The Android Market incident that surfaced Wednesday, in which Google was forced to pull more than 20 apps that had been Trojaned, is the latest piece of evidence that the mobile app store model is broken and is setting users up for failure.
The details of the Android Market episode should be familiar by now. A handful of publishers in the market recently published several dozen apps that had been loaded with a piece of malware called DroidDream, which is capable of all kinds of nastiness. Among other things, the Trojan can grab a laundry list of information about the infected device and upload it to a remote server, and it can also download further malicious code, all in the background and without any interaction from the user.
This is hardly the first time that malware-infected apps have been found in a mobile app store, and there have been many examples of benign proof-of-concept apps, uploaded to app stores by researchers, that could have performed malicious actions. Google has responded by removing the most recent batch of malicious apps from the Android Market, and it has the ability to remotely remove the apps themselves from devices.
However, as Chris Wysopal of Veracode points out, wiping the apps from the phones doesn’t address the real problem, which is the persistent malware infection.
“The mobile devices are already compromised as the malware took advantage of kernel vulnerabilities to root the devices and download more malware that didn’t come through the app store. Anyone who ran the malicious apps now has a compromised device running software with root permissions that Google cannot wipe,” Wysopal wrote in a blog post. “The exact same thing could happen tomorrow even though we know what Android kernel exploit code was used and there are new versions of Android that fix these issues. This is because many Android phones cannot be updated to the new versions of Android, 2.2.2 and 2.3, that fix the root holes. Many Android phone providers have customized their versions of Android so up to half of Android phones running 2.0, 2.1, 2.2 are sitting ducks to the same problem tomorrow.”
Some of the same pieces that enabled this attack to take place on the Android Market also are in place in other app stores, such as the iTunes App Store. The lack of code review of new apps makes it relatively simple for attackers to get malicious apps into these repositories, and the implicit level of trust that users have in the app stores amplifies the effect.
The Android Market attack appears to have succeeded to a large degree, as somewhere north of 50,000 Android owners apparently downloaded at least one of the Trojaned apps. What the attackers plan or planned to do with those infected devices isn’t clear, but what is clear is that this kind of operation is the coming thing. Attackers know it, researchers know it and now users know it.