Google has remotely removed two free apps from several hundred Android phones because the apps misrepresented their purpose and thus violated Android developer policies, according to a company spokesman.
This marks the first time Google has used the Remote Application Removal Feature that allows the company to delete apps for security reasons that have been installed through Android Market.
The apps were proof-of-concept programs designed to test the feasibility of distributing a program that could later be used to take control of the device in an attack, according to Jon Oberheide, the developer who wrote and distributed them.
The one app--called RootStrap--executed code that merely printed a message on the phone that says "Hello World," while the second app did the exact same thing but was disguised as a preview of the "Twilight Saga: Eclipse" movie, he said in an interview with CNET on Friday. There were about 50 downloads of the RootStrap app and 250 to 350 of the Twilight app, though some people later uninstalled them, he said.
Oberheide has developed a program that could be used to bootstrap a rootkit, effectively allowing someone to remotely take control of a phone by having an app already installed on it phone home to fetch code that could exploit a vulnerability on the device, he said.
"An attacker who develops legitimate-looking apps and distributes them on the Android Market could gather a large install base and if there was a vulnerability within the Android operating system or Linux (upon which Android is based) the attacker can phone home to see if there is an exploit to download and push it out to all the phones he controls and take complete control of the phone via the kernel," said Oberheide, who works at a security start up called Scio Security.
Oberheide removed the apps voluntarily from the Android Market after being asked to by Google, he said.
The apps "were not designed to be used maliciously, and did not have permission to access private data--or system resources" beyond accessing the Internet, Rich Cannings, Android Security Lead, wrote in a blog post.
Under the Android Market Content Policy for Developers, "developers should not upload or otherwise make available applications...(that offer) misleading information about an application's purpose."
Updated 4:41 p.m. PDT with comment from researcher who developed the apps.
Correction 3:30 p.m. PDT: This story initially misstated who wrote the Android Developers blog post. It was Rich Cannings.