Android Market's Malware Flood Level Rises With Plankton Surge
The Android Market's malware woes continue with a new wave of malicious software that uses an exploit researcher Xuxian Jiang dubs "Plankton." Google has once again removed the apps in question and has reiterated its promise to ban developers who break its rules. Some security experts have questioned whether Google's stance should be more proactive.
06/14/11 5:00 AM PT
Yet another Android malware package has been publicized just two weeks after the last one, dubbed "DroidDream Light," was disclosed.
This latest malware, named "Plankton" by Xuxian Jiang, an assistant professor in North Carolina State University's computer science department, exploits Dalvik, Android's process virtual machine, Jiang wrote.
That allowed it remain undetected by traditional antivirus software packages for mobile OSes for more than two months, he stated.
Jiang notified Google June 5 about 10 infected apps in the Android Market, and these apps were immediately suspended pending investigation, he said.
"We're aware of and have suspended a number of suspicious applications from Android Market," Google spokesperson Randall Sarafa told LinuxInsider.
"We remove apps and developer accounts that violate our policies," he added.
Jiang did not respond to requests for comment by press time.
How Plankton Bugs the Google Whale
Plankton is the first malware Jiang's team knows of that exploits the Dalvik class loading capacity to remain hidden and dynamically extend its own functionality, the researcher said.
Dalvik is an integral part of the OS. Android apps are converted into the Dalvik Executable format before execution.
Apps are infected with Plankton by adding a background service, Jiang wrote.
This service is brought up when the app is run. It collects information, including the device ID and the list of permissions granted to the infected app, then transmits them to a remote server through an HTTP POST message.
The server will return a URL for Plankton to download. This points to a JAR (Java Archive) file containing executable Dalvik bytecode.
JAR files are used to distribute Java applications or libraries in the form of Java class files, associated metadata and resources such as text and images.
Once the JAR file's downloaded, it will be dynamically loaded into the system, Jiang wrote. This allows it to evade static analysis -- which is what most antivirus software packages do, thus making it hard to detect.
Jiang's team found that there are two versions of the JAR payload in Plankton.
These only support some basic bot-related commands that can be invoked remotely, but they don't provide root exploits, Jiang wrote.
The commands can do various things. These include collecting the bookmark information on the infected device, installing or removing home screen shortcuts, stealing browser history information and collecting runtime log information.
Another function can collect users' accounts if invoked. This, combined with the capability of dynamically loading a new payload, can let hackers steal users' accounts or launch root exploits, Jiang wrote.
Coping With the Vermin
Symantec has warned that Android is one of the major targets for hackers, and the Android Market's rate of growth is reportedly outstripping that of the iTunes App Store.
However, Google so far has only suspended infected apps, then removed them. It's also possibly taken action against the writers of these apps.
That doesn't sit well with some security experts.
Google "have to respect the aquatic nature of their environment and must maintain a proper PH before it becomes hazardous to the consumer," Tom Kellerman, chief technology officer at AirPatrol, told LinuxInsider.
"The open nature of online app markets allows hackers to easily hide malware and phishing exploits within apps for global distribution," Alicia DiVittorio, a spokesperson for Lookout Mobile Security, told LinuxInsider. Millions of consumers have already been victimized by Android malware, she added.
Things are going to get worse for the Android Market because of its rapid growth, Stephen Gates, director of field engineering at Top Layer, pointed out.
"Since the Android Market is exploding, and today you can even buy a TV that runs Android software, it just makes sense to go after this market with gusto," Gates told LinuxInsider.
He suggests Google should perhaps force app developers to perform due diligence themselves, or pay to have a third party vet their apps and then divide the Android market up into "Pre-Scanned Apps" and "You're On Your Own" apps.
"Give the consumers the choice as to whether to download pre-scanned apps or not," Gates said.