The Android Police blog is reporting that not only has some nasty malware been released into the Android market, but that it has been downloaded by 50-200 thousand users, all of whom may have had their devices completely compromised. The attack came in the form of dozens of popular free apps that contained a plethora of nasty tricks. The apps were actually re-packaged free apps from different publishers, presumably to maximize the chance they would be downloaded and minimize the work the ne’er-do-wells would need to spend making their own apps.
Reddit user lompolo made the discovery, writing:
I just randomly stumbled into one of the apps, recognized it and noticed that the publisher wasn’t who it was supposed to be.
Super Guitar Solo for example is originally Guitar Solo Lite. I downloaded two of the apps and extracted the APKs, they both contain what seems to be the “rageagainstthecage” root exploit – binary contains string “CVE-2010-EASY Android local root exploit (C) 2010 by 743C”. Don’t know what the apps actually do, but can’t be good.
Now, I’m no big city computer programmer with book-learnin’ to back me up; I rely on other, smarter people on the Internet to let me know what the dangers are. The Android Police took a look at the code themselves and made the following, frightening conclusions:
I asked our resident hacker to take a look at the code himself, and he’s verified it does indeed root the user’s device via rageagainstthecage or exploid. But that’s just the tip of the iceberg: it does more than just yank IMEI and IMSI. There’s another APK hidden inside the code, and it steals nearly everything it can: product ID, model, partner (provider?), language, country, and userID. But that’s all child’s play; the true pièce de résistance is that it has the ability to download more code. In other words, there’s no way to know what the app does after it’s installed, and the possibilities are nearly endless.
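Both findings quoted above, the marker string lompolo saw in the extracted binary and the second APK Android Police found hidden inside, can be checked for statically without installing the app. The Python below is an added example, not code from lompolo or Android Police; the sample archive, its file names and the size cap are constructed assumptions.

```python
import io
import zipfile

# Marker quoted in the post, found inside the bundled root-exploit binary.
MARKER = b"CVE-2010-EASY Android local root exploit"
ZIP_MAGIC = b"PK\x03\x04"
MAX_ENTRY = 32 * 1024 * 1024  # assumed cap so a hostile archive cannot exhaust memory


def scan_apk(data, prefix="", depth=0, max_depth=3):
    """Statically scan APK bytes; return a list of (entry path, reason)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for info in apk.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY:
                continue
            blob = apk.read(info)
            where = prefix + info.filename
            if MARKER in blob:
                findings.append((where, "root-exploit marker string"))
            # Detect archives by content, not extension: a hidden APK can be renamed.
            if not blob.startswith(ZIP_MAGIC) or depth >= max_depth:
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(blob)) as inner:
                    names = set(inner.namelist())
            except zipfile.BadZipFile:
                continue
            if names & {"AndroidManifest.xml", "classes.dex"}:
                findings.append((where, "embedded APK"))
            findings.extend(scan_apk(blob, where + "!/", depth + 1, max_depth))
    return findings


def build_sample(infected=True):
    """Constructed test archive; every file name and byte in it is made up."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        if infected:
            z.writestr("assets/helper.bin", b"\x7fELF\x00" + MARKER + b" (C) 2010 by 743C")
            z.writestr("assets/data.db", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in scan_apk(build_sample()):
        print(f"{path}: {reason}")
```

A hit on the marker string only shows that this particular binary is present; a repackaged app that drops or alters the string would need the embedded-APK check or a publisher comparison like the one lompolo made.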
Thankfully, after Google was alerted to the exploit, they not only removed the apps from the marketplace, but removed the publisher as well and remote-killed the apps on users’ phones. But, according to Android Police, “unfortunately, that doesn’t remove any code that’s already been backdoored in.”
From my admittedly ignorant position, it looks like the open nature of the Android market is both the cause and the solution. The open nature of the market allowed for the creation and relatively easy dissemination of these tainted apps, but also allowed vigilant users like lompolo to make the discovery and break it to the world. That’s little consolation for the thousands that have been affected by this scam, but it’s a relief to see some natural checks and balances appearing in the fledgling Android app community.
However, many commenters — including the developer of the legitimate apps that were ripped off — have criticized Google for taking so long to react. Apparently, they were informed of the rogue apps over a week ago, and only acted once the full gravity of the situation was revealed. Google will need to work on that if they’re serious about keeping their market open as well as safe for users.