Google Finally Uses Remote Kill Switch On Malware

Hugh Pickens writes writes "The Google Mobile Team has announced that in addition to removing the 21 malicious applications from Android Market that were downloaded 50,000 times, suspending the associated developer accounts, and contacting law enforcement about the attacks, they are remotely removing the malicious applications from affected devices. 'We are pushing an Android Market security update to all affected devices that undoes the exploits to prevent the attacker(s) from accessing any more information from affected devices,' wrote the team on their blog. 'For affected devices, we believe that the only information the attacker(s) were able to gather was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices, and the version of Android running on your device).' Google's actions come after numerous complaints in tech publications. "Does Google really want its Android Market to gain the reputation of being a cesspool of malware? 'Certainly not,' wrote Nicholas Deleon in TechCrunch. 'But then part of the allure of the Android Market is that it's open; you don't have to play by Google's rules, per se, to get on there like you do with Apple's App Store.'"

Android security

[Anonymous Coward]

Is this the way Android security will be handled (after-the-fact cleanup via the marketplace)? It just seems to me that since the manufacturers don't seem to be too keen on supporting their handsets for longer than it takes them to get the next model out the door, and since the service providers like to sit on updates or block them altogether the actual vulnerabilities are unlikely to be fixed.

I was stupid enough myself to buy a Sony-Ericsson Android device only for them to basically drop it a month later, so presumably it will always be vulnerable to the holes used by this round of malware?

Re:GJ GOOGLE

[Rosyna]

Good job again google. That's why you're on top.

So it's a good thing that Google can, has, and will continue to remote remove (remote kill) applications downloaded onto phones.

Apple has removed apps from their store, but never from the phone itself once the app has been downloaded.

Comment removed

[account_deleted]

Comment removed based on user account deletion

within minutes?

[Bram Stolk]

Google:
Within minutes of becoming aware, we identified and removed the malicious applications.

But from the comments in the blog post, we can read that:
This is where the problem is. You became aware because someone had a contact inside Google who alerted to right people.
According to one of the developers of the hijacked applications, he had tried for almost a week to get in contact with someone through the normal channels to correct the situation.
I am sorry if I sounds harsh, but Google are a master of data processing, and surely you should be able to pick up a distress call from a developer within hours instead of a week.

Re:Way to go!

[thetoadwarrior]

Well yes you're right. Control is needed to try and attempt to keep quality high both in content and coding and to help keep security high.

Mobiles are different from desktops and I think resorting to virus scanning on mobiles would be awful. While Apple's approach is by no means perfect it is actually looking like the best solution. I just don't bother with the app market for my Android. There is a lot of shit in the market to sift through and while being concerned with how many apps ask for all sorts of permissions we're now finding out that actually a lot of bad stuff is getting through and not being found straight away.

I do think my next phone will be an iPhone. The games are definitely better and until Google proves to at least be more proactive on filtering out the rubbish then I just can't trust the apps and what is the point of a smart phone without apps?

If Google can tell me what the app needs access too then surely there is some way they could come up with a system that flags apps ask having questionable requirements and requiring someone at Google to personally review it before it makes it onto the market.

When you want people to tie all their personal information and even payment methods (ie Google Checkout) to a device it needs to have some sort of security. It is not good enough to kill it after it's been downloaded a quater of a million times. Alternatively they can come up with some sort of mobile virus / malware scanner and risk complaints about battery life and performance.

Re:GJ GOOGLE

[Flytrap]

FTA: "The applications took advantage of known vulnerabilities which don’t affect Android versions 2.2.2 or higher..."

So if a malware writer takes advantage of a vulnerability in an old or unpatched instance of Windows its Microsoft's fault... but if they take advantage of an exploit in Android its not Google's fault.

This logic does not compute.

Re:GJ GOOGLE

[Deathlizard]

Except that it's unlikely that this will totally clean the problem.

This Exploit Rooted phones. That means Google lost control of the phone the second the user installed and run the malicious app. They could remove all of the malicious apps all day long but all that does is remove the Trojan Horse that dropped the rootkit.

As for the removal tool Google is planning to send. If the virus programmers have any sort of brain the first thing they're going to do is block the removal tool from removing the rootkit by sending a patch to the rootkit. It wouldn't surprise me if the rootkit doesn't phone home soon and download something to either spoof that the rootkit was removed or block the rootkit remover altogether and disable apps (either from Google or a third party) designed to remove the exploit. Google giving them a heads up through the blog post that they got 72 hours to code such a patch just made the virus writers job even easier.

Now I'm not saying that Google is handling this totally incorrectly. If I was Google, I would have taken many of the steps that they are currently doing, except I would not publicly lay out the plan until after it was executed. I know it would give Google Bad PR by sending apps without user knowledge, but it would have minimized a counterattack time frame from the virus writers and would have been the safer option overall. I just hope that Google has another strategy if this one fails, such as carrier involvement to recover and possibly disable remaining infected phones until it can be cleaned by a carrier tech.

The min specs might be cost prohibitive

[tepples]

Then why has Google required GPS even to be able to download applications that do not use the GPS, a compass even to be able to download applications that do not use a compass, telephony even to be able to download applications that do not use telephony, etc.? Can you recommend a product that A. runs Android, B. costs $200 to $300 like an iPod touch without a telephone service commitment, C. meets the min specs for access to the platform's largest app market, and D. is sold in the United States, which is my home country and Slashdot's? Unlocked phones tended to fail B last time I checked, Archos 43 fails C, and Samsung Galaxy Player failed D last time I checked.

Re:Is Android free software? If so, no hypocrisy.

[Keen Anthony]

I bought my 16GB iphone for about $189 at my Apple Store. I renewed my 2-yr contract with Verizon and got an additional discount which I assume was for customer loyalty. Hopefully, you have an option like that available to you. I initially bought a Droid X full price. I don't think the iPhone is that much more expensive than full retail price I paid for my Droid.

The one thing I do love about Android phones is that I can write my own app and put it onto my phone. I need only checkmark a setting that lets me load non-market apps at my own risk. I don't have that ability with iPhone. I'm still waiting to get listed as an iPhone dev, but once that happens I believe it will mean I can live test my own homegrown apps on iPhone after (at least if my reading of Apple's terms is correct).

I believe we're giving undue credit to Android for being open. Android itself is open and free. But from what I've seen on the various HTC and Motorola Androids I've bought in the last year, each vendor's specific Android is not that open. Is Moto's Blur not proprietary? What about HTC's Sense UI? I've been told countless times to stop supporting Motorola because Motorola locks down their phones, thus taking away from that openness that is Android. Is it all a lie? People are telling me to buy HTC because they play well with modders.

I wasn't able to install all I wanted on my Droid. I was told I needed to root the phone. I had to wait until someone found a way to, and then risk following the steps. So, if at the end of the day, I'm still forced to root rather than jailbreak, how exactly am I realizing the difference between free and proprietary software? I haven't jailbroken my iPhone yet. I likely won't until I decide I absolutely need to have a bluetooth file transfer (something iPhone lacks), but until I do, I can at least enjoy an app market that is better for my needs.

Re:Slashdot hypocrites..

[rjstanford]

Then why not send everyone a message saying, "Hey, you chose to install this app, and that's cool and all, but its doing bad things, would you like to remove it? [Yes] [No]" That would be completely reasonable and in full keeping with their advertised goals. The fact is that either platform allows someone else to decide (at their total discretion) that you don't need an app you've chosen to install, and lets them remove it without your consent.

Yay openness.