An Update on Android Market Security

Saturday, March 5, 2011 | 10:08 PM

On Tuesday evening, the Android team was made aware of a number of malicious applications published to Android Market. Within minutes of becoming aware, we identified and removed the malicious applications. The applications took advantage of known vulnerabilities which don’t affect Android versions 2.2.2 or higher. For affected devices, we believe that the only information the attacker(s) were able to gather was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices, and the version of Android running on your device). But given the nature of the exploits, the attacker(s) could access other data, which is why we’ve taken a number of steps to protect those who downloaded a malicious application:

  1. We removed the malicious applications from Android Market, suspended the associated developer accounts, and contacted law enforcement about the attack.
  2. We are remotely removing the malicious applications from affected devices. This remote application removal feature is one of many security controls the Android team can use to help protect users from malicious applications.
  3. We are pushing an Android Market security update to all affected devices that undoes the exploits to prevent the attacker(s) from accessing any more information from affected devices. If your device has been affected, you will receive an email from android-market-support@google.com over the next 72 hours. You will also receive a notification on your device that “Android Market Security Tool March 2011” has been installed. You may also receive notification(s) on your device that an application has been removed. You are not required to take any action from there; the update will automatically undo the exploit. Within 24 hours of the exploit being undone, you will receive a second email.
  4. We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues.

For more details, please visit the Android Market Help Center. We always encourage you to check the list of permissions when installing an application from Android Market. Security is a priority for the Android team, and we’re committed to building new safeguards to help prevent these kinds of attacks from happening in the future.


Rich Cannings, Android Security Lead

52 comments:

baloor said...

For devices vulnerable but unaffected currently you list no resolution.

You will be automating the install of the Android Market Security Tool March 2011 for those impacted by the problem. However, will you be prompting or notifying users vulnerable but unaffected?

Mohan V said...

I am Google fanboy.. I myself am wondering if you guys are letting your guard down a lot now days.. first the Gmail glitch.. then the Android Market glitch.. you guys need to seriously focus on fixing issues rather than touting your achievements. Sorry to be blunt but medicine is not very sweet to take.

Wombo said...

It is very very diffucult to totally eliminate all security holes in any product (Unless it only says 'Hello World'). It is good to see the proactive approach to eliminate the problem as soon as reasonably practical.

PucKo said...

Within minutes of becoming aware, we identified and removed the malicious applications.

This is where the problem is. You became aware because someone had a contact inside Google who alerted to right people.

According to one of the developers of the hijacked applications, he had tried for almost a week to get in contact with someone through the normal channels to correct the situation.

I am sorry if I sounds harsh, but Google are a master of data processing, and surely you should be able to pick up a distress call from a developer within hours instead of a week.

mehdi said...

I am curious. Where can we find more details bout those vulnerabilities ?

Matthew said...

I'd like to see any other company respond in such a timely manner.

JD-Salinger said...

awww... I think this is another downside of android fragmentations. units who can't upgrade their current android os from older versions is at risk

Rich said...

@PucKo -

That is one of the grievances of the Android Developers Union (AnDevUni.org)

sathya said...

These actions are too little too late! No need to tout about how soon Android team responded to a tip, but I would rather ask what was Android team thinking since it fixed the exploit in 2.2.2 and didn't bother to fix millions of other phones still vulnerable and mostly never see the update?

Pronoun said...

So Google has the power to remove something off my phone without user permission? This was a case where it was malicious code, so it doesn't seem that bad. Also, do they have this power on a rooted phone?

sathya said...

@Pronoun, have you read the fine prints from Android Market license agreement? Android team has permission to remotely delete any malicious app on our devices whether rooted or not! Rooting only gives us more control over our devices and not necessarily take away any permissions from Google.

Pronoun said...

@sathya Can they remove apps that are side-loaded or just Android Market apps? Like I said, in this case it is a good thing, but I don't like the idea of anyone but me controlling the apps on my phone. There should be an opt-out or just inform the people that bought the offending app and instruct them to remove the apps safely.

deblike said...

I don't like anybody to manipulate MY device, name it Google or anonymous attaker, either with a malicious app or a security app. It always means somebody else than you has access to your stuff.
Google should provide means to avoid this to happening, instead of "proactively" use it.

