Earlier in the week, a Redditor uncovered a large network of malwares masquerading as popular apps in the Android Market, when he stumbled upon one of the apps and noticed its incorrect publisher info. Android Police has a lowdown on the incident, which once again demonstrated how easy it is to infiltrate the Android Market. The fake apps, once downloaded, proceeded to root the phone using the famous “rageagainstthecage” exploit, and called home. It also had the potential to download additional payloads.
For its part, Google reacted swiftly, and pulled the apps minutes after being notified by Android Police. However, according to information provided by “lompolo”, the Redditor who uncovered this entire mess, some of the app developers were already aware of this for as long as a week, but their complaints fell on deaf ears. The apps injected with malware, which were dubbed as DroidDream by Lookout, only affected handsets running versions older than Android 2.2.2. Google found DroidDream in 58 applications, which were downloaded onto 260,000 devices.
Google believes that the apps only uploaded device information (IMEI/IMSI, unique codes which are used to identify mobile devices, and the version of Android running on your device), and not user-data. After pulling the apps, and performing its initial investigation, Google is now moving to rectify the damage caused. It is in the process of removing the apps from all handsets by employing the remote kill-switch built into Android. It is also pushing through a new update called “Android Market Security Tool March 2011” to affected devices. This update will undo the changes made by DroidDream. If you were among the affected users, expect an email from Google soon.
This entire saga raises several questions. Obviously, as Android’s popularity continues to surge, more and more hackers and malware writers will target it. Unfortunately, it’s clear that Google is simply in no position to mitigate these attacks before they occur. The “openness” of the Market is becoming Android’s biggest security weakness. Although most Android users have nothing but disdain for any app review system, I would welcome a change in the Market policy, whereby all submitted apps are screened for signs of malicious or fraudulent activities. Google might also need to give a serious thought to how it deploys security updates. Apple and Microsoft have full control over deploying critical system updates, unlike Google, which is at the mercy of handset manufacturers and carriers. Although the bug that was exploited by DroidDream was fixed in Android 2.2.2, hundreds of thousands of handsets were successfully compromised because Android 2.2.2 isn’t yet available for a substantial number of handsets. Unless Google can reign in the fragmentation problem, it might have to start deploying hotfixes for different versions of Android to patch critical security vulnerabilities, i.e. employ a Windows like model of distributing patches to different OS versions. What is your take on this issue? Chime in by dropping a comment here or in our Facebook page.