Forgot your password?
typodupeerror
Android Security

30+ Infected Apps Pulled From Android Market 91

Posted by samzenpus
from the one-bad-app-spoiling-the-barrel dept.
Trailrunner7 writes "Researchers have identified a second large batch of apps in the Android Market that have been infected with the DroidDream malware, estimating that upwards of 30,000 users have downloaded at least one of the more than 30 infected apps. Google has removed the apps from the market. There are at least 34 applications that researchers have found in the Android Market in the last few days that had a version of the DroidDream malware dropped into them. Once a user installs one of the infected applications, the malicious component, which researchers have dubbed DroidDream Light, will kick in once the user receives an incoming call. The malware then gathers some identifying information from the phone, including its IMEI number, IMSI number, packages installed and other data, and then sends it off to a pre-configured remote server."
This discussion has been archived. No new comments can be posted.

30+ Infected Apps Pulled From Android Market

Comments Filter:
  • Which ones? (Score:5, Informative)

    by blair1q (305137) on Wednesday June 01, 2011 @02:25PM (#36311466) Journal

    Again, no list in TFA.

    You have to dig through it to another article that links to a source article with a list:

    http://blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/ [mylookout.com]

    And that list is over two months old.

    Which means this story's hardly viral. More like fungal.

    • Re:Which ones? (Score:5, Informative)

      by putch (469506) on Wednesday June 01, 2011 @02:28PM (#36311530) Homepage

      It certainly wasn't prominent but there is a current list available here: http://blog.mylookout.com/2011/05/security-alert-droiddreamlight-new-malware-from-the-developers-of-droiddream/ [mylookout.com]

    • Re:Which ones? (Score:5, Insightful)

      by Kamiza Ikioi (893310) on Wednesday June 01, 2011 @02:48PM (#36311750) Homepage

      Look at where that link leads... Lookout anti-virus software for Android. People's entire lives live on these phones. Why would people not protect it?

      I find it sad that so many "power" users scoffed at anti-virus/anti-malware for their phones. Waste of space and resources they said. I run Lookout, which does more than just anti-virus. It scans new files I download, then goes away quietly to the background, backs up files, etc. I also run a firewall and adblock software (rooted). I conduct private, work, and finances on my phone. People that do that need to get out of their dreamworld that their phone is hacker proof, regardless of who makes it or what OS it runs. Even if they are behind a walled garden or you never download from unknown publishers, they all run browsers and all browsers can be exploited.

      The more powerful phones get, the more they will be targeted. I'm surprised major zombie trojans haven't infected more phones yet. Millions of cheap cpu's for a botnet is a very tempting target, and as they can frequently jump on different wifi and cellular networks, with changing hosts and IPs, They would be hard to block for spam. They would also make for one heck of a DDOS weapon. And with storage ever increasing, they could be hijacked for file sharing.

      • I run lookout too, and it's already saved me a few hundred dollars by nicely telling me exactly where in the nature preserve the damn phone had fallen off of my belt, and then setting off a siren when I got close so that I could find it under the plants. If only for that reason, it's a worthwhile app to have around.

        Of course, looking at that list, who the hell sees an app like "sexy japanese" or "sex sounds" and doesn't assume there's probably malware of some sort in there?

        • by _4rp4n3t (1617415)
          Can I just ask of you, and Parent, if you see any significant impact on performance running Lookout please?
          • No. The phone was slightly slow before I installed it, and it's slightly slow now. But it's an original Droid, and I tend to run more crap on it than it's capable of running comfortably, so that's to be expected. Lookout caused no noticeable performance issues.

          • by Stone2065 (717387)

            I've been running it for almost 2 weeks, and on my Optimus T, it's just fine. No noticible issues, other than the few seconds it takes to scan literally EVERY download I do.

