Android malicious apps: Google flicks kill-switch

But questions remain over underlying security of Android platform...
Written by Natasha Lomas, Contributor

Google has confirmed it removed "a number" of malicious Android apps last week
Photo: Natasha Lomas/silicon.com

Google has finally confirmed it used a remote security tool to remove several malicious Android applications that had been published to its app store and downloaded by users of Android hardware.

Unlike Apple's iOS App Store and other smartphone app marketplaces, Google's Android Market does not vet applications by requiring developers to submit software for approval before it is published. App makers for Google's mobile platform merely have to pay a small fee to register as a developer and sign their app using a certificate or key before they can upload it directly to the Android Market.

The absence of a third-party approval process for Android Market has been identified as a potential security hole in the platform. "Prevention is always better than cure - so there's no doubt that vetting apps is going to be a stronger defence than cleaning up the malware mess later," Graham Cluley, senior technology consultant at Sophos, told silicon.com.

"Of course, vetting doesn't necessarily mean that all malware will be stopped at that point - but it does mean that apps need to go through an additional check," he added.

Writing in a blog post, Rich Cannings, Android security lead at Google, said Google's Android team was made aware of the malicious apps' existence on the evening of 1 March. "Within minutes of becoming aware, we identified and removed the malicious applications," he wrote.

According to Cannings, the apps exploited known vulnerabilities in the Android platform that affect versions 1.5, 1.6, 2.0/2.1 - Cupcake, Donut and Eclair - but not versions 2.2.2 - Froyo - or higher. Google believes the dodgy apps only harvested certain device-specific data: the unique IMEI/IMSI codes used to identify mobile devices, and the version of Android running on the device.

But Cannings added that "the nature of the exploits" meant the attackers had the ability to access other data. It was this risk that spurred Google to deploy its security tool to remove the offending apps, said Cannings, thereby preventing the attackers from accessing any more data from the affected devices. Google has also suspended the developer accounts associated with the malicious apps, and contacted police about the attack.

Users who have downloaded the malicious apps will have received an email notification from Google stating that its Android Market Security Tool update has been pushed to their device, and may also receive email notification to confirm the malicious apps have been removed, according to the blog post. Only affected users will receive the update and they will not be required to do anything to remove the malicious apps themselves.

However, Google has also provided troubleshooting tips for its Android Market Security Tool - suggesting it is possible for the update to fail to install correctly. In that instance, users are given a variety of troubleshooting options to try.

Even though Google can fix the compromised smartphones by using its remote security tools, Sophos' Cluley noted it cannot patch the underlying security hole the apps exploited without relying on the co-operation of the various third parties in its Android ecosystem - and that means the platform remains vulnerable.

"Unfortunately, although Google can fix affected smartphones, it can't patch the security hole that allowed the malware to cause problems in the first place," he said. "It's up to the [operators] and smartphone manufacturers to send out the update to devices that may be vulnerable."

"That's a lot different from Apple, who can roll out a security update centrally via iTunes if a security problem emerges," Cluley added.

Google has not responded to a number of questions from silicon.com about the security issue. But Cannings' blog post added: "We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues."

Sophos' Cluley said he predicts this won't be the last time malware authors target the Android platform. "As the devices become more popular, they will become an irresistible target for cybercriminals," he added.
