Hackers may have stolen details of up to 120,000 mobile phone users by infecting applications (apps) sold to users of Google’s Android operating system, security researchers have said.
The researchers claim that hackers used malware, which is maliciously coded software, to infect more than 30 apps that users may have downloaded.
“This weekend, multiple applications available in the official Android Market were found to contain malware that can compromise a significant amount of personal data,” Tim Wyatt of Lookout mobile security said in a blog.
“At this point we believe between 30,000 and 120,000 users have been affected,” Wyatt said.
“Google has removed all of the apps known to be infected from the Android Market while they investigate,” Wyatt said.
Phone users do not have to access the apps on their phones to trigger the hack, Wyatt said.
The phone’s identity number, the number the phone sends when it connects to the user’s network, details of the handset model and information about what other software is on the phone are all sent to the hackers when the infected apps are installed, Wyatt said.
“It appears that the [malicious software] is also capable of downloading and prompting installation of new packages, though unlike its predecessors it is not capable of doing so without user intervention,” Wyatt said.
“The malicious developer has inserted code that triggers when the phone receives a text message,” Mikko Hypponen, Chief Research Officer with security researchers F-Secure, said in a blog.
“The added code will connect to a server and send details about the infected handset to the malware authors,” Hypponen said.
Researcher Tim Wyatt said he became aware of the issue when a developer said that his application, and that of another developer, had been altered and then made available for download to users of the Android app market.
Lookout found that the malicious code in the manipulated apps was similar to code present in other infected apps during a hack reported in March, Wyatt said.
“Our security team confirmed that there was malicious code grafted into these apps and identified markers associating this code with previously analyzed … samples,” Wyatt said in the blog.
Wyatt said that, to establish whether an app is safe to download, Android phone users should only download apps from trusted sources, assess the name of the developer and the app’s reviews, and check that the app does not ask for permissions it is unlikely to need to operate.
Phone users should download a mobile security app and be alert to unusual behaviour on their devices, Wyatt said.
“This behaviour could be a sign that your phone is infected. These behaviours may include unusual [text messages] or network activity,” Wyatt said.
Google did not respond when asked for a comment.
Last month the internet giant had to fix a problem that researchers discovered existed in almost all Android-supported devices. Hackers could gain access to phone users’ log-in details, to Google Calendar, Google Contacts and possibly other services by intercepting a phone’s attempts to connect to Wi-Fi networks, the researchers claimed.
This piece of malware is the second iteration of a previous threat, known as “DroidDream”, which hit the platform last March and had the ability to download malicious packages onto the device.
This new malware, known as “DroidDreamLight”, is essentially similar to the previous version: it uses fake Android apps on the Android Market in order to spread and, just like the original “DroidDream”, it is able to download malicious packages onto the infected device. However, unlike its predecessor, it can’t download those in the background, meaning that the risk of infection is much lower, although it can still harm unsuspecting users. “DroidDreamLight” can also contact remote servers even when the infected app isn’t running, making the threat more dangerous. Once an infected app is downloaded, the malware will immediately send out information about the device’s specifications to a remote server:
Malicious components of DroidDream Light are invoked on receipt of an android.intent.action.PHONE_STATE intent (e.g. an incoming voice call). DroidDream Light is not, therefore, dependent on manual launch of the installed application to trigger its behavior. The broadcast receiver immediately launches the <package>.lightdd.CoreService which contacts remote servers and supplies the IMEI, IMSI, Model, SDK Version and information about installed packages.
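The trigger described in the Lookout analysis above can be checked for in an app's manifest. The following is an added example, not code from Lookout or from the original post: it assumes the AndroidManifest.xml has already been decoded to plain-text XML, and the package name `com.example.stopwatch` and receiver class `Receiver` in the sample are constructed. The SMS action is included to cover the text-message trigger F-Secure describes.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Broadcast actions that fire without the user ever opening the app.
PASSIVE_TRIGGERS = {
    "android.intent.action.PHONE_STATE",        # named in the Lookout analysis
    "android.provider.Telephony.SMS_RECEIVED",  # standard incoming-SMS action
}
SERVICE_MARKER = ".lightdd.CoreService"         # suffix from the Lookout analysis


def full_name(package, name):
    """Resolve a manifest class name relative to the package, as Android does."""
    if name.startswith("."):
        return package + name
    return name if "." in name else package + "." + name


def scan_manifest(xml_text):
    """Return a sorted list of (kind, component, detail) findings."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    findings = []
    for receiver in root.iter("receiver"):
        comp = full_name(package, receiver.get(ANDROID_NS + "name", ""))
        for action in receiver.iter("action"):
            act = action.get(ANDROID_NS + "name", "")
            if act in PASSIVE_TRIGGERS:
                findings.append(("passive-trigger", comp, act))
    for service in root.iter("service"):
        comp = full_name(package, service.get(ANDROID_NS + "name", ""))
        if comp.endswith(SERVICE_MARKER):
            findings.append(("lightdd-service", comp, SERVICE_MARKER))
    return sorted(findings)


# Constructed sample manifest (not taken from a real sample).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.stopwatch">
  <application>
    <receiver android:name=".lightdd.Receiver">
      <intent-filter><action android:name="android.intent.action.PHONE_STATE"/></intent-filter>
    </receiver>
    <service android:name=".lightdd.CoreService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(scan_manifest(SAMPLE))
```

A receiver on one of these actions is common in legitimate apps too, so a "passive-trigger" finding is a reason to look closer (for example in a stopwatch or flashlight app), while the service-name match is the marker specific to this family.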
The malware’s authors have modified reputable Apps commonly available from the Android Market and repackaged them with the infected code. The fake Apps were then submitted back to Google’s own Android Market using 5 different developer accounts. Please stay alert if you’ve downloaded any of the following Apps recently:
- Magic Photo Studio
- Sexy Girls: Hot Japanese
- Sexy Legs
- HOT Girls 4
- Beauty Breasts
- Sex Sound
- Sex Sound: Japanese
- HOT Girls 1
- HOT Girls 2
- HOT Girls 3
- Floating Image Free
- System Monitor
- Super StopWatch and Timer
- System Info Manager
- Call End Vibrate
- Quick Photo Grid
- Delete Contacts
- Quick Uninstaller
- Contact Master
- Brightness Settings
- Volume Manager
- Super Photo Enhance
- Super Color Flashlight
- Paint Master
- Quick Cleaner
- Super App Manager
- Quick SMS Backup
Infected applications have already been removed from Android’s marketplace, but be on the lookout, since there’s the possibility that this threat might arise once again.
How to protect yourself: Download an anti-malware program for Android, such as Lookout, AVG for Android and SmartGuard Mobile Security, and keep it updated. We’re going to start taking the security of our smartphones as seriously as the security of our PCs.
An open platform such as Android has certainly brought many benefits, but just as many shortfalls. The fact that there’s no approval process for Android apps makes the platform incredibly vulnerable, especially due to its rising popularity. Please download an anti-malware application to ensure your device’s safety.