It appears that the shit just hit the fan as far as malware for Android is concerned. Redditor lompolo has found that someone has taken 21 popular free apps from the market, injected root exploits into them and republished them. What makes it even more alarming is that those apps have accounted for a total of 50k-200k downloads in just 4 days.
The good news is that Google pulled the apps within 5 minutes of being made aware of it. Android Police, based on their own investigation, suggests that the compromised apps have the ability to download even more code, making their potential to do harm virtually limitless.
Here’s the explanation:
Link to publisher's apps here. I just randomly stumbled into one of the apps, recognized it and noticed that the publisher wasn’t who it was supposed to be.
Super Guitar Solo for example is originally Guitar Solo Lite. I downloaded two of the apps and extracted the APKs, they both contain what seems to be the “rageagainstthecage” root exploit – binary contains string “CVE-2010-EASY Android local root exploit (C) 2010 by 743C”. Don’t know what the apps actually do, but can’t be good.
I appreciate being able to publish an update to an app and the update going live instantly, but this is a bit scary. Some sort of moderation, or at least quicker reaction to malware complaints would be nice.
EDIT: After some dexing and jaxing, the apps seem to be at least posting the IMEI and IMSI codes to http://126.96.36.199:8080/GMServer/GMServlet, which seems to be located in Fremont, CA.
The offending apps from publisher Myournet:
- Falling Down
- Super Guitar Solo
- Super History Eraser
- Photo Editor
- Super Ringtone Maker
- Super Sex Positions
- Hot Sexy Videos
- Hilton Sex Sound
- Screaming Sexy Japanese Girls
- Falling Ball Dodge
- Scientific Calculator
- Dice Roller
- Advanced Currency Converter
- App Uninstaller
- Funny Paint
- Spider Man
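The check described in the quoted post (unpack the APK and look for the exploit's marker string inside a bundled binary) can be automated. The following is an added example, not code from the Redditor or from Android Police; it treats the APK as a ZIP archive and scans every entry for the string quoted above. The sample archive and the entry name `assets/sample_payload` are constructed for the demonstration.

```python
import io
import zipfile

# Marker string quoted in the post above; all sample data below is constructed.
MARKERS = [b"CVE-2010-EASY Android local root exploit (C) 2010 by 743C"]
CHUNK = 64 * 1024


def scan_stream(stream, markers=MARKERS, chunk=CHUNK):
    """Return the set of markers found in a binary stream, reading in chunks."""
    keep = max(len(m) for m in markers) - 1  # overlap so boundary hits are not missed
    found, tail = set(), b""
    while True:
        block = stream.read(chunk)
        if not block:
            return found
        window = tail + block
        found.update(m for m in markers if m in window)
        tail = window[-keep:] if keep else b""


def scan_apk(apk, markers=MARKERS):
    """Map each APK (ZIP) entry name to the markers found in its contents."""
    hits = {}
    with zipfile.ZipFile(apk) as zf:  # raises zipfile.BadZipFile on a non-ZIP input
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:  # yields decompressed bytes
                found = scan_stream(member, markers)
            if found:
                hits[info.filename] = sorted(found)
    return hits


def build_sample_apk(infected):
    """Constructed in-memory APK-like ZIP, for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        if infected:
            payload = b"\x7fELF" + b"\x00" * 100 + MARKERS[0] + b"\x00"
            zf.writestr("assets/sample_payload", payload)  # hypothetical entry name
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(scan_apk(build_sample_apk(infected=True)))
```

A plain-text marker like this only catches payloads shipped unmodified; an empty result does not show that an APK is clean.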
Looks like you can’t be too sure even when you are downloading apps directly from the Android Market. It will be interesting to see if Google now starts to implement some sort of screening process to prevent such incidents in the future. Head over to Android Police for more details.