Google Removes Malware Apps From Android Market

Twenty-six applications containing DroidDreamLight were deleted from the Android Market, and Google suspended six developer accounts for hosting apps with the malware.

Mathew J. Schwartz, Contributor

June 1, 2011


Google this week removed a swath of applications from the official Android Market that were found to contain malware known as "DroidDream Light," which is designed to compromise people's data. As part of that effort, Google also apparently suspended six developer accounts--BeeGoo, DroidPlus, E.T. Tean, GluMobi, Magic Photo Studio, and Mango Studio--that had hosted applications containing the malware.

All told, 26 applications were found to contain DroidDream Lite, which is a stripped-down version of DroidDream. An estimated 30,000 to 120,000 users had downloaded the applications infected with DroidDream Lite. Tim Wyatt, principal engineer at security firm Lookout, said in a blog post that the malware was "likely created by the same developers who brought DroidDream to market back in March."

Lookout found the malware-laden applications "thanks to a tip from a developer who notified us that modified versions of his app and another developer's app were being distributed in the Android Market," said Wyatt. "Our security team confirmed that there was malicious code grafted into these apps and identified markers associating this code with previously analyzed DroidDream samples." Lookout then identified a further 24 infected applications and contacted Google, which rapidly removed the applications.

"We've suspended a number of suspicious applications from Android Market and are continuing to investigate them," a Google spokesperson said in an email on Wednesday. But Google declined to comment on how many people might have been affected, or whether it would use its Android kill switch to remotely purge the infected apps from users' smartphones.

DroidDream Lite is dangerous because it can work without users launching the program in which it's hidden. According to a Juniper Networks blog post, "the malicious code is invoked upon receipt of a phone call, which kicks off the gathering and transmitting of the device's IMEI number, IMSI number, a list of installed applications, the device model, and the SDK version to a third party server." The International Mobile Equipment Identity (IMEI) is a number--typically unique--that's used to identify a mobile device, while the International Mobile Subscriber Identity (IMSI) is a unique number used to identify a subscriber.
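For a developer checking whether a copy of their app has had code grafted in, the following added example (not from this article, Lookout, or Juniper) diffs the decoded manifest of an original build against a suspect copy and flags new receivers that fire on phone calls. It assumes the call trigger is a manifest-declared broadcast receiver for `android.intent.action.PHONE_STATE` and that both manifests are already decoded to text XML; the package and component names are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # namespace of android:* attributes
CALL_ACTION = "android.intent.action.PHONE_STATE"    # broadcast on call-state change

def summarize(xml_text):
    """Permissions and components (with their intent actions) in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    comps = {}
    for tag in ("receiver", "service", "activity"):
        for el in root.iter(tag):
            comps[(tag, el.get(A + "name"))] = {a.get(A + "name") for a in el.iter("action")}
    return perms, comps

def diff_repackaged(original_xml, suspect_xml):
    """What the suspect copy adds over the developer's original build."""
    o_perms, o_comps = summarize(original_xml)
    s_perms, s_comps = summarize(suspect_xml)
    added = {k: v for k, v in s_comps.items() if k not in o_comps}
    return {
        "added_permissions": sorted(s_perms - o_perms),
        "added_components": sorted(f"{t}:{n}" for t, n in added),
        # receivers absent from the original that run when a call arrives
        "call_triggered": sorted(n for (t, n), acts in added.items()
                                 if t == "receiver" and CALL_ACTION in acts),
    }

# Constructed sample manifests (assumed inputs, not taken from any real app).
ORIGINAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

REPACKAGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <activity android:name=".Main"/>
    <service android:name=".Updater"/>
    <receiver android:name=".CallWatcher">
      <intent-filter><action android:name="android.intent.action.PHONE_STATE"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(diff_repackaged(ORIGINAL, REPACKAGED))
```

A non-empty `call_triggered` list is a reason to inspect the copy further, not a verdict: legitimate apps also listen for call-state changes.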

As with DroidDream, which infected 260,000 Android smartphones, "DroidDream Lite is then capable of downloading and installing additional applications to the device which could come with any number of different malicious capabilities," said Juniper. But DroidDream Lite doesn't appear to be able to install these applications silently, meaning that some user interaction would be required.

Juniper warned any Android users who had downloaded these applications to watch out for possible attacks from third-party servers that might try to push new applications. "It is possible that the device-identifying information that is collected will be used to register the device to the third-party server and used to allow infected devices to download the additional applications," said Juniper.

Last month, the networking vendor published research showing that since the summer of 2010, attacks against devices that use the Android operating system had jumped by 400%. Juniper attributed this increase to the powerful Android software development kit, freely distributed by Google to increase interest in its operating system, as well as a majority of smartphone users failing to run antivirus software on their devices.


About the Author

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
