Google pulled over 20 malicious apps from the Android Marketplace today. The inevitable has happened. 2011 has become the year of mobile malware. All the pieces of the malware ecosystem puzzle that researchers have been warning about are falling into place:

  • Little to no vetting of apps for malicious behavior before being made available from app stores
  • Android kernel code with known privilege escalation vulnerabilities and no way for many mobile users to patch their devices
  • Attacker motivation in the form of large numbers of vulnerable devices and several proven ways to monetize their attacks: premium SMS/dialing, in-app purchases, and ad click fraud

The malicious apps that were pulled were legitimate apps that had been pirated, modified by the attackers, and republished. To the people who downloaded them they looked and behaved like well-functioning apps. These users had no reason to rate the apps poorly in the Android Marketplace’s reputation system or to leave comments that the apps were suspicious. This shows that reputation systems are a poor method of ensuring an app store is free of malware.

To Google’s credit they did remove the apps and have, or will, wipe the apps from users’ devices, but this is too little, too late. The mobile devices are already compromised: the malware took advantage of kernel vulnerabilities to root the devices and download more malware that didn’t come through the app store. Anyone who ran the malicious apps now has a compromised device running software with root permissions that Google cannot wipe.

The exact same thing could happen tomorrow even though we know what Android kernel exploit code was used and there are new versions of Android that fix these issues. This is because many Android phones cannot be updated to the new versions of Android, 2.2.2 and 2.3, that fix the root holes. Many Android phone providers have customized their versions of Android, so up to half of Android phones running 2.0, 2.1 or 2.2 are sitting ducks for the same problem tomorrow.

There are two problems that need fixing, because we can’t fix the attacker motivation piece of the puzzle:

  • App stores need to get serious about vetting code before it is available for customer download. The halo effect of the app store distribution channel, combined with the fact that many apps come from developers no one has ever heard of and the failure of the reputation model of policing, means that vetting apps is the only way to lessen malware in the app store.
  • Kernel flaws need to be fixed promptly and pushed out to all devices. Leaving devices stuck with gaping kernel holes for years is not acceptable for a consumer platform.
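As an added illustration of the vetting step the first bullet calls for (this is example code, not code from the original post or from Veracode), the Python below models a pre-publication check that targets the pattern described above: a pirated copy of a published app, re-signed by someone else and given new capabilities. Package names, signer fingerprints and file hashes are constructed sample data, and the similarity threshold and high-risk permission list are assumptions rather than any store's actual policy.

```python
"""Added example (not from the original post or from Veracode): a pre-publication
vetting check for an app store submission.

Assumptions: each submission is described by its package name, the fingerprint of
the certificate it was signed with, a set of hashes of its code and resource files,
and its requested permissions. All values below are constructed sample data; the
similarity threshold and the high-risk permission list are assumptions."""
from dataclasses import dataclass

# An app sharing at least this fraction of its files with an already-published app,
# but signed by a different developer certificate, is treated as a repackaged copy.
SIMILARITY_THRESHOLD = 0.75

# Permissions that give the monetization paths the post names (premium SMS, dialing).
HIGH_RISK_PERMISSIONS = frozenset({
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
})


@dataclass(frozen=True)
class Submission:
    package: str            # e.g. com.example.game (constructed)
    signer_sha256: str      # fingerprint of the signing certificate (constructed)
    file_hashes: frozenset  # hashes of code and resource files (constructed)
    permissions: frozenset  # requested permissions


def jaccard(a, b):
    """Overlap between two hash sets: |a & b| / |a | b|, 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


class VettingRegistry:
    """Remembers every accepted app so later submissions can be compared against it."""

    def __init__(self):
        self._published = {}  # package name -> Submission

    def vet(self, sub):
        """Return (decision, findings). Only accepted submissions enter the registry."""
        findings = []

        # 1. Repackaging check: near-identical files under a different signing key.
        for known in self._published.values():
            if known.signer_sha256 == sub.signer_sha256:
                continue  # same developer; updates and variants are expected
            overlap = jaccard(sub.file_hashes, known.file_hashes)
            if overlap >= SIMILARITY_THRESHOLD:
                findings.append(f"likely repackage of {known.package}: "
                                f"{overlap:.0%} file overlap, different signer")
                extra = sub.permissions - known.permissions
                if extra:
                    findings.append("permissions the original did not request: "
                                    + ", ".join(sorted(extra)))

        # 2. Permission check: flag the capabilities used to monetize mobile malware.
        risky = sub.permissions & HIGH_RISK_PERMISSIONS
        if risky:
            findings.append("high-risk permissions requested: " + ", ".join(sorted(risky)))

        if any(f.startswith("likely repackage") for f in findings):
            decision = "reject"
        elif findings:
            decision = "manual review"
        else:
            decision = "accept"
            self._published[sub.package] = sub
        return decision, findings


if __name__ == "__main__":
    registry = VettingRegistry()
    original = Submission("com.example.game", "sha256:ORIGINAL-DEV",
                          frozenset({"h1", "h2", "h3", "h4"}),
                          frozenset({"android.permission.INTERNET"}))
    print(registry.vet(original))
    # A pirated copy: the same files plus an added payload, re-signed by someone
    # else, now asking for SMS permission.
    copy = Submission("com.pirate.game", "sha256:UNKNOWN-DEV",
                      frozenset({"h1", "h2", "h3", "h4", "h-payload"}),
                      frozenset({"android.permission.INTERNET",
                                 "android.permission.SEND_SMS"}))
    print(registry.vet(copy))
```

The check deliberately keys on the developer's signing certificate rather than on package name or ratings: a repackaged app keeps most of the original's files but cannot carry the original developer's signature, which is exactly the signal a reputation system never sees.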

A viable mobile malware ecosystem has been proven today. As many as 50,000 to 200,000 devices could be under the control of one attacker to do his bidding, since his malware was downloaded that many times over a four-day period. In the biggest malware ecosystem, the Windows PC, a botnet of 50,000 to 200,000 devices is considered an attacker success. As sales of mobile devices overtake those of PCs we should not let an even bigger malware ecosystem thrive on this new platform. The time is ripe to clamp down on this out-of-control environment.


About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Comments (2)

Rob Lewis | March 3, 2011 8:16 am

A day in the life or a "What! We need security?" moment.

I remember chatting with a Google VP at a con in the last quarter of 2008 when Android was very early stage. We introduced ourselves as developers of a high assurance wrapper technology that was an especially good fit with Linux OSs and that could prevent the scenario you describe. Of course it was all under control, according to him. Right.

Very nice post though.

Steven Klein | March 8, 2011 8:42 am

"App stores need to get serious about vetting code…"

Apple has been doing that since day one, and they've been roundly criticized for the practice.

Owners of iOS devices—iPhones, iPod touches, and iPads—don't need to worry about these things.

(And no, I don't own an iPhone.)
