Android Market malware scare: Google nukes 21 Trojan apps

Is the sky falling in on Google's Android Market? It was marketing 21 Trojans apps yesterday. Google didn't react to developers' complaints until the issue got popular on Reddit. Could it happen on the iOS App Store, or is Apple's lockdown too tight?

Apps released by developers under the names “Kingmall2010?, “we20090202?, and  “Myournet” contain ... malware and have been pulled from the Android Market. ... The apps reportedly could compromise a user’s personal data. ... .
...
The malware attack shows that Android’s big advantage ... openness that gives it an edge over Apple ... is also Android’s biggest disadvantage. ... While Apple screens its apps, Google allows just about anybody to upload apps into the Android Market.

Someone just ripped off 21 popular free apps from the market, injected root exploits into them and republished. ... I just randomly stumbled into one of the apps, recognized it. ... The apps seem to be at least posting the IMEI and IMSI codes to [link redacted] which seems to be located in Fremont, CA. ... The apps are also installing another embedded app.
...
I just received a reply to an e-mail I sent out to one of the developers affected: ... "I have been trying for more than a week now to get Google to do something about it ... through every avenue I could think of, but haven't had a response yet."
...
Some sort of moderation, or at least quicker reaction to malware complaints would be nice.

It does indeed root the user’s device via rageagainstthecage or exploid. But ... it does more than just yank IMEI and IMSI ... it steals nearly everything it can: product ID, model, partner (provider?), language, country, and userID. But ... the true pièce de résistance is that it has the ability to download more code ... the possibilities are nearly endless.
...
They've been pulled ... as well as remotely removing them from user’s devices. Unfortunately, that doesn’t remove any code that’s already been backdoored in. ... This is the ultimate Android Trojan to date, and it’s already been downloaded over 50,000 times.
...
The [list of] offending apps: ...

If you’ve downloaded one of these apps, it might be best to take your device to your carrier and exchange it for a new one, since you can’t be sure that your device and user information is truly secure. Considering how much we do on our phones — shopping and mobile banking included — it’s better to take precautions..

This misadventure also highlights another reason why the Android Market isn’t raking in nearly as much cash as the iOS App Store – the ease of piracy. ... A lot of criticism is levelled at Apple for their App Store submission policies, but you certainly wouldn’t ever see this happening on their watch.
...
[This] has become such an issue on Android that Google announced not long ago it had an actual team of humans actively scouring the App Market. ... Why this specialist team didn’t identify these nefarious Apps ... remains a mystery.

The trick is to pay attention while the app is installing, since the malicious app will ask for excessive permissions. ... Hackers tweaking legitimate apps to carry Trojans is not a new idea and smartphones will continue to be targeted for mobile malware.

• Subscribe to the Computerworld Blogs newsletter
• Catch up with posts from the previous few days

Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: itbw@richij.com.