          • by _4rp4n3t (1617415)
            Thanks folks
      • by zero0ne (1309517)

        I would say the bot masters would have more fun using these as their stepping stones to contact their command and control servers. As long as you are only sending simple command line driven instructions, you could hop through tens or hundreds of phones all using a mix of wifi / 3g. The chances of finding where it started from would be nil.

      • Re:Which ones? (Score:4, Interesting)

        by mlts (1038732) * on Wednesday June 01, 2011 @03:49PM (#36312460)

        Heck with antivirus/antimalware software. That way of thinking means we end up with the arms race that the blackhats will win every time, and our CPU, RAM, and disk I/O will be collateral damage, just like it is in the Windows ecosystem. If we had to have standard AV software, phone makers would have to double the RAM and add an additional core just to handle the continual I/O of a scanning utility.

        In reality, you want to go to a genetic HIPS (host-based intrusion protection system) type of architecture that will stop attacks because of the method used, as opposed to definite file signatures. File signatures means you have this dandy database which means jack squat because the 0-days change a couple bytes each version. For example, if malware uses a series of phone numbers, one blacklists that list instead of each executable hash, as there are far fewer phone numbers than changes to executables possible. Why is a HIPS based system better than real time signatures? HIPS systems only fire off when an action is done, and not having to be actively running.

        Even better would be to borrow from the Blackberry model, and if an app is about to use a service that is going to charge, prompt the user who/what/when/where/why/how/how much they will be billed for, and allow them to say "yes, don't bother me again", "yes", "no", or "hell no, this app can never do this".

        • Even better would be to borrow from the Blackberry model, and if an app is about to use a service that is going to charge, prompt the user who/what/when/where/why/how/how much they will be billed for, and allow them to say "yes, don't bother me again", "yes", "no", or "hell no, this app can never do this".

          I would go further: any app that attempts outbound connections should result in a prompt indicating the app, the server its trying to connect to and the protocol info, ala ZoneAlarm on Windows or LittleSn

          • by DI4BL0S (1399393)
            There is something like Social Engineering? The link would simply be update.myfancyapname03.ru It would still catch out plenty of people i'm sure.
            • True, but if you had an "Ask Google to help you choose" on that prompt which would go to Google security analysis page which would then do lookups and run through Google maintained databases to identify the host and give the user advice as to what to do, this would be negated quite easily.

              This would allow the user to choose if he wants more security (Google's advice) at the expense of Google knowing where he connects, or to let him/her make their own decisions.

      • by GooberToo (74388)

        The problem with lookout is that is has every red flag permission under the sun. How many viruses do you think are in your contacts list?

        Extremely caution should be used when any application requires read contacts and internet access. How sure are you, you didn't just give away the bank? You can see for yourself. [android.com] Lookout requires the following list of permissions.

        Your accounts
        manage the accounts list
        Allows an application

        • I was thinking the exact same thing.

          This is depressing as hell. Behind the kind of scummy developers that have us even worrying about this kind of garbage (not even the malware, the data leaking) and now that the OS isn't quiet "open" anymore, Android's losing it's shine pretty damn quickly. It's the best competition that Apple could have hoped for, FFS.

          Don't get me wrong. I loathe Apple on about every level from principle to practical, but god damn... My "smart" phone is all but useless because this scumwa

          • by DI4BL0S (1399393)
            Malware will always go where to biggest market share is... Apple won't be safe from it, antho I think (unsure) they have a much stricter app approval process?
            • I don't mean the malware. I mean the data-scraping scumminess that is apparently built right into the API.

              The tin-foil cynic part of me wonders if this isn't the biggest part of the reason they're holding back honeycomb. Not so much because of claims of "quality of experience" (taking pages from Apple's playbook there, Google?), but because with all the press this garbage is getting lately, some enterprising group of modders might actually try to interfere with it (a la Cyanogen's sadly aborted spoofing mod

      • by bonch (38532) *

        I think most people scoff at antivirus software for a mobile OS because one of the advantages of getting away from the desktop PC was supposed to be the avoidance of malware. Stories like this help justify Apple's approach to quality control.

