Google remotely killing Android malware
Google is now using a remote security tool to remove malicious applications from affected Android devices after a malware outbreak hit its official app store, the company announced over the weekend.
Early last week, it was discovered that more than 50 apps offered in Google's official Android Market were infected with malware, known as “DroidDream,” that is capable of gaining root access to a device, harvesting data and installing additional malicious code.
Google has since removed all the malicious apps from its app store and is issuing a security update to affected devices – called “Android Market Security Tool March 2011” – that will remove the exploits and prevent attackers from accessing any more information, the search giant said in a blog post Saturday from Android security lead Rich Cannings.
“This is, in effect, Google's ‘remote kill switch' – capable of forcibly removing offending apps from users' phones,” Graham Cluley, senior technology consultant at anti-virus firm Sophos, wrote in a blog post Monday.
Approximately 260,000 Android devices had one or more malicious apps installed, according to reports. A Google spokesman would not publicly provide a number.
But while Google's tool effectively eradicates the malware, it does not fix the underlying vulnerabilities that the malicious apps took advantage of, Cluley said.
The apps exploited known vulnerabilities, which have been fixed in Android 2.2.2 (Froyo) and higher, Google said. Those running older Android versions, such as 1.5 (Cupcake), 1.6 (Donut) and 2.0/2.1 (Éclair), may still be vulnerable to similar attacks, Cluley said.
“It is up to individual carriers and smartphone vendors to make sure that the patch is rolled out to users running older versions of Android,” he said. “There are so many devices running so many different flavors of Android, ensuring that all of them are kept up-to-date with security patches becomes a very serious problem.”
Google said it is working with its partners to provide a fix for the underlying security flaws. In the meantime, the company has suspended the developer accounts of those who posted the malicious apps and is contact with law enforcement.
Also, the search giant is adding additional, unspecified safeguards to prevent other malicious apps from being distributed in the Android Market.
Google said it believes the attackers were only able to gather certain device-specific information, including IMEI/IMSI numbers, unique codes that are used to identify mobile devices, and the version of Android running on the device.
“[But] given the nature of the exploits, the attacker(s) could access other data, which is why we've taken a number of steps to protect those who downloaded a malicious application,” Google's Cannings wrote.