On March 1, news broke that dozens of malicious applications had made their way to Android Market, each infected with a rootkit that could grant hackers deep access to Android devices that installed them. Google removed the malicious applications from Android Market within a few minutes of being notified, but has otherwise remained silent on the situation. Until now (at 10PM on a Saturday…)
Google has now confirmed that 58 malicious applications were uploaded to Android Market, and that they were downloaded onto around 260,000 devices before Google removed the apps Tuesday evening. That number sounds alarmingly high, but Google believes that only device-specific information, namely the phone’s IMEI number, was compromised — and that no personal data or account information was ever transferred. Given that these apps were getting root access, this could have been a lot worse. Now the cleanup begins.
Beginning tonight, Google is going to invoke a special ‘remote kill’ function that allows it to remove these malicious applications from any affected Android devices with no action required from the user. Google will also be issuing a fully automated Android Market security update to infected devices that should remove the rootkit (again, no user action will be required). All affected users will be receiving email notifications about the situation as well.
Unfortunately, while Google can remotely fix affected devices, it can’t automatically patch the security hole that made the exploit possible in the first place. That’s because the hole exists on the system level, so it requires a system upgrade to resolve — and it’s up to the carriers and hardware manufacturers to deploy the fix. Google is issuing a patch and informing its partners that it is urgent, but who knows how long it will take the carriers to push it to users.
As if to underscore this problem, Google says that the exploit was actually already fixed in recent versions of Android, and that it only affects version 2.2.1 and lower. Unfortunately the vast majority of Android devices are still running older versions of the OS because of the aforementioned sluggish carrier updates.
Beyond these software updates, Google says that it’s taking steps to try to prevent similar malicious apps from making it onto Android Market. But it’s being vague on the details:
We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues.
The whole situation is pretty alarming for Android users (and I’m sure the email alerts Google will be issuing are going to spur even more user angst). Google wins some points for removing the affected applications within minutes of being informed of their malicious intent. But the fact that it is unable to distribute system security updates is unnerving — Google can downplay Android’s fragmentation issue all it wants, but when user security is at stake, we shouldn’t have to rely on the carriers.
And it’s also obviously alarming that the applications were accepted onto Android Market in the first place. Google doesn’t screen applications manually (even Apple doesn’t actually have a reviewer look through every application’s code), but hopefully it can institute some automated tools to better screen for malicious apps. Because if malware continues to creep into Market, users may become wary of downloading apps from developers they haven’t heard of, which would hurt the whole ecosystem.
Here’s the email that is being sent to affected Android users:
You are receiving this message to inform you of a critical issue affecting your Android Market account.
We recently discovered applications on Android Market that were designed to harm devices. These malicious applications (“malware”) have been removed from Android Market, and the corresponding developer accounts have been closed.
According to our records, you have downloaded one or more of these applications. This malware was designed to allow an unauthorized third-party to access your device without your knowledge. As far as we can determine, the only information obtained was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices, and the version of Android running on your device).
However, this malware could leave your device and personal information at risk, so we are pushing an Android Market security update to your device to remove this malware. Over the next few hours, you will receive a notification on your device that says “Android Market Security Tool March 2011” has been installed. You are not required to take any action from there; the update will automatically run. You may also receive notification(s) on your device that an application has been removed. Within 24 hours of receiving the update, you will receive a second email confirming its success.
To ensure this update is run quickly, please make sure that your device is turned on and has a strong network connection.
For more details, please visit the Android Market Help Center.
The Android Market Team