    • What I don't get is why no-one writes the package names of the malicious apps.

      Application names are generally useless on Android since they can be duplicated freely (and there are legit apps with those names).
      On the other hand, package names are unique in the Market.

      Anyway, the list of the apps with the package names from the **previous** outbreak can be found here: http://globalthreatcenter.com/?p=2091 [globalthreatcenter.com]

      Also, a question: does the kill switch affect devices which don't have the market installed?

  • List of Apps (Score:5, Informative)

    by Some guy named Chris (9720) on Wednesday June 01, 2011 @02:26PM (#36311486) Journal
  • Can't wait for the day when such actions aren't news.
    • by h4rr4r (612664)

      You mean when they are so common no one even notices when a new one comes out? Like with windows malware?

      • by vinayg18 (1641855)
        Umm, no, that would be the worst case scenario, wouldn't it? Every time there's a round of media coverage about Google zapping apps on the Android Market, I get the feeling that it's an attempt to condemn the security model of the Android OS, when the actual problem is the users' lack of discretion in installing junk!
        • by h4rr4r (612664)

          I just mean that this will always happen, and I prefer it be newsworthy rather than something too common to report on.

        • According to the article (and its links), the programs root the phone and bypass the application sandbox, so while there is some user culpability here, it is also a mark on the Android OS security model.

          • by symbolset (646467) *
            What a program can do, a program can do. We want rootable phones. As AC said above, with freedom comes responsibility.
        • by tlhIngan (30335)

          Umm, no, that would be the worst case scenario, wouldn't it? Every time there's a round of media coverage about Google zapping apps on the Android Market, I get the feeling that it's an attempt to condemn the security model of the Android OS, when the actual problem is the users' lack of discretion in installing junk!

          That's because the Android security model does fail in that attempt. It's ignoring the obvious security flaw - that if a user is confronted with a choice between security and dancing pigs, danc [wikipedia.org]

          • by DJRumpy (1345787)

            I have to agree here. Although Apple has it's drawbacks in the approach they take, it is most effective for a large majority of folks who don't need 'freedom' and most likely don't even realize they don't have it. I think this would be a good opportunity for Google to step up and put a gardner in the garden to watch for 'weeds'.

            If there is something that Google can do to moderate or limit this type of damage (before the fact, not after), then they should be encouraged to do so. It is not the users fault tha

          • by Stone2065 (717387)

            I'm half tempted... well, a quarter tempted anyhow, to just get a dumb phone and get a smaller tablet for apps, one that either doesn't have 3/4G, or at least has easily configured Wi-Fi so it won't just kick its self on because of proximity or some such. I like having all my apps on my Android, but I don't want the damn thing to be part of a bot farm at some point. I know I said I'm running Lookout, but no telling if that's going to be all I NEED to run. If I have to lock down my phone to the level of my "

        • by node 3 (115640)

          the actual problem is the users' lack of discretion in installing junk!

          How, exactly, are people supposed to know what's malware and what's not?

          I get the feeling that it's an attempt to condemn the security model of the Android OS

          That's exactly what it does, whether it's an actual attempt or not. Google's security model is awful. This is by deliberate design. If Google (and fandroids) want to beat Apple over the head for having a closed App Store, you also have to take the good with the bad.

          There's another system, one with significantly more apps and with a larger user base, which does not have this problem. If that doesn't illustrate the difference in security

  • The issue deserves concern, but 30,000 Android users seems like a very small number to me.
    • The issue deserves concern, but 30,000 Android users seems like a very small number to me.

      Try using a larger fontsize.