Bad Google! Bad boy!

Christopher said...

I find it interesting that Google has the power to remove applications remotely from my phone. While I approve this approach, I'm also curious as to why these rogue apps appeared on the Marketplace at all. Apple is going to have a field day with this story - we must tighten up security on the Android Marketplace.

mwgriffin said...

I'm glad to hear that google has taken actions to eliminate the malware that was found. However I do have two major concerns. First of all I think google needs to put into place preventative measures so that malware cannot find a home on the android market in the first place. I don't think that having a tighter grip on the android market would harm your reputation, in fact it would most likely do the oposite as people would feel safe downloading random applications. I don't think any of you want android to be associated with malware or having users have to pay for security software. Secondly you need to do one of two things in regards to fragmentation: take complete control over updates being pushed to phones, or force manufacturers and carriers to get them out within amreasonable time frame. You cannot let the fragmentation occuring continue. It is simply unacceptable. Not only from a security stand point, but also from the standpoint of easing development for developers and ensuring users have all of the feature their handsets can support. You should either implimet these changes now and increase android's dominance or watch as people gravitate towards mobile operating systems where they know that they will be secure and not left in obsolecence. I really love android and I want to see it grow, mature, and dominate the mobile ecosystem. Please listen to your users who are demanding action and want change! Thank you for your time,

A concerned android user

Mr. Le President said...

Ok, Guys, We need to help Google deal with this problem.

This is our platform, and so we needt o protect it as a community.

1. is there anywhere Google can show a list of all applications that are free submitted to the platform. We developers can download them and check each one. I really do not want to see the Android Market becoming the App Store.

2. Can we make apps from new and unknown developers take at least 1 week to appear in the Market while we check them out?

3. Can Google make sure that every dev who submits an app is throughly verified to make sure they know his Address, Phone number, and Credit card?

Stuff like that combined with a strong community support, might go a long way to protect us, and the platform.

I love Android and Android is the future. Let's guard it against the evils.

www.niravmanish.com said...

And you guys take a shot on Apple for its being too closed. You know they are closed for a good reason, security. Have you heard any malicious app has done something like this on iPhone? Yes, there have rejected a lot of apps, but thank God, they have protected their users from such a calamity like yours.

Tom Legrady said...

Apps should run in an unbreakable sandox; they should be capable of downloading data, not apps.

There's the related problem of apps which have uploaded information about the user. I presume these do so to sell user info to advertisers.

It is not sufficient to permit an app access to certain functions; the functionality needs to be further restricted by type, by time and condition, and needs to specify further use.

For example, a Sudoku game has no need to upload or download any data, unless it is to synchronize a leaders board. Permission to upload high scores and download leaders should specify what data is shared, and what use will be made of the data.

A program to warn other drivers of radar traps needs to send it's current GPS location, perhaps once a minute, when the app is running, and nothing, at any other time. In response to the current location, the server will respond with the locations of speed radar operations within a certain radius. Any further use of the data should be anonymized: the company might sell the information that X number of users pass some location every day, but it is unacceptable to map the movements of particular users.

The Android platform should log communications, generating reports about how much information, how frequently, each app communicated while it was running, while it was not running, while the system was supposedly sleeping, with optional breakdown by time-periods, with alert highlighting of communications in violation of the contract specified at installation time.

Tom Legrady

EricLarson said...

kudos!

about time, google!
:)

-eric
http://www.AllSanDiegoComputerRepair.com

Rates IT said...

Surprised no one here seems to have bothered SEARCHING for the Android Market Security Tool March 2011 app mentioned in this blog post... anyways here it is => https://market.android.com/details?id=com.android.vending.sectool.v1

Looks like it's installable for anyone. Now quit whining! Good of Google to properly respond, but ideally action should've been taken sooner.

Phrodo said...

Regarding point 4 of your statement and, as an Android user, i'm extremely concerned about this incident:

1.- What measures are being implemented in order to prevent this event happening again?.

2.- What kind of control, or monitoring, exists on Android market in order to prevent malicious apps being uploaded?

3.- Is Android market a free-for-all uploading market?, i mean, does anyone, without any verification by Google, can upload an application?. We don't want Apple's obsessive control but having a market without any kind of monitoring is worse, much much worse.

