Last week, a shady Android app publisher took 21 popular free apps from the marketplace, injected root exploits into them, and re-uploaded them on to the app marketplace. “What’s a ‘root exploit?” you might ask? Basically, it’s as if someone staged a coup in your Android phone and instituted The Joker as the leader. Very bad things could happen.
Android Police asked one of their experts on what the true extent of the exploit was:
I asked our resident hacker to take a look at the code himself, and he’s verified it does indeed root the user’s device via rageagainstthecage or exploid. But that’s just the tip of the iceberg: it does more than just yank IMEI and IMSI. There’s another APK hidden inside the code, and it steals nearly everything it can: product ID, model, partner (provider?), language, country, and userID. But that’s all child’s play; the true pièce de résistance is that it has the ability to download more code. In other words, there’s no way to know what the app does after it’s installed, and the possibilities are nearly endless.
Guess the “openness” of the Android Market really can be a double-edged sword. I mean, a trojan that has the ability to download and install more code to run whenever it pleases? Yeesh. The worst part of it is that these infected apps were downloaded between 50,000 and 200,000 times in the span of just four days. That’s a lot of potentially devastated individuals.
Fortunately, Google became aware of this issue and issued a statement over the weekend on what actions it’s taken:
- We removed the malicious applications from Android Market, suspended the associated developer accounts, and contacted law enforcement about the attack.
- We are remotely removing the malicious applications from affected devices. This remote application removal feature is one of many security controls the Android team can use to help protect users from malicious applications.
- We are pushing an Android Market security update to all affected devices that undoes the exploits to prevent the attacker(s) from accessing any more information from affected devices. If your device has been affected, you will receive an email from firstname.lastname@example.org over the next 72 hours. You will also receive a notification on your device that “Android Market Security Tool March 2011” has been installed. You may also receive notification(s) on your device that an application has been removed. You are not required to take any action from there; the update will automatically undo the exploit. Within 24 hours of the exploit being undone, you will receive a second email.
- We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues.
While it’s nice that Google has taken the appropriate steps to remove the exploit from affected devices without users having to do anything, the damage has already been done. Any personal information that was already sent back to the villains is already done. Apple may grab a lot of flak for having a gestapo-esque manner of running its App Store, but you can bet your sweet tushy that an exploit as blatant and malicious as this one would never have seen the light of day on it.
Google can tout “openness” all it wants as a selling point, but I doubt people would want this “freedom” at the cost of not feeling safe to use their devices. Let’s hope these “measures” they’ve taken are enough to prevent something like this from ever happening again.