Toxic Plankton feeds on Android Market for two months

Google never said it wouldn't


The security of Google Android has once again been called into question after an academic researcher discovered 12 malicious apps hosted in the operating system's official applications market, some that had been hosted there for months and racked up hundreds of thousands of downloads.

Ten of the apps reported last week by North Carolina State University professor Xuxian Jiang contained highly stealthy code that collected users' browsing history, bookmarks, and device information and sent them to servers under the control of the attackers. The professor said they also contained a backdoor largely made possible by a weakness documented at a security conference 12 months ago that allows Android apps to be surreptitiously updated.

The malicious titles also contained functions that allowed the developers to collect login credentials for Facebook, Gmail, and other accounts, although Jiang didn't find any evidence they were actively used. Carrying titles such as "Angry Birds Rio Unlock," the apps posed as legitimate programs. At least one of them was hosted in the Google-sponsored bazaar for more than two months and was downloaded more than 200,000 times, said Jiang, who added that they were yanked within hours of him alerting the company's security team.

One of the malicious apps Jiang found

Two additional apps contained code that racked up expensive phone bills by sending text messages to premium services.

A Google spokesman said there was no evidence the apps had been used to compromise any Google user accounts, but otherwise declined to discuss Jiang's findings. Instead, he offered what's becoming a standard response when malware is discovered in its software forum:

“We're aware of and have suspended a number of suspicious applications from Android Market,” he wrote in an email. “We remove apps and developer accounts that violate our policies.”

Jiang's discovery follows a separate rash of malicious apps, dubbed “DroidDream,” that hit the Android Market two weeks ago. More than two dozen titles had to be pulled after third-party researchers reported them to Google. The trojans had been downloaded as many as 120,000 times.

Is there a policeman in the Market?

In most respects, Google leads the pack when it comes to policing the security of its users. Unlike Microsoft, which has admitted to attacks on Hotmail users only after they were disclosed by third parties, Google has proactively warned of attacks affecting users on multiple occasions.

It has also assembled a brain trust of some of the most respected security researchers in the world. Their work has gone a long way to developing a web browser, a stable of web-based applications, and other services whose security is second to none. Google has also shown leadership by being among the first to fortify its services with other useful security features, including a two-step verification process and automatic warnings of suspicious logins to a user's account.

Android is clearly an exception. The backdoor contained in the rogue applications discovered by Jiang adopted a technique that closely mimics the “rootstrap” proof-of-concept exploit released in June 2010 by researcher Jon Oberheide. The apps actively exploited a significant omission in the Android security model that Google has shown no signs of fixing.

“This is something that's unique to Android because it doesn't have any sort of code-signing guarantees like the iPhone has,” Oberheide told The Register on Friday. “On iPhones, when you publish an app to the app market, Apple signs whatever code is distributed with the application that says you can only execute this code. You can't easily pull down new code over the internet and execute it.”

The apps discovered by Jiang were under no such restrictions, making it easy for them to pull down, at any time, new code that greatly expanded their capabilities, so long as that code operated within the permissions the user granted when the app was first installed. As a result, apps that look safe at the time of download can lurk on a phone for months or years and only later pull down new code that vastly changes their behavior.

“I tried to put pressure on Google a year ago by publishing this rootstrapping stuff, saying you need to be doing similar code signing as Apple,” Oberheide continued. “This would at least provide some guarantee about the code the application is going to execute.”

To be sure, code signing isn't a silver bullet that completely prevents apps from downloading new code and executing it at run time. Apps running on Apple's iOS theoretically could do the same thing by sneaking what's known as an interpreter into a rogue app, or by adopting a tedious development technique known as return-oriented programming, or ROP. Almost no security researcher would disagree, however, that code signing significantly raises the bar to such attacks.

Code signing also helps prevent or lessen the effects of entire classes of exploits, such as those that corrupt memory.

In an email, the Google spokesman responded: "Code signing, as discussed in various public forums, does not guarantee that a malicious application cannot run untrusted code. Regardless of the platform, it doesn't prevent an application from executing code from the Internet."
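What the guarantee Oberheide describes boils down to, as an added example that is not code from the article, from Apple or Google, or from Oberheide's rootstrap work: a loader that is shipped with one trusted public key and runs a module only after the signature over it verifies. A module pushed from a server whose operator does not hold the signing key, or one altered in transit, is refused before any of its bytes are looked at. Ed25519 is used here for brevity and is an assumption of the example, not the scheme either platform uses; "running" the module is stood in for by recording its digest. Google's caveat still applies: the gate covers only code that passes through the loader, not data that already-signed code chooses to interpret.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what a signed-update channel delivers: the module bytes plus the
// publisher's signature over them.
type Update struct {
	Module    []byte
	Signature []byte
}

// ErrUntrusted is returned for anything the trusted key did not sign: a module
// from a server whose operator lacks the key, one altered in transit, or one
// with no signature at all.
var ErrUntrusted = errors.New("module rejected: signature does not verify under the trusted key")

// Loader holds the one public key it was shipped with and refuses to run a
// module until the signature check passes.
type Loader struct {
	trusted ed25519.PublicKey
	loaded  []string
}

func NewLoader(trusted ed25519.PublicKey) *Loader { return &Loader{trusted: trusted} }

// Load is the gate. Recording the module's digest stands in for executing it;
// the point is that verification decides whether that happens.
func (l *Loader) Load(u Update) (string, error) {
	if len(l.trusted) != ed25519.PublicKeySize || !ed25519.Verify(l.trusted, u.Module, u.Signature) {
		return "", ErrUntrusted
	}
	sum := sha256.Sum256(u.Module)
	id := fmt.Sprintf("%x", sum[:8])
	l.loaded = append(l.loaded, id)
	return id, nil
}

// Loaded reports which modules got through the gate.
func (l *Loader) Loaded() []string { return l.loaded }

// NewPublisherKeys generates a fresh key pair (nil reader means crypto/rand).
func NewPublisherKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil)
}

// SignUpdate is the publisher side: only the holder of the private key that
// matches the loader's trusted public key can produce an accepted Update.
func SignUpdate(priv ed25519.PrivateKey, module []byte) Update {
	return Update{Module: module, Signature: ed25519.Sign(priv, module)}
}

func main() {
	pub, priv, err := NewPublisherKeys()
	if err != nil {
		panic(err)
	}
	l := NewLoader(pub)

	// Legitimate update from the key holder (constructed sample bytes).
	id, err := l.Load(SignUpdate(priv, []byte("module v2: constructed sample")))
	fmt.Println("signed update:", id, err)

	// The same update with one byte flipped after signing, which is all a
	// third party without the key can deliver.
	tampered := SignUpdate(priv, []byte("module v2: constructed sample"))
	tampered.Module[0] ^= 0x01
	_, err = l.Load(tampered)
	fmt.Println("tampered update:", err)

	// A module signed with somebody else's key.
	_, otherPriv, _ := NewPublisherKeys()
	_, err = l.Load(SignUpdate(otherPriv, []byte("module v3: constructed sample")))
	fmt.Println("foreign signer:", err)

	fmt.Println("modules executed:", l.Loaded())
}
```

Run as a program, the first update is accepted and the other two are refused, leaving exactly one module on the executed list. The design choice worth noticing is that the verify key is fixed before any update arrives; a loader that fetched its trust anchor from the same server as the payload would guarantee nothing.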

The adoption of Oberheide's rootstrapping technique is a sign that real-world criminals have taken notice of Android's lack of code signing and are beginning to exploit it. By combining it with Google's failure to vet the security of apps hosted in the Android Market, the company's mobile OS is perhaps the weakest link in a security chain that otherwise is among the strongest in the industry.

The rogue apps' backdoor worked by periodically querying a server for executable files that run under Android's Dalvik virtual machine. With no code signing in Android, the files could bypass standard techniques used to detect malicious code, giving the attackers an easy way to push new payloads to compromised handsets. This capability could prove especially useful in exploiting vulnerabilities that are discovered months or years after the rogue application was installed.
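The fetch-and-load capability described here and in the earlier paragraph on apps pulling down new code is something a reviewer can look for statically, because the classes an app uses are named in its DEX string pool. The following is an added example, not code from the article, from Jiang's analysis, or from any Android tooling: a minimal parser for the DEX string table plus a triage rule that flags an app when it references both a runtime code-loading API and a networking class. `dalvik.system.DexClassLoader` is the Android API for loading a DEX file at run time; which API Plankton itself used is not stated in the article, so the indicator list is this example's assumption. The DEX images are constructed in `BuildDex` from two made-up string pools.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
)

// DEX header layout (published format); only the fields needed to reach the
// string pool are used.
const (
	dexMagic         = "dex\n035\x00"
	dexHeaderSize    = 0x70
	offStringIdsSize = 0x38
	offStringIdsOff  = 0x3c
)

// Descriptors meaning the app can run code it did not ship with (runtime DEX
// loading, native exec), and descriptors meaning it talks to the network.
var dynamicLoadIndicators = map[string]bool{"Ldalvik/system/DexClassLoader;": true, "Ldalvik/system/PathClassLoader;": true, "Ljava/lang/Runtime;": true}
var networkIndicators = map[string]bool{"Ljava/net/URL;": true, "Ljava/net/HttpURLConnection;": true, "Ljava/net/Socket;": true}

// ExtractDexStrings returns the string pool. Every class descriptor and method
// name the app references lives there, so the pool alone supports triage.
func ExtractDexStrings(dex []byte) ([]string, error) {
	if len(dex) < dexHeaderSize || string(dex[:8]) != dexMagic {
		return nil, errors.New("not a DEX 035 file")
	}
	count := uint64(binary.LittleEndian.Uint32(dex[offStringIdsSize:]))
	tableOff := uint64(binary.LittleEndian.Uint32(dex[offStringIdsOff:]))
	if tableOff+4*count > uint64(len(dex)) {
		return nil, errors.New("string_ids table out of range")
	}
	out := make([]string, 0, count)
	for i := uint64(0); i < count; i++ {
		// string_data_item: ULEB128 UTF-16 length, then NUL-terminated MUTF-8
		// bytes (plain ASCII in these fixtures). Skip the length prefix.
		off := uint64(binary.LittleEndian.Uint32(dex[tableOff+4*i:]))
		for off < uint64(len(dex)) && dex[off]&0x80 != 0 {
			off++
		}
		if off++; off >= uint64(len(dex)) {
			return nil, errors.New("string_data offset out of range")
		}
		end := bytes.IndexByte(dex[off:], 0)
		if end < 0 {
			return nil, errors.New("unterminated string_data")
		}
		out = append(out, string(dex[off:off+uint64(end)]))
	}
	return out, nil
}

// Triage lists the indicator descriptors found. Both capabilities together are
// exactly what a fetch-new-code-and-run-it backdoor needs: the review trigger.
type Triage struct{ DynamicLoad, Network []string }

func (t Triage) CanFetchAndRunCode() bool { return len(t.DynamicLoad) > 0 && len(t.Network) > 0 }

func TriageDex(dex []byte) (Triage, error) {
	strs, err := ExtractDexStrings(dex)
	if err != nil {
		return Triage{}, err
	}
	var t Triage
	for _, s := range strs {
		switch {
		case dynamicLoadIndicators[s]:
			t.DynamicLoad = append(t.DynamicLoad, s)
		case networkIndicators[s]:
			t.Network = append(t.Network, s)
		}
	}
	return t, nil
}

// BuildDex assembles a minimal DEX 035 image: header plus the given string
// pool. Constructed fixture, not a real app; strings must be ASCII and under
// 128 bytes so each ULEB128 length fits in one byte.
func BuildDex(strs []string) []byte {
	out := make([]byte, dexHeaderSize+4*len(strs)) // header + string_ids table
	copy(out, dexMagic)
	binary.LittleEndian.PutUint32(out[offStringIdsSize:], uint32(len(strs)))
	binary.LittleEndian.PutUint32(out[offStringIdsOff:], dexHeaderSize)
	for i, s := range strs {
		binary.LittleEndian.PutUint32(out[dexHeaderSize+4*i:], uint32(len(out)))
		out = append(out, byte(len(s)))
		out = append(out, s...)
		out = append(out, 0)
	}
	return out
}

// Constructed pools: a wallpaper app with the fetch-and-load capability and an
// ordinary notes app that has neither indicator.
var updaterStrings = []string{"Lcom/example/wallpaper/MainActivity;", "onCreate", "Ljava/net/URL;", "openConnection", "Ldalvik/system/DexClassLoader;", "loadClass", "payload.jar"}
var benignStrings = []string{"Lcom/example/notes/MainActivity;", "onCreate", "Landroid/widget/TextView;", "setText"}
```

`TriageDex(BuildDex(updaterStrings))` reports `DexClassLoader` and `java.net.URL` and trips `CanFetchAndRunCode`; the notes app reports nothing. The parser refuses images whose string table or string data run past the end of the file, which matters when the input is an untrusted APK rather than a fixture. The heuristic is a triage signal, not a verdict: legitimate apps also load code dynamically, which is why it points a human reviewer at the app rather than blocking it.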

Jiang has more details here about the malware, which is dubbed Plankton.

But wait, there's more

Add to all of this Google's own admission that more than 90 percent of Android users are running older versions of the mobile operating system that contain serious kernel vulnerabilities. That gives attackers an easy way to bypass Android's security sandbox that's supposed to limit the data and resources each app is allowed to access.

Then remember that Google makes no promises to vet the security of apps hosted in its own store, and it's easy to see why users have good reason to be wary of the platform.

“The ball is in Google's court here,” Oberheide said. “They need to harden the platform a bunch. They have their hands full now.” ®