I think Google has a responsibility to ensure to the users of its platform that applications for it within the Android market do not pose any danger.

mail said...

@Matthew

I'd like to see any other company respond in such a timely manner

Are you mad?! This wasn't dealt with in a timely manner at all. As others have said people were trying to raise the alarm about this for some time before the story broke but Google wouldn't listen.

I'm sorry to say it but Apple have the right idea here. Unaudited code simply can't be allowed on platforms where malware checkers can't be deployed.

And another thing - The remove app 'killswitch' removal feature - That's just scary. If deemed malicious by Google they can remotely delete the app from my device and I just get a notification saying it's happened. Does anyone else see a couple of problems with this? What happens if someone hijacks this and declares every single app invalid? Everyone's devices get wiped? Great!

And I wonder what other back doors Google have built in to my device. What else can they do on my device without my consent?

Davros62 said...

@Mail
A correction is in order here to a popular misconception.

The initial notifications to Google were complaints about pirated clones of apps from the developers, not reports of security issues. Many devs have indeed complained about the time it takes for pirated apps to be verified and removed.

Howevever the report on the security issue from the Reddit guys to the Android security response team using the proper email notification process (not an informal communication to a 'guy they know at Google' at all)
was actioned immediately.

There is certainly an argument that the two processes coud benefit from some integration. Piracy reports should certainly be examined for security implications.

Also, Apple do not audit source code for iPhone apps , they review the compiled apps for style and behavior. Hidden code has got onto the app sore several times, despite Apple, and will again.

Lastly, other devices have a remote kill switch and have used it, including the iPhone.

Robert M. Enger said...

The remote removal tool can become a curse too. Lots of pundits claim that social media and mobile devices are key enablers of social uprising (eg what we saw in Egypt).

The Egyptian government is not all that tech savvy. Their reaction to the threat from technology was to shut down the Internet and mobile services; a two edged sword also causing economic damage.

Some countries are more sophisticated. They can levarage the Google remote control feature to selectively remove apps that may facilitate opposition. We should not have any illusions: Google WILL toe the line if the request comes from a western power (notably the US).

Peter said...

Is it known the title these dangerous apps are known by, so that they can be removed by the user?

Gerhard said...

What do you do about all the other apps that are copies of well known programs but are either buy-ware ore do need more permissions (i.e. Internet)?
Example: I've marked these two copies on the phone as "not appropriete" weeks ago:
Chess King
and Droidfish.
They're both copies of the popular game DroidFish Chess

Lars said...

Let's please not turn the Android store into another Apple AppStore.
Freedom implies less control, and hence more self-reliance.

That this could happen is good. It shows that the market is open.

I am more worried about Google being able to remotely alter my phone without my intervention.

Also remember that these apps exploited old security vulnerabilities that are long fixed.

Now, this is not to say we shouldn't get more tools to make better judgments. For example I'd like better control over the permissions of an app.

disasterpastor45A said...

Tens of thousands of us have been posting problems at YouTube Help for years and getting no answer. Everyday there is a new breakdown and dozens of posts about each one and previous problems and they are never answered properly. Google owns YouTube so we're talking http://www.google.com/support/forum/p/youtube?hl=en

I'm sure this lack of User Technical Support violates their DMCA Safe Harbor protection that saved them in a lawsuit against Viacom recently.

Paul Selormey said...

>> Rich Cannings, Android Security Lead
So, there is a security team and you are the lead? Sounds like a joke.

And Google is pushing for NFC on phones whose security is not guaranteed? Another joke.

Take the necessary steps to prevent developers from selling malicious applications on a market, which you created and can control - is this difficult to understand? This is different from downloading applications on the internet. Even internet download sites now certify applications to be free of malware. If you cannot handle just stop and let others like Amazon.com handle it.

It is that simple, stop selling the malicious applications to us - phones are closer to us than the PC, get it somebody!

ggravier said...

While I appreciate Google removing malicious software from my device, I am not sure that I like the idea that Google can unilaterally decide to remove stuff from my phone. If I installed it, I would at least want to be asked if I accept somebody else removing it...

nISHi said...

