The folks over at Android Police published details yesterday of what they describe as “the mother of all Android malware”, which was initially spotted by Reddit contributor lompolo.
Lompolo posted details of 21 Android apps which were repackaged versions of legitimate apps; at current count, more than 50 malicious apps appear to be involved. The repackaged versions include the rageagainstthecage or the exploid exploit, which is capable of gaining root access to the device. Not only do these trojanised apps steal device details such as IMEI and IMSI, but they also install further hidden malware which siphons even more user information off the device and into the hands of criminals. Further research from Android Police reports that this second payload also contains a dropper capable of downloading further code.
In a response to the initial posting by lompolo, one of the developers of the legitimate apps that have been hijacked commented:
“I’m the developer of the original Guitar Solo Lite. I noticed the rogue app a bit more than a week ago (I was receiving crash reports sent from the pirated version of the app). I notified Google about this through all the channels I could think of: DCMA notice, malicious app reporting, Android Market Help…they have yet to respond. Thankfully this was posted on Reddit, since after the post the rogue dev and all his apps have been removed from the market. There really should be a faster/easier way to get Google to act on it!”
Trend Micro detect this threat (popularly known as DroidDream) as ANDROIDOS_LOTOOR.A; further details are in the link.
During the five days these apps were available, an estimated 50,000 downloads took place. Google have now pulled the apps and blocked the rogue developer from the Android marketplace; they have also remotely removed the apps from affected handsets. Of course, this remote kill switch will not remove any other code that may have been dropped onto the device as a result of the initial infection. So if you are one of the estimated 50,000 people who have downloaded these malicious apps, it could be worth your while investigating the possibility of getting a replacement handset or reinstalling the operating system on the one you have, if possible.
The Android app ecosystem is by definition open: there is a wide array of app stores available and apps can be published to the user community in minutes. This greater openness of the developer environment has been argued to foster an atmosphere of creativity, but as Facebook have already discovered, it is also a very attractive criminal playground.
It is worth remembering that full security suites are now available for Google Android, such as this one. The number of threats to mobile platforms is growing, and growing at a steady rate. Of course, the sheer volume of mobile malware is a long way from the epidemic proportions of Windows-based malware, but criminal interest is clearly there and growing. We see multi-platform attacks distributed by the same criminal groups that traditionally have focused on Wintel systems, and the growth in complexity of threats (for example, ZeuS malware now incorporating mobile elements aimed at intercepting SMS banking authentication codes) is striking. Criminals are driven by consumer behaviour, and as the money-making opportunities move to mobile platforms criminals will follow; in fact, they already are.
A full list of the trojanised apps, published by Myournet, is:
- Falling Down
- Super Guitar Solo
- Super History Eraser
- Photo Editor
- Super Ringtone Maker
- Super Sex Positions
- Hot Sexy Videos
- Hilton Sex Sound
- Screaming Sexy Japanese Girls
- Falling Ball Dodge
- Scientific Calculator
- Dice Roller
- Advanced Currency Converter
- App Uninstaller
- Funny Paint
- Spider Man
The Guardian have published an expanded list of apps believed to be trojanised in this way here.