Richi Jennings

Google Android Market kills Droid Dream malware in Trojans

March 07, 2011 5:52 AM EST

Here comes Google with its remote kill switch. The company's using its great power to remove Trojans from users' Android devices. If you downloaded a rogue Trojan from the Android Market last week, expect email from la GOOG explaining how it's murdered your malware. Also, the vulnerability that the Droid Dream rootkit exploits is patched.


Google has flipped the remote kill switch for the 60-odd Trojans that contained the Droid Dream malware rootkit. It's also closing the vulnerability that the rootkit exploited. In IT Blogwatch, bloggers ponder the perils of the kill switch.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention The Ten Most Sinister Cereal Box Mascots… EVER!


Dean Takahashi details Google's response to the incident:
The company says the malicious apps were downloaded to 260,000 devices before Google removed them. ... The phone’s IMEI number (which identifies a device) was leaked, but no other personal data or account information was transferred. ... The whole incident has created a big scare about mobile security.
...
The user doesn’t have to do anything. Google will automatically send a security update ... that should remove the malware, known as a root kit. Users will receive an email notification about it. ... Google said it is taking steps to stop this from happening again. But it’s not saying what it is doing. ... Google doesn’t screen apps. Rather, it institutes some security for users by requiring apps to notify users ... whenever they intend to access sensitive information.
 
Ryan Paul adds:
The programs exploited a vulnerability in the platform that allows attackers to gain root access and ... deploy further malware. ... The company is also pushing out an update to the Android Market that can reverse the exploit.
...
The bug is fixed in Android 2.2.2. ... Google is [also] making a patch available, but it's going to be up to the carriers and handset makers to make sure that the patch gets deployed. In light of the mobile industry's poor track record ... it's possible that this flaw will continue to be exploitable on a considerable number of handsets. ... It's troubling that many users will have to rely on the mobile carriers in order to get critical security updates.

Google's Rich Cannings blogs thuswise:
Within minutes of becoming aware, we identified and removed the malicious applications. The applications took advantage of known vulnerabilities which don’t affect Android versions 2.2.2 or higher. ... [The] remote application removal feature is one of many security controls the Android team
...
If your device has been affected, you will receive an email from android-market-support@google.com over the next 72 hours. ... You are not required to take any action ... the update will automatically undo the exploit.

Seth Weintraub notes that the situation's worse than we thought last week:
Since Droid Police initially found the 21 apps, a security firm has found 30 more apps by a few more developers. ... It is baffling to me that ... apps like these were able to make it to the market in the first place and hopefully measures are put in place so that ... [this] can't repeat in the future.
...
Google has contacted law enforcement. As far as I know, this is the first time. ... The kill switch process in itself is controversial because it can't be stopped by the user. ... I don't see users becoming upset over this issue, however.

Meanwhile, Charlie White has kill-switch background:
Google’s had this kill switch in place since 2008, and it used the remote application removal capability for the first time in June, 2010. ... The kill switch is not going to completely fix this problem ... [unless] an Android phone is running the latest software.

Dude, Joe Wilcox is all, totally, like, "whoa" and stuff:
Whoa. That's scary reassuring: Knowing Google can reach down to Android handsets to swat malicious code ... and simply that Google can reach down into devices at all. I mean whoa.
...
I've got mixed feelings about the remote removal capabilities, which gives me mixed feelings of security and sense of Big Brother watching.
 
But Cade Metz reminds us that it's not just Android:
Apple maintains its own "kill switch" for the iPhone. In 2008, an iPhone hacker told the world that Apple had added an app kill switch to the iPhone. ... "Hopefully, we never have to pull that lever," Jobs said, "but we would be irresponsible not to have a lever like that to pull."

And Finally...
The Ten Most Sinister Cereal Box Mascots… EVER!
[Warning: a few swears and other unsavory content]
 
 
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: itbw@richij.com.
You can also read Richi's full profile and disclosure of his industry affiliations.