Several malicious apps were downloaded to Android devices earlier this month.
Malware. It’s not just for computers anymore.
Google Inc. announced earlier this month that it removed several potentially dangerous apps that were available for download on the Android Market, signaling that consumers should think about security when downloading apps as they do when downloading software or files to their computers.
“The Android team was made aware of a number of malicious applications published to Android Market,” Google said in a post on its mobile blog. “Within minutes of becoming aware, we identified and removed the malicious applications.” Google says it suspended the associated developer accounts and contacted law enforcement about the attack.
According to Google, the apps exploited known vulnerabilities that are only present in older versions of the Android operating system. Google says it thinks the apps that were downloaded didn’t gather much information, only the IMEI/IMSI—unique codes used to identify mobile devices—and the version of Android running on the mobile device. But it added that given the nature of the attacks, the apps could access other data, so Google remotely removed the malicious apps from devices that had downloaded them. It also released a security update to all affected devices that reversed the access the apps may have gained, to prevent them from stealing any more information.
Owners of infected devices received an e-mail notifying them of the incident and a message to their mobile device that “Android Market Security Tool March 2011” had been installed. Some also received messages that the apps had been removed. Affected Android owners received a second e-mail within 24 hours after the app was removed and the security update installed.
Matt Bishop, a web and mobile web security expert and professor of computer science at the University of California at Davis, says a common way criminals release such infected apps is by copying the written program for a legitimate app, adding the malware, and then putting the revised app out for purchase with a different look and under a new name. That means mobile operating systems such as Apple’s iOS or Google’s Android need to have rigorous security checks in place to ensure an app is safe before making it available to consumers.
“The app developers themselves usually can’t do much about malware, because the malware is added later,” Bishop says. One thing they can do, however, is try to keep the app as closed as possible so that hackers never have a chance to copy the app, Bishop says. Closed here means keeping to a minimum the degree to which an app opens itself up to web sites or mobile networks. For example, adding Facebook integration to an app opens up a web channel to the social network. Retailers must weigh the value of Facebook integration against the need for security.
“App developers should be sure the app runs with the least amount of privileges it needs to get the job done,” Bishop says. “If the app doesn’t need to access the cellular network because it doesn’t need to use the network, the app should not have the rights to access that network. Think of it like a need-to-know basis. With apps, if the app doesn’t need access to a resource file or network, it should not have it.”