Google Android rooted, backdoored, infected.

Android Attack

Image from MJ/TR Flickr under Creative Commons

The folks over at Android Police published details yesterday of what they describe as “the mother of all Android malware” that was initially spotted by reddit contributor lompolo.
Lompolo posted details of 21 Android apps which were repackaged version of legitimate apps, at current count now more than 50 malicious apps appear to be involved. The repackaged versions include the rageagainstthecage or the exploid exploit which is capable of gaining root access to the device. Not only do these trojanised apps steal device details such as IMEI and IMSI but they also install further hidden malware which siphons even more user information off the device and into the hands of criminals. Further research from Android Police reports that this second payload also contains a dropper capable of downloading further code.
In a response to the intial posting by lompolo one of the developers of the legitimate apps that have been hijacked commented:

I’m the developer of the original Guitar Solo Lite. I noticed the rogue app a bit more than a week ago (I was receiving crash reports sent from the pirated version of the app). I notified Google about this through all the channels I could think of: DCMA notice, malicious app reporting, Android Market Help…they have yet to respond. Thankfully this was posted on Reddit, since after the post the rogue dev and all his apps have been removed from the market. There really should be a faster/easier way to get Google to act on it!”

Trend Micro detect this threat (popularly known as DroidDream) as ANDROIDOS_LOTOOR.A, further details in the link.
During the five days these apps were available an estimated 50,000 downloads have taken place. Google have now pulled the apps and blocked the rogue developer from Android marketplace, they have also remotely removed the apps from affected handsets. Of course this remote kill switch will not remove any other code that may have been dropped onto the device as a result of the initial infection. So if you are one of the estimated 50,000 people who have downloaded these malicious apps it could be worth your while investigating the possibility of getting a replacement handset or reinstalling the operating system on the one you have if possible.
The Android app ecosystem is by definition open, there is a wide array of app stores available and apps can be published to the user community in minutes. This greater openness of the developer environment has been argued to foster an atmosphere of creativity, but as Facebook have already discovered it is also a very attractive criminal playground.
It is worth remembering that full security suites are now available for Google Android, such as this one. The number of threats to mobile platforms is growing and growing at a steady rate. Of course the sheer volume of mobile malware  is a long way from the epidemic proportions of Windows based malware, but criminal interest is clearly there and growing. We see multi-platform attacks distributed by the same criminal groups that traditionally have focused on Wintel systems, and the growth in complexity of threats, for example ZeuS malware now incorporating mobile elements aimed at intercepting SMS banking authentication codes is striking. Criminals are driven by consumer behaviour and as the money-making opportunities move to mobile platforms criminals will, in fact already are, following.
A full list of the trojanised apps, published by Myournet, is:

  • Falling Down
  • Super Guitar Solo
  • Super History Eraser
  • Photo Editor
  • Super Ringtone Maker
  • Super Sex Positions
  • Hot Sexy Videos
  • Chess
  • 下坠滚球_Falldown
  • Hilton Sex Sound
  • Screaming Sexy Japanese Girls
  • Falling Ball Dodge
  • Scientific Calculator
  • Dice Roller
  • 躲避弹球
  • Advanced Currency Converter
  • App Uninstaller
  • 几何战机_PewPew
  • Funny Paint
  • Spider Man
  • 蜘蛛侠

The Guardian have published an expanded list of apps believed to be trojanised in this way here.

18 thoughts on “Google Android rooted, backdoored, infected.

  1. Pingback: Links From The Android vs. Apple iOS Security Showdown Presentation | Mobile Device Security

  2. Pingback: 15 top Best Google Android applications for beginners | Android App Store

  3. Pingback: Android hit by rogue app malware

  4. Ryan Boney

    How can I tell if my ego has been hit by the virus cause all its sudden my phone won’t stream any media through the default players noir will it download any movies

  5. Pingback: Android: Se encuentra el primer virus a gran escala en más de 50 aplicaciones — Bitelia

  6. Pingback: Trojanized Apps Root Android Devices | Simply Security

  7. Binta Fulani

    Dear Sirs, I installed your anti-virus program about two months ago. But about two weeks ago, Internet Defender informs me that I have been invected by 18 viruses. So, I bought a second anti-virus program from Norton. To avoid a confict, I try to delete Trend Micro. It deletes up to 13% and hands. I can run Norton anyway, but my computer runs very slowly. Could there be that there is a conflict. Can you delete Trend Micro from the other side of the Internet? Please help me.

    Sincerely, Binta

    1. Rik Ferguson Post author

      Hi Binta “Internet Defender” sounds suspiciously like scareware, a fake antivirus that tries to scare you with untrue messages that you are infected with non-existent malware. It is inadvisable to run two different anti-malware programs at the same time, so I would advise uninstalling Norton and heading over to to try and remove the scareware.

  8. Pingback: Trend Micro Asia Pacific News Library - Trojanized Apps Root Android Devices

  9. Pingback: Trojanized Apps Root Android Devices

  10. Pingback: Trojanized Apps Root Android Devices | Alpine-Hi-Tech, Mobile Computer Repair & Ink and Toner

  11. Pingback: Trojanized Apps Root Android Devices | Malware Blog | Trend Micro

  12. Fin

    PS. I am happy to do the re-format thing suggested – but would be sad to lose my photographs and videos. Not sure what is safe and what is in danger. Not sure where to go for step-by-step advice for someone who has downloaded an infected App. (I do feel like a bit of a twit for having downloaded the game.)

  13. Fin

    I downloaded “Spider Man”. Clicking on the Market icon – it no longer appears under “My Apps”. However, if I go to settings, it does appear under downloaded applications. Indeed, it was running and I clicked “Force Stop”. Have switched off phone until I can call the mobile operator tomorrow morning in case they would find the “cache” information useful.
    My greatest concern is a criminal knowing my Google password and having downloaded my emails or something. (I have just changed my Google Password using my desktop computer.) I do not think I will be downloading future Apps, at least, not games, for a while.

  14. Pingback: Android hit by rogue app viruses « The Joe Lake Blog The Joe Lake Blog

  15. Pingback: Android hit by rogue app viruses |

  16. Pingback: Android hit by rogue app viruses

  17. Pingback: Trend Micro Asia Pacific News Library - Google Android rooted, backdoored, infected

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.