Google Android Malware Threat Targets App Market

Google's decision to pull dozens of apps from its Android Market demonstrates an effort to target Android devices through Google's official marketplace instead of third-party app stores.

Google has removed numerous applications laced with malware from the Android app store, underscoring the threat of rogue applications infiltrating the company's mobile marketplace.

According to Lookout Mobile Security, more than 50 applications released under the developer names "Myournet," Kingmall2010″ and "we20090202″ were infected with the DroidDream Trojan and removed by Google. A complete list of the affected apps is available on the Lookout blog linked to above.

An analysis by Kaspersky Lab found that the Trojan attempts to gather a variety of information, including product ID, device type and user ID data. After swiping the information, the Trojan will upload it to a remote server. Unlike most of the other samples seen so far, there is no attempt at sending or receiving premium rate SMS messages, the firm said.

"DroidDream is packaged inside of seemingly legitimate applications posted to the Android Market in order to trick users into downloading it, a pattern we've seen in other instances of Android malware such as Geinimi and HongTouTou," Kevin Mahaffey, CTO of Lookout, told eWEEK.

Unlike previous instances of malware that were only available in alternative app markets targeted toward certain countries, DroidDream was available in the official Android Market-indicating a growing need for consumers to beware of the apps they download and actively protect their smartphones, Mahaffey said.

It is not the first time that Google has pulled suspicious apps from its marketplace. Last year, Google yanked several apps that used the names of various banks, including Chase, Sun Trust and Bank of America, without permission. The applications were removed not long after financial institutions began warning customers that rogue Android apps were trying to gain access to their information.

Earlier this week, researchers at Symantec reported a compromised application called Steamy Window had been discovered on a Chinese third-party app hosting site. The app was infected with a Trojan Symantec calls Android.Pjapps, and is thought to have been designed to push advertisement campaigns and "reap the benefits from compromised devices using third-party, premium-rate services."

"The Android.Pjapps code is well written and as such, can be easily inserted into any number of otherwise legitimate apps by someone who knows what they are doing," explained Vikram Thakur, principal security response manager at Symantec. "A couple of examples of where we're seeing this malicious code [are] in a compromised version of the Steamy Window app and also in a compromised video player app. However, we expect to see quite a few more legitimate looking apps over the coming days propagating this threat via unregulated Android marketplaces."

Once Android.Pjapps is installed, an attacker can initiate the download and installation of other applications as well; however, completing the installation of another app would require the phone owner's permission, Thakur said.

Security vendors have continued to push anti-malware software for mobile devices. In the past few weeks, McAfee, Kaspersky Lab and a number of other vendors have all made announcements focused on smartphone security.

"One of the important observations here is that it is likely that these are not the only live malware in the Android Market," blogged Tim Armstrong, malware researcher for Kaspersky Lab. "Kaspersky recommends that you always check all the permission requests that an application is requesting at install time."