I agree completely with @Mr. Le President. Android is the future and we need to protect it from the evil. . .

Vatanak said...

I'm thinking about the possibility of the malicious Android applications, is it possible that Google make it up for popularity how good their os is. Be able to take care their customers, quick respond to the problem and present the solution. Is there any trick behind the scene or it truly happened. I might be wrong.

shree said...

well comparing iphone with an open source platform is ridiculous .. 1.The droiddream is just a beginning .. Its an indication that app store is not far away from getting affected ..

2. Android is their first target because of their increasing popularity .

3. If app store is affected as android market i am sure they wouldn't respond to it in this neat manner ...

Rob said...

@Wombo: Of course, you could create an App Store that requires that developers submit their code for review and then be able to catch garbage like this before it's released to the public...

Oh wait, there is one...

Wayne said...

The reason Google didn't act on this earlier may be it wants to test the water and see if it can apply Microsoft-like tactics too?

Accountability.

merrickg said...

As an owner of an HTC Legend (Android 2.1) that my carrier has decided to abandon, I am unable to get any additional security fixes unless they push it.

I would really like Google to re-unify the OS allowing the end user who own the handset to be able to update the devices to make them secure or to upgrade to the latest version without the intervention of the manufacturer or the carrier.

Chris said...

You guys are too slow - everybody was yelling "malicious applications", for how long, about a week, while there was dead silence from Google.

Don said...

So, when do we get 2.2.2 on the Captivate?

Dennis said...

You will be automating the install of the Android Market Security Tool March 2011 for those impacted by the problem. However, will you be prompting or notifying users vulnerable but unaffected?

Dennis Goms
Gotcha Covered Collections

Don Raymer said...

Too slow is right.

laurel said...

Right on, Tom Legrady!

PK said...

Malware, problems on a Linux based platform lol. I bet Microsoft is laughing their @ss off.

shree said...

@PK

u saying linux doesnt have vulnerabilities ?? .... it exists everywhere ... even linux has defects in them ..thing is hackers r nt smart enough to identify the architechture properly

Srikanth said...

All are blabbering now about google controlling your devices. Dont you people remember the Market application was upgraded without your knowledge. Now, since the issue came up all started commenting. If you were unaware that google can install apps on your devices without your permission, then you dont care what happens, you are just over reacting. Know your device first..

MacCooler said...

Who do you people think you are? You have NO business deleting ANYTHING off my phone. Once again Google proves IT CAN NOT BE TRUSTED. Wake up people.

Google = Amazon = Evil

How can you people NOT be upset that Google the LEAST trusted company on the planet can do whatever it wants ON YOUR phone? Are you insane?

As for Srikanth, what planet are you on? Not everyone is a loser like you: living online, onphone, and alone.

wy said...

Ya, how can the app be deleted remotely without the owner consent? What about the data?

maria said...

I applaud google for the swift action. Mobile platforms are relatively immature, and it *is* going to happen. Apple isn't immune with 2 processor viruses and viruses detected on their market since 2008. The only problem I have is that I received the security update e-mail, but have manually removed the malicious apps myself *and* installed 2.3.3 which is not vulnerable.

Jurnal Parkour said...

Nice Info...

Mohit said...

hey guys, what do you think that removing any application by google remotely will pose a treat to users privacy and security. We know this is done to remove the malwares but this shows that google have powers to install any application to your mobile remotely and how can be sure that this will not be misused.

Beside removing it automatically, why they can't provide a patch kind of think to install and remove the malware apps manualy. Similar way Apple does.

Share your views.....

shree said...

@mohit

that may be because google's aim is to make every1 using their software secured ... so if u keep a patch kind of thing some users may not necessarily download it .. It may lead them unsecured .

Muhammad Azeem said...

This is a nice article..
Its very easy to understand ..
And this article is using to learn something about it..

c#, dot.net, php tutorial

Thanks a lot..!

akira_ag said...

I very like Google Android, Google services! But there are some troubles that can some customers alienate from Android.
I've published small presentation where you can find very simple ideas and I hope it's help to Google and ofc to all us.

https://docs.google.com/present/view?id=dgf4f36d_68gcdx9x79&interval=60

Maybe this is wrong place for this message, but I don't find any other better. Thank you!