NEWS

March 2011, Computer Fraud & Security, p. 3

Android marketplace hit by malware

Google has pulled dozens of apps from its Android Market because they were laced with malware. As many as 200,000 devices may have been infected before Google intervened.

More than 50 apps from three publishers – Kingmall2010, we20090202 and Myournet – were loaded with the malware. Most were compromised versions of legitimate apps. This marks a new and sinister development in mobile malware as, previously, Android trojans were found outside the Android Market and usually required the device owner to supply permission for the malware to run. And it’s the first time that infected Android apps have been served from the US – or pretty much anywhere outside China.

The alarm was sounded by Reddit user Lompolo, who recognised that apps were being offered by someone other than their real publishers. According to Kaspersky, two trojan variants were discovered, labelled by the company as Exploit.AndroidOS.Lotoor.g and Exploit.AndroidOS.Lotoor.j – also known generically as DroidDream – both of which were capable of executing without the user even noticing. The malware affects earlier versions of the Android OS but devices running Android 2.3 (Gingerbread) should be safe. However, fragmentation in the market means that updating of the OS is patchy at best and there are many devices – perhaps as many as 99% of all Android smartphones – that will be vulnerable.

The malware exploits known privilege escalation vulnerabilities in the Linux kernel used by the Android OS to gain root access. At that point, the malware has full access to all information on the device and may even be capable of switching off the killswitch feature, which normally enables Google to remotely remove apps from devices. Primarily, however, the malware seems intent on stealing International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) numbers and other device information, which it delivers to the trojan’s owners via HTTP traffic. The trojans connected with a server in California, hosted by Hurricane Electric. Once contacted by Kaspersky, the ISP took down the host.

Google allows developers full control over how and when apps are uploaded and made available for download. Unlike Apple with its App Store, the company appears to make no attempt to vet or validate the software. There is simply a one-off registration payment of $25 that gives developers access to the Market – hardly a barrier to entry for cyber-criminals.

There is also some disquiet about how long it took Google to react. Developers of some of the original software, which has been pirated and infected to create the rogue apps, had complained to Google about the piracy, without response. At least one developer was driven to leaving comments on the rogue app’s page warning users that the software was pirated. This was before the malware infection was discovered.

Third-party app stores have had their own scare. A compromised app known as Steamy Window has been uploaded to a number of stores. This contains a trojan dubbed Android.Pjapps by Symantec. This sends SMS messages to premium rate numbers, running up the user’s bill and earning a commission for the cyber-criminals. It’s also capable of blocking alerts designed to warn users that they have exceeded text message quotas. The Android.Pjapps trojan can also download more malware and may have botnet capabilities.

Chinese smartphone security firm NetQin is also warning about two pieces of spyware – SW.SecurePhone and SW.Quieting. The former collects call and phone log information and uploads it to a remote server every 20 minutes, while the latter will forward messages received by the phone. Both are capable of operating without the user noticing.

Earlier, Symantec Asia-Pacific revealed details of the Android.Adrd trojan (aka HongTouTou), the first able to carry out search engine manipulation. It makes repeated requests in the background – invisible to the user – to the Baidu search engine in China in order to manipulate page rankings for certain sites.

Finally, Prof Dan Wallach of Rice University in Texas discovered during a class demonstration of packet sniffing that Android phones exchange data with Facebook and Google Calendar in clear text, with no apparent attempt at encryption. For example, in the case of the official Facebook app, everything except the password was transmitted in the clear in spite of Wallach’s Facebook account being configured to use SSL.
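Two of the findings above leave a trace a defender can look for in egress or proxy logs: DroidDream shipping IMEI and IMSI numbers to its operators over plain HTTP, and Wallach’s observation that app traffic was going out unencrypted. The script below is an added example written for this article, not code from the report, Kaspersky, Google or any other vendor. Its proxy-log format, the four log lines and the 198.51.100.7 address (from the TEST-NET-2 documentation range) are constructed; the only real-world property it relies on is that an IMEI is 15 digits whose last digit is a Luhn check digit, while an IMSI has no check digit.

```python
"""Flag outbound HTTP requests that carry IMEI/IMSI-style device identifiers.

Added example for this news item; the log format and sample lines are
constructed, and the remote address is a documentation (TEST-NET-2) IP.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# A bare run of 14-16 digits: IMEI is 15 digits, IMEISV 16, IMSI up to 15.
ID_RUN = re.compile(r"(?<!\d)\d{14,16}(?!\d)")

# Constructed proxy log: "<timestamp> <client> <method> <url>" per line.
SAMPLE_LOG = """\
2011-03-02T10:15:01Z 10.0.0.12 GET http://198.51.100.7/upload?imei=356938035643809&imsi=310260123456789&ver=2.1
2011-03-02T10:15:03Z 10.0.0.12 GET http://example.com/news?page=3
2011-03-02T10:15:09Z 10.0.0.15 POST http://198.51.100.7/report/356938035643809/status
2011-03-02T10:15:12Z 10.0.0.20 GET http://example.com/parcel?track=12345678901234
"""


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, the scheme used for the IMEI check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(key, value):
    """Label a candidate value; key is the query parameter name, or None for a path segment."""
    k = (key or "").lower()
    if "imei" in k or (len(value) == 15 and luhn_valid(value)):
        return "imei"
    if "imsi" in k:
        return "imsi"
    return "numeric-id"                      # long number with no corroboration: weaker signal


def candidates(url):
    """Yield (param_name, value) pairs from the query string and path worth checking."""
    parts = urlsplit(url)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if ID_RUN.fullmatch(value):
            yield key, value
    for match in ID_RUN.finditer(parts.path):
        yield None, match.group(0)


def scan_log(lines):
    """Return one finding per identifier-like value seen leaving the network."""
    findings = []
    for n, line in enumerate(lines, 1):
        fields = line.split(maxsplit=3)
        if len(fields) < 4:
            continue                         # malformed line; skip rather than crash
        _ts, src, _method, url = fields
        parts = urlsplit(url)
        for key, value in candidates(url):
            findings.append({
                "line": n,
                "src": src,
                "host": parts.hostname,
                "param": key,
                "kind": classify(key, value),
                "cleartext": parts.scheme == "http",   # identifier visible to any sniffer
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample log this reports four findings: an IMEI and an IMSI in the first request, the same IMEI embedded in the path of the third, and a weaker "numeric-id" hit for the 14-digit tracking number, all over clear-text HTTP. Grouping findings by `host` is the natural next step, since a single unfamiliar host collecting identifiers from many clients is the pattern described in the article.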

Conflicting malware trends

Panda Security claims to have seen a drop in malware levels during February 2011, although for other

Continued on page 20...

Types of malware detected in February 2011 by Panda Security’s cloud-based scanner.