  • I know its off topic slightly but i got a call from a number ....or even text messages with a link to call this number...
    on my iphone, i imagine they are making some malware for iphones too, or is that just wishful thinking on the part of parties involved calling me
    to get me to click on a link...anyone know or have useful links on the iphone for this too???
    greatly appreciated

    • by tlhIngan (30335)

      I know its off topic slightly but i got a call from a number ....or even text messages with a link to call this number...
      on my iphone, i imagine they are making some malware for iphones too, or is that just wishful thinking on the part of parties involved calling me
      to get me to click on a link...anyone know or have useful links on the iphone for this too???
      greatly appreciated

      I think it's less malware for iPhone, and more either a spammer/telemarketer got your number or one of your friends may have gotten in

      • by tlhIngan (30335)

        Addendum. I meant your friends got infected.

        Also, have you jailbroke your iPhone? If so, it's possible you've been infected that way, especially if you've installed OpenSSH and didn't change the password. Or if you've installed "free" paid Cydia apps. Jailbreak only apps have full access to the system.

  • Android is /free/, man!

  • The apps were not "Infected" by the droid dream malware -- This would mean that malware was wandering around, infiltrating developer machines and the Marketplace itself... No. Instead, said malware payload was purposefully introduced to innocuous looking apps -- similar to the gift of a poison apple, or a Statuesque Wooden Horse Gift.

    Hint: Legit app with "malware dropped into them." describes a malware infection about as well as Stigmata describes the actions of a depressed wrist slitter.

    Apparently, the sex-censors have illegalized the word: Trojans. Either that, or the submitter is a moron.

  • Hmmm......walled garden, eh....(scratches chin thoughfully).....
  • The malware only activates when you receive one of these "phone call" things - and when was the last time you received one of those?
  • Despise other comments to this post claiming that these apps had the malicious payload intentionally included, I can't find anything confirming that's the case. Are we sure it's not a matter for developer keys (or even the Google Marketplace or phone OS) getting compromised? Anyone see that info anywhere

    • by idontgno (624372)

      F-Secure's analysis: [f-secure.com]

      This application was originally harmless. However, a malicious developer called "Magic Photo Studio" downloaded the original application, modified it and re-uploaded it to Android Market.

      In other words, the malware perps grab legit apps from the market, trojanize them, and re-upload to the market under their own throwaway "legitimate" developer identity. So (A) if you search for a particular kind of app, you will see the original clean app alongside the trojanized one, and perhaps choo

  • and then sends it off to a pre-configured remote server

    So is the physical location of this server know? Because if it is, then whopass and wedgies may be delivered directly.

  • Without having to resort to reviewing third party code like Apple does, I see one possible way in which Google could solve this problem without dedicating too many people to it. My solution is this:

    By default, a developer account on the Market is "unverified" - when people try to install apps from an unverified account, they receive a huge, scary warning that states that this application could contain malware, please make sure you trust the author, etc.

    To become "verified", a developer must contact Google p

    • by S3D (745318)

      To become "verified", a developer must contact Google personally and verify their identity, including full contact details (phone number, address, etc.)

      Wouldn't work. Symbian OS tried that and failed so horribly that it's failure toppled Nokia. Hobby/part time/small developers wouldn't get certificate, so there will be a lot of legitimate but not "verified" apps. From the other hand scammers&spammers (who have some real money) will not have problem to register empty shell company in Russia/Azerbajan/**stan/India etc using some homeless person ID and get certificate.

    • by symbolset (646467) *

      You're on to something here. In the trades they have bonding. The tradesman posts a reasonable bond held by a neutral third party which in the event of negligence or poor work is forfeit to the extent of damages. Say, $10,000 bond gives up to $1000 to the first users to claim damage from being compromised by included malware. A bond agent reduces the upfront cost of this by investigating the tradesman and putting up his own money, for a reasonable fee. Profit motive keeps people checking apps. Interes

  • Why waste your time with the market, go after the owner of the server.

  • Just install that, and anything that attempts to go to the net, request IMEI numbers or anything else, it pops up and asks permission. It's funny/scary to watch how many programs that have absolutely nothing to do with anything, request to send contact info, gps info, tower info and IMEI info.

I'm all for computer dating, but I wouldn't want one to marry my sister.

Working...