Androids Dream of Electric Malware, Wake Up in Cold Sweat
Google has had to pull Android out of another malware nightmare. A variation on the so-called DroidDream malware that appeared weeks ago sprang up again within dozens of apps in the Android Market, which Google has now yanked off the shelves. The incident has led to more questions about whether Google should -- or can -- change its vetting process for Android Market apps.
06/03/11 5:00 AM PT
Google has reportedly pulled several Android mobile applications that were lousy with malware from its official Android Market.
This follows a report earlier this week from Lookout Mobile Security, which claimed it found dozens of apps in the market that contained malicious code.
The suspect apps appear to be from the same developers who created DroidDream, the malware that hit Google in early March and was also discovered by Lookout.
However, the new malware payload appears to be a stripped-down version of DroidDream, which Lookout has christened "DroidDream Light."
The latest malware attack has claimed between 30,000 and 120,000 victims, the mobile security firm estimates.
As in the first incident, the list of infected applications in this latest attack includes apps with sexy names such as "HOT Girl 4" and "Sex Sound: Japanese," as well as seemingly useful apps such as "System Monitor," "System Info Manager," "Quick Uninstaller," "Brightness Settings" and "Volume Manager."
"The Android Market allows developers to upload apps without first running them through an established screening process like those you might find at Apple's App Store or when using RIM's applications for BlackBerry," Fred Touchette, senior security analyst at AppRiver, told LinuxInsider.
"We do test apps, which Google doesn't, and that's one of the benefits of shopping at our Android app store," Anya Waring, spokesperson for Amazon Electronics, pointed out.
Google did not respond to requests for comment by press time.
How DroidDream Light Works
The malicious components of DroidDream Light (DDLight) don't need the victim to launch them; they can spring into action when, for example, there's an incoming call.
Once a call comes in, the broadcast receiver launches the "lightdd.CoreService" package. This will contact remote servers and send out information about the device to those servers, Lookout said.
DDLight apparently can also download new packages and prompt the user to install them. However, unlike its predecessor, DroidDream, it requires the user's involvement for the installation, Lookout said.
The Never-Ending Droid Nightmare
This latest attack is the second on the Android Market since March.
The earlier attack, which launched the original DroidDream malware, forced Google to remove about 50 tainted apps from the market.
Android smartphone users should expect more attacks. McAfee's Q1 threat report warned that Symbian and Android are the most popular environments for mobile malware, and that attacks against mobile devices are growing.
Protect Yourself at All Times
Users should first prevent the installation of applications without their knowledge, Stephen Gates, director of field engineering at Top Layer, told LinuxInsider.
They can do this by unchecking the "Unknown Sources" field in the "Settings/Applications" menu, Gates said.
Users should also always check the reviews associated with apps they download, whether these are paid or free apps, Gates suggested.
When a user installs an app, Android will indicate the permissions the app wants to access. If any of them seem questionable, don't download the app, Gates stated.
Users whose devices are infected should download an antivirus application such as Lookout and ensure it remains updated, Gates said.
Android device users should also not access any password-protected site when they are connected to an unsecured WiFi hotspot, AppRiver's Touchette suggested.
In addition, when users get an SMS or a voicemail message that seems to have been sent by their bank or another such institution, they should call the organization directly to confirm whether it had tried to contact them instead of responding directly, Touchette said.
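The two pieces of technical detail in this article are the DDLight trigger mechanism described under "How DroidDream Light Works" (a broadcast receiver that wakes on an incoming call and starts the "lightdd.CoreService" service, which then ships device information to remote servers) and Gates's advice above to look hard at the permissions an app requests before installing it. The following script is an added example, not code from the article, Lookout or Google: it reviews an Android manifest for those signals. The manifests it inspects are constructed for the example; the "lightdd.CoreService" name is the one the article reports, while the assumption that the call trigger is the standard android.intent.action.PHONE_STATE broadcast, and the choice of READ_PHONE_STATE plus INTERNET as the permission pair to flag, are the example's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


# Indicator from the article: the service name Lookout reported for DDLight.
KNOWN_BAD_SERVICES = {"lightdd.CoreService"}
# Assumption: "springs into action on an incoming call" corresponds to a
# receiver registered for the standard PHONE_STATE broadcast.
CALL_ACTIONS = {"android.intent.action.PHONE_STATE"}
# Assumption: a utility app that can both read phone identity and reach the
# network has what it needs to send device information off the handset.
# Not proof of malice on its own, but worth a look before installing.
EXFIL_PERMISSIONS = {"android.permission.READ_PHONE_STATE",
                     "android.permission.INTERNET"}


def review_manifest(manifest_xml):
    """Return a list of (severity, message) findings for one manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    # 1. A service name that matches the published DDLight indicator.
    for svc in app.findall("service"):
        name = attr(svc, "name") or ""
        if name in KNOWN_BAD_SERVICES:
            findings.append(("high", "known DDLight service: %s" % name))
    # 2. A receiver that runs on call events without the user opening the app.
    for rcv in app.findall("receiver"):
        actions = {attr(a, "name") for f in rcv.findall("intent-filter")
                   for a in f.findall("action")}
        if actions & CALL_ACTIONS:
            findings.append(("medium", "receiver %s triggers on incoming call"
                             % attr(rcv, "name")))
    # 3. The permission pair that enables exfiltration of device details.
    perms = {attr(p, "name") for p in root.findall("uses-permission")}
    if EXFIL_PERMISSIONS <= perms:
        findings.append(("low", "reads phone state and has network access"))
    return findings


# Constructed manifest modelled on the article's description of a trojanised
# "Brightness Settings" app (the package and receiver names are invented).
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.brightness">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Brightness Settings">
    <activity android:name=".MainActivity"/>
    <receiver android:name="com.example.CallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
    </receiver>
    <service android:name="lightdd.CoreService"/>
  </application>
</manifest>
"""

# Constructed manifest for a harmless flashlight app: no receivers, no
# services, no permissions beyond what it draws on screen.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label)
        for severity, message in review_manifest(xml) or [("info", "no findings")]:
            print("  [%s] %s" % (severity, message))
```

The three checks are deliberately graded. A service name is a specific indicator and is treated as high; a call-triggered receiver is a behaviour many legitimate apps share (call blockers, dialers), so it only counts as medium; the permission pair is the kind of mismatch Gates suggests users look for (a brightness tool has no reason to read phone identity), and is reported as low so a reviewer weighs it against what the app claims to do rather than rejecting on it alone.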
Steps Google Might Take
Google might be able to protect users better if it followed Amazon's lead and checked applications before letting them be published to the Android Market.
Amazon tests every app submitted to its Android app store for malware and functionality, and it usually turns around the apps within a week, company spokesperson Waring said.
"Google could do a better job of vetting applications prior to allowing them to be posted to the market," Top Layer's Gates agreed.
However, there are "thousands upon thousands of applications available on the market, and to be honest, is it really Google's job anyway?" Gates asked.
The cost of pre-vetting could be "astronomical," and Google would have to charge either the app developer or the customer, Gates said. The process for vetting every Android app submitted to Google would also be "extremely complex," he added.
By the end of April, the Google Android Market had nearly 300,000 apps, and this number is expected to increase to 425,000 by the end of August, according to Research 2 Guidance.
Amazon Electronics, on the other hand, has about 11,000 Android apps, spokesperson Waring said.
"My suggestion for Google is to force the application writers to perform the due diligence themselves," Gates said.