Dozens of malicious apps pulled from Android Market

Share this article:

Google has removed dozens of apps from its Android Market after discovering they contained malware that could compromise users' personal data.

More than 50 apps were found to be infected with malware capable of gaining root access to a device, harvesting data and installing additional malicious code, computer security researchers said Wednesday. Before being pulled from the marketplace, the malicious apps were downloaded by at least 50,000 Android users within a four-day period.

A Google spokesman declined comment to SCMagazineUS.com on Wednesday.

All of the malicious apps were pirated versions of popular legitimate apps that cybercriminals bundled with malware and republished in the Android Market under different application and publisher names. The apps were posed by the publishers with handles “Kingmall2010,” “we20090202,” and “Myournet,” all of whom have been suspended.

The first batch of 21 malicious apps, which came from the publisher Myournet, was discovered by a user of the news aggregation site Reddit. Following initial reports, researchers at mobile security provider Lookout discovered a second lot that was posted by Kingmall2010 and alerted Google, Kevin Mahaffey, CTO at Lookout, told SCMagazineUS.com on Wednesday. Google then discovered a third set that was posted by we20090202.

Google removed the malicious apps within minutes of being notified, Mahaffey said.

“It's impressive how quickly they responded to these issues,” he said.

Even though the apps were posted from different developer accounts, the way the malware was packaged indicates that they all came from the same person, Mahaffey said.

Once downloaded, the apps attempted to root a device using common exploit tools, such as “rageagainstthecage” or “exploid.”

These tools often are used by hobbyists to jailbreak or root their Android phones, Mahaffey said.

The apps then attempted to send data from the phone to a remotely controlled server. Specifically, they tried to steal IMEI and IMSI numbers, used to identify mobile phones, as well as model numbers and the user's language, ID and country.

Most alarmingly, the apps attempted to open a backdoor to the devices that could be used to download additional malware, researchers said.

The apps gave attackers “full access” to a device, Vikram Thakur, principal security response manager with Symantec, told SCMagazineUS.com on Wednesday.

Cybercriminals regularly package malware inside seemingly legitimate apps and release them in unofficial, third-party app stores, researchers said. This time, however, the malicious apps made their way onto the official Android Market, which provided a much larger pool of potential victims.  

Chris Wysopal, CTO of application security firm Veracode, told SCMagazineUS.com on Wednesday that similar attacks are likely unless Google begins to more stringently police the apps allowed in its store.

Google currently uses a community-enforced security model, whereby users can flag apps as harmful or inappropriate. If an app is in violation of the search giant's policies, it will be removed from the market and the developer may be blocked.

Other mobile app store providers take a different approach. Microsoft, for example, mandates that all apps and games available in its Windows Phone Marketplace are tested and certified for quality and performance before being made available to consumers.

Wysopal said he believes Google should adopt a similar model. 

“I believe the app stores should be vetting the apps with an approval process before allowing them in,” he said.

Lookout's Mahaffey, however, said he believes Google's current process allows for an “open, innovative app ecosystem” and should not be changed.

Malicious apps disguised as legitimate programs began turning up the Android Market a year ago, and other instances followed.

Share this article:

Sign up to our newsletters

More in News

Report: SQL injection a pervasive threat, behavioral analysis needed

Report: SQL injection a pervasive threat, behavioral analysis ...

Long lag times between detection and resolution and reliance on traditional methods impair an organization's ability to combat SQL injection attacks.

WhatsApp bug allows for interception of shared locations

Researchers identified a vulnerability in WhatsApp that could enable an attacker to intercept shared locations using a man-in-the-middle attack, or a rogue access point.

Google tweaks its terms of service for clarity on Gmail scanning

The company is currently dealing with a lawsuit that challenges its email scanning practices.