Expert: Android Market should scan for malware

Android Market apps should be scanned for traces of malware to protect Android customers from downloading apps that look legitimate but are in fact malicious, a security expert told CNET today.

Earlier this week Google removed a bunch of malicious apps, most disguised as legitimate apps, from the Android Market after they were found to contain malware. The malware, dubbed DroidDream, uses two exploits to steal information such as phone ID and model, and to plant a back door on the phone that could be used to drop further malware on the device and take it over.

"At a minimum, they have to do signature-based scanning for known malware," said Chris Wysopal, chief technology officer at Veracode, an application security provider. "DroidDream is now a malware kit and it would be easy for people to make variations of it and insert it into new software."

But traditional signature-based antivirus software isn't good at detecting brand new malware or existing malware that has been modified enough to slip past the antivirus programs. To catch something like DroidDream then, behavioral-based antivirus scanning should also be used, according to Wysopal.

"Downloading and installing additional software onto the device outside of the app store is the kind of behavior that should be scanned for," he said.

A Google spokesman declined to comment beyond confirming that the company had removed some apps and disabled several developer accounts for violating Android Market policies.

Most if not all of the 55 or so apps that were pulled from the Android Market were repackaged versions of legitimate apps, said Kevin Mahaffey, chief technology officer at Lookout, which provides security software and services for Android, BlackBerry, and Windows. This means that even more cautious Android users could have been more easily duped into downloading one of the apps, he said. (Symantec has a list of some of the apps removed from the Android Market here.)

Depending on the handset used, Android versions may be patched by now, but others are not, he said. The vulnerabilities exploited by the malicious apps have been patched in Android 2.3, also known as Gingerbread, but older versions could still be vulnerable, according to Mahaffey.

It's not clear whether DroidDream did in fact download any software onto devices that installed any of the malicious apps. The command-and-control server the malware set up to communicate with the victim devices is offline now and "we haven't seen any evidence that the server was pushing apps to the devices," Mahaffey said.

It's also a mystery who is behind the malicious apps, but there's a possibility it's someone in China as the malware was also found on alternative Android marketplaces that target Chinese users, he said.

Cleanup can be a pain; in addition to removing the app, any additional software it may have hidden in the device must be wiped. Lookout can walk Android users who need help through the cleanup process, Mahaffey said.

The Android Market is flourishing, with the number of apps growing faster than the iPhone market, according to Lookout. Android also has greater overall market share of mobile operating systems in the U.S. (29 percent) than Apple's iOS and Blackberry (both 27 percent), Nielsen announced today.

Much of the success of the platform is due to the fact that the operating system is open-source and thus attracts a large number of developers. The openness of Android's platform fosters innovation, but leaves much of the responsibility for security on the shoulders of Android customers, experts say. (More details on the different security models between Android and iPhone is here.)

In one analogy Wysopal has come across, the iPhone environment has been likened to Disney World and Android to New York City. You might not have as much freedom and choice at Disney World, but you probably feel safer.

"How are people who don't read CNET supposed to know that they need to do something on their phone to bring it back to its factory state because it's been compromised" by a malicious app, Wysopal said. Apple could send a warning out to all iPhone users if it needed to but that can't happen on the Android because of all the different flavors of the operating system running on the different handsets, he said.

This may be the first time Google has removed malicious apps from the Android Market, but it's not the first time apps have been pulled. Last year two proof-of-concept apps designed to test how easy it would be to distribute an innocuous program that could later be made malicious were removed. Later in the year Google pulled another app the same researcher created to illustrate a flaw in the mobile framework that allowed apps to be installed without a user's knowledge. That hole also was plugged.