Posted on 06/09/2011 5:56:08 AM PDT by Swordmaker
Google has had to pull Android out of another malware nightmare. A variation on the so-called DroidDream malware that appeared weeks ago sprang up again within dozens of app in the Android Market, which Google has now yanked off the shelves. The incident has led to more questions about whether Google should -- or can -- change its vetting process for Android Market apps.
Google (Nasdaq: GOOG) has reportedly pulled several Android mobile applications that were lousy with malware from its official Android Market.
This follows a report earlier this week from Lookout Mobile Security, which claimed it found dozens of apps in the market that contained malicious code.
The suspect apps appear to be from the same developers who created DroidDream, the malware that hit Google in early March and was also discovered by Lookout.
However, the new malware payload appears to be a stripped-down version of DroidDream, which Lookout has christened "DroidDream Light."
The latest malware attack has claimed between 30,000 and 120,000 victims, the mobile security firm estimates.
Like in the first incident, the list of infected applications in this latest attack includes apps with sexy names such as "HOT Girl 4" and "Sex Sound: Japanese," as well as seemingly useful apps such as "System Monitor," "System Info Manager," "Quick Uninstaller," "Brightness Settings" and "Volume Manager."
"The Android Market allows developers to upload apps without first running them through an established screening process like those you might find at Apple's (Nasdaq: AAPL) App Store or when using RIM's applications for BlackBerry," Fred Touchette, senior security analyst at AppRiver, told LinuxInsider.
"We do test apps, which Google doesn't, and that's one of the benefits of shopping at our Android app store," Anya Waring, spokesperson for Amazon (Nasdaq: AMZN) Electronics, pointed out.
Google did not respond to requests for comment by press time.
How DroidDream Light Works
The malicious components of DroidDream Light (DDLight) don't need the victim to launch them; they can spring into action when, for example, there's an incoming call.
Once a call comes in, the broadcast receiver launches the "lightdd.CoreService" package. This will contact remote servers and send out information about the device to those servers, Lookout said.
DDLight apparently can also download new packages and prompt the user to install them. However, unlike its predecessor, DroidDream, it requires the user's involvement for the installation, Lookout said.
The Never-Ending Droid Nightmare
This latest attack is the second on the Android Market since March.
The earlier attack, which launched the original DroidDream malware, forced Google to remove about 50 tainted apps from the market.
Android smartphone users should expect more attacks. McAfee's Q1 threat report warned that Symbian and Android are the most popular environments for mobile malware, and that attacks against mobile devices are growing.
Protect Yourself at All Times
Users should first prevent the installation of applications without their knowledge, Stephen Gates, director of field engineering at Top Layer, told LinuxInsider.
They can do this by unchecking the "Unknown Sources" field in the "Settings/Applications" menu, Gates said.
Users should also always check the reviews associated with apps they download, whether these are paid or free apps, Gates suggested.
When a user installs an app, Android will indicate the permissions the app wants to access. If any of them seem questionable, don't download the app, Gates stated.
Users whose devices are infected should download an antivirus application such as Lookout and ensure it remains updated, Gates said.
Android device users should also not access any password-protected site when they are connected to an unsecured WiFi hotspot, AppRiver's Touchette suggested.
In addition, when users get an SMS or a voicemail message that seems to have been sent by their bank or another such institution, they should call the organization directly to confirm whether it had tried to contact them instead of responding directly, Touchette said.
Steps Google Might Take
Perhaps Google might be able to protect users better if it followed Amazon's lead and checked applications before letting them be published to the Android Market.
Amazon tests every app submitted to its Android app store for malware and functionality, and it usually turns around the apps within a week, company spokesperson Waring said.
"Google could do a better job of vetting applications prior to allowing them to be posted to the market," Top Layer's Gates agreed.
However, there are "thousands upon thousands of applications available on the market, and to be honest, is it really Google's job anyway?" Gates asked.
The cost of pre-vetting could be "astronomical," and Google would have to charge either the app developer or the customer , Gates said. The process for vetting every Android app submitted to Google would also be "extremely complex," he added.
By the end of April, the Google Android Market had nearly 300,000 apps, and this number is expected to increase to 425,000 by the end of August, according to Research 2 Guidance.
Amazon Electronics, on the other hand has about 11,000 Android apps, spokesperson Waring said.
"My suggestion for Google is to force the application writers to perform the due diligence themselves," Gates said.
Yeah!
Let’s all buy iPhones, seeing that they are trying to look like Android now anyway! /s
Give it up. 2nd place is a fine position for an Apple OS to be in. Just look at OSX.
I really don’t the answer to the following question: does Apple pre-vet all the iPhone Apps before they let them on the Apple store?
The problem here isn’t Android proper, it’s the Google App Store’s policy of not vetting applications that are put on the market, resulting in people getting a false sense of security when downloading an app via an “official” store.
Note (as Amazon itself notes) that this problem doesn’t exist in the Amazon app store for Android devices, because they do screen what they put up for sale. As does RIM and, yes, Apple for their devices.
Yes. They're tested to ensure that they conform to proper API usage, etc. Also, Apple does not allow certain types of apps at all, e.g., porn. Some developers find the process cumbersome, but this article points out one of the risks of not having a vetting process.
Nor is it unique to Apple -- RIM uses a similar screening for BlackBerry and Amazon screens Andriod apps. Do they all do it to the same degree? I doubt it, but the process is still there in some form.
There have been cellphone virii for years.
When cellphones started using java, virus writers said, “Hunh, wonder what I can make it do?”
When cellphones started using bluetooth, virus writers started making use of that as an infection vector.
The response from the cellphone industry is pretty dismal.
The App Store Review Guidelines provide rules and examples across a range of development topics, including user interface design, functionality, content, and the use of specific technologies.
Amazon's app store policy is a bit more public. An excerpt:
How does the app approval process work?Our goal is for Amazon Appstore customers to have a good experience with every app they buy from the Appstore. As a result, we will be testing the apps you submit prior to making them available in our store to verify that each app works as outlined in your product description, does not impair the functionality of the mobile device or put customer data at risk once installed, and complies with the terms of the Distribution Agreement and our Content Guidelines. For clarity, our intent is not to be prescriptive in terms of what constitutes good app design. Amazon is a big believer in innovation in general, and we hope to feature many creative and innovative apps in the Appstore.
...
Do my apps need to comply with a content policy?
Each app that you submit to us must follow the following Content Guidelines. If we determine that an app contains, facilitates, or promotes content that is prohibited by these guidelines, we will reject the app submission and notify you using the email address associated with your developer account.
Content Guidelines
Please take a moment to familiarize yourself with a few examples of prohibited content:
- Offensive Content...
- Pornography...
- Illegal Activity...
- Intellectual Property Infringement...
- Privacy/Publicity Infringement...
- Copyright Policy...
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.