Malicious apps removed from Android Market

Mobile security firm Lookout reports that about two dozen apps were found to contain malware. Google has not yet commented.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read

Google has removed from the official Android Market about two dozen apps found to contain malware that can compromise data, mobile security firm Lookout is warning.

Between 30,000 and 120,000 Android devices may have been affected, Lookout said.

"This weekend, multiple applications available in the official Android Market were found to contain malware that can compromise a significant amount of personal data," the company said in a blog post late last night. "Likely created by the same developers who brought DroidDream to market back in March, more than 25 applications were found to be infected with a stripped down version of DroidDream we're calling 'Droid Dream Light' (DDLight)."

Google removed 58 malicious apps from the market in March and remotely removed the apps from the devices they'd been downloaded to.

Google representatives did not immediately respond to e-mails seeking comment early today.

The problem was reported to Lookout by a developer who found that modified versions of his app and another developer's app were being distributed in the Android Market. Lookout confirmed that malicious code was inserted into the apps and identified markers that linked the code with DroidDream samples.

"We discovered 24 additional apps re-packaged and re-distributed with the malicious payload across a total of 4 different developer accounts," Lookout said.

Apps containing DDLight have been available for download from the official Android Market. Anyone who has downloaded the apps listed below may be affected. If you have downloaded these apps, contact support@mylookout.com for help in removing them.

The list of infected applications includes:

Magic Photo Studio
• Sexy Girls: Hot Japanese
• Sexy Legs
• HOT Girls 4
• Beauty Breasts
• Sex Sound
• Sex Sound: Japanese
• HOT Girls 1
• HOT Girls 2
• HOT Girls 3

Mango Studio
• Floating Image Free
• System Monitor
• Super StopWatch and Timer
• System Info Manager

E.T. Team
• Call End Vibrate

• Quick Photo Grid
• Delete Contacts
• Quick Uninstaller
• Contact Master
• Brightness Settings
• Volume Manager
• Super Photo Enhance
• Super Color Flashlight
• Paint Master

Because malicious components of DDLight are invoked on receipt of a android.intent.action.PHONE_STATE intent (for example, an incoming voice call), DDLight is not dependent on manual launch of the installed application to trigger its behavior, Lookout said.

"The broadcast receiver immediately launches the .lightdd.CoreService which contacts remote servers and supplies the IMEI, IMSI, Model, SDK Version and information about installed packages," the company said. "It appears that the DDLight is also capable of downloading and prompting installation of new packages, though unlike its predecessors it is not capable of doing so without user intervention."

Lookout users are already protected. According to Lookout, all Android users should:

• Download apps only from trusted sources and reputable app markets. Examine the developer name, reviews, and star ratings.

• Always check the permissions that an app requests. Make sure the permissions an app requests match the app's features.

• Be alert for abnormal behavior on your phone that could signal an infection, such as unusual SMS or network activity.

• Use a mobile security app that scans every app you download.