring out how to turn on this "Android Death Ray" in order to quell the rebellious masses? For instance, much has been made about twitter's role in these rebellions, flip a switch no more twitter apps on Android phones. Could it happen?
    YaBaby
    • Hmmmmm.....

      @YaBaby
      I think you've just hatched a new movie plot!
      Userama
  • Question:

    Were any of the apps that were nuked pay apps? If so, does Google refund the price?
    Userama
    • RE: Google flips on death-ray, nukes Android malware ... but is it enough?

      @Userama That's pretty funny. So if I am duped into paying for a virus, Google should pay me for deleting it from my phone? Normally one has to pay an IT guy to delete malware.
      dimonic
  • It's the PC Virus thing all over again!

    Android Virus / malware checkers will be soon sold on-line. A new market is emerging. Is Google/Android the new MS? Will malware attacks be the new norm? PC / WinDos users must love this stuff.

    Good report Adrian
    MacNewton
    • RE: Google flips on death-ray, nukes Android malware ... but is it enough?

      AVG has an app listed:)
      bill_wtsn@...
    • RE: Google flips on death-ray, nukes Android malware ... but is it enough?

      @MacNewton

      Hmmm I think you're a little late.

      Check out lookout for android and AVG for android.

      Both have a 'free' and 'pay' version...

      Also the amount of viruses and exploits is very closely correlated with market share. So yes, PCs are popular, virus makers focus on that. Android is quickly getting more and more market shares thus you will end up seeing more and more of these.
      tchopard
  • RE: Google flips on death-ray, nukes Android malware ... but is it enough?

    Regarding the notification process, you should probably do some actual research and fact checking, rather than quoting unsubstantiated blog posts as gospel.

    It is certainly true that at least one developer of one of the apps that was cloned had notified Google of the fact through the normal developer channels for such things.

    There is a process for complaints of this nature where Google verifies who the aggrieved party actually is and if the claim is valid they remove the offending app. Devs have indeed complained in the past that this process is slower than it should be.

    However, it should be noted that at this point it was not a notification of a security issue and it was not made to the Android security response team.

    Far from contacting an insider being the only way to get action on this, my understanding is that the folks who discovered the actual security issue notified Google through the correct process, which is documented here:
    http://developer.android.com/guide/appendix/faq/security.html#issue

    There is certainly an argument that the two processes should be connected at some level, as a ripped off popular app is a likely candidate for malware.
    davros62
  • RE: Google flips on death-ray, nukes Android malware ... but is it enough?

    Please tell me how to do it!!!!!!
    res0jpbj@...
  • RE: Google flips on death-ray, nukes Android malware ... but is it enough?

    The fundamental weakness of Android is the refusal to allow owners full control of products they have purchased at great expense to themselves.

    This natural injustice results in a blind eye being turned to the root kits which allow the owners to obtain control of their machines and in some cases obtain updates otherwise denied by them. Unfortunately the lax attitude also leaves an opportunity for malware...

    The sooner Google, the device manufacturers and the phone companies realize that the devices are effectively portable personal computers and stop holding the purchasers to ransom the better it will be for everyone.
    worcesterberry
  • Google/Android FAIL

    Apple has proven with their app-vetting system that you can't get malware/trojans into iOS. There has yet to be ONE case!
    MSFTWorshipper