Google remotely killing Android malware

Google is now using a remote security tool to remove malicious applications from affected Android devices after a malware outbreak hit its official app store, the company announced over the weekend.

Early last week, it was discovered that more than 50 apps offered in Google's official Android Market were infected with malware, known as “DroidDream,” that is capable of gaining root access to a device, harvesting data and installing additional malicious code.

Google has since removed all the malicious apps from its app store and is issuing a security update to affected devices – called “Android Market Security Tool March 2011” – that will remove the exploits and prevent attackers from accessing any more information, the search giant said in a blog post Saturday from Android security lead Rich Cannings.

“This is, in effect, Google's ‘remote kill switch’ – capable of forcibly removing offending apps from users' phones,” Graham Cluley, senior technology consultant at anti-virus firm Sophos, wrote in a blog post Monday.

Approximately 260,000 Android devices had one or more malicious apps installed, according to reports. A Google spokesman would not publicly provide a number.

But while Google's tool effectively eradicates the malware, it does not fix the underlying vulnerabilities that the malicious apps took advantage of, Cluley said.

The apps exploited known vulnerabilities, which have been fixed in Android 2.2.2 (Froyo) and higher, Google said. Those running older Android versions, such as 1.5 (Cupcake), 1.6 (Donut) and 2.0/2.1 (Éclair), may still be vulnerable to similar attacks, Cluley said.

“It is up to individual carriers and smartphone vendors to make sure that the patch is rolled out to users running older versions of Android,” he said. “There are so many devices running so many different flavors of Android, ensuring that all of them are kept up-to-date with security patches becomes a very serious problem.”

Google said it is working with its partners to provide a fix for the underlying security flaws. In the meantime, the company has suspended the developer accounts of those who posted the malicious apps and is in contact with law enforcement.

The search giant is also adding unspecified safeguards to prevent other malicious apps from being distributed in the Android Market.

Google said it believes the attackers were only able to gather certain device-specific information, including IMEI/IMSI numbers (unique codes that are used to identify mobile devices) and the version of Android running on the device.

“[But] given the nature of the exploits, the attacker(s) could access other data, which is why we've taken a number of steps to protect those who downloaded a malicious application,” Google's Cannings wrote.
