Toxic Plankton feeds on Android Market for two months

Google never said it wouldn't


The security of Google Android has once again been called into question after an academic researcher discovered 12 malicious apps hosted in the operating system's official applications market, some that had been hosted there for months and racked up hundreds of thousands of downloads.

Ten of the apps reported last week by North Carolina State University professor Xuxian Jiang contained highly stealthy code that collected users' browsing history, bookmarks, and device information and sent them to servers under the control of the attackers. The professor said they also contained a backdoor largely made possible by a weakness documented at a security conference 12 months ago that allows Android apps to be surreptitiously updated.

The malicious titles also contained functions that allowed the developers to collect login credentials for Facebook, Gmail, and other accounts, although Jiang didn't find any evidence they were actively used. Carrying titles such as "Angry Birds Rio Unlock," the apps posed as legitimate programs. At least one of them was hosted in the Google-sponsored bazaar for more than two months and was downloaded more than 200,000 times, said Jiang, who added that they were yanked within hours of him alerting the company's security team.

Screenshot: one of the malicious Android apps discovered by Jiang

Two additional apps contained code that racked up expensive phone bills by sending text messages to premium services.

A Google spokesman said there was no evidence the apps had been used to compromise any Google user accounts, but otherwise declined to discuss Jiang's findings. Instead, he offered what's becoming a standard response when malware is discovered in its software forum:

“We're aware of and have suspended a number of suspicious applications from Android Market,” he wrote in an email. “We remove apps and developer accounts that violate our policies.”

Jiang's discovery follows a separate rash of malicious apps, dubbed “DroidDream”, that hit the Android Market two weeks ago. More than two dozen titles had to be pulled after third-party researchers reported them to Google. The trojans had been downloaded as many as 120,000 times.

Is there a policeman in the Market?

In most respects, Google leads the pack when it comes to policing the security of its users. Unlike Microsoft, which has admitted to attacks on Hotmail users only after they were disclosed by third parties, Google has proactively warned of attacks affecting users on multiple occasions.

It has also assembled a brain trust of some of the most respected security researchers in the world. Their work has gone a long way to developing a web browser, a stable of web-based applications, and other services whose security is second to none. Google has also shown leadership by being among the first to fortify its services with other useful security features, including a two-step verification process and automatic warnings of suspicious logins to a user's account.

Android is clearly an exception. The backdoor contained in the rogue applications discovered by Jiang adopted a technique that closely mimics the “rootstrap” proof-of-concept exploit released in June 2010 by researcher Jon Oberheide. The apps actively exploited a significant omission in the Android security model that Google has shown no signs of fixing.

“This is something that's unique to Android because it doesn't have any sort of code-signing guarantees like the iPhone has,” Oberheide told The Register on Friday. “On iPhones, when you publish an app to the app market, Apple signs whatever code is distributed with the application that says you can only execute this code. You can't easily pull down new code over the internet and execute it.”

The apps discovered by Jiang were under no such restrictions, making it easy for them to pull down new code at any time that greatly expanded their capabilities as long as they operated within the same permissions the user gave when they were first installed. As a result, apps that look safe at time of download can lurk on a phone for months or years and only later pull down new code that vastly changes their behavior.

“I tried to put pressure on Google a year ago by publishing this rootstrapping stuff, saying you need to be doing similar code signing as Apple,” Oberheide continued. “This would at least provide some guarantee about the code the application is going to execute.”

To be sure, code signing isn't a silver bullet that completely deters apps from downloading new code and executing it at run time. Apps running on Apple's iOS theoretically could do the same thing by sneaking what's known as an interpreter into a rogue app, or by adopting a tedious developer process known as ROP, or return oriented programming. Almost no security researcher would disagree, however, that code signing significantly raises the bar to such attacks.

Code signing also helps prevent or lessen the effects of entire classes of exploits, such as those that corrupt memory.

In an email, the Google spokesman responded: "Code signing, as discussed in various public forums, does not guarantee that a malicious application cannot run untrusted code. Regardless of the platform, it doesn't prevent an application from executing code from the Internet."

The adoption of Oberheide's rootstrapping technique is a sign that real-world criminals have taken notice of Android's lack of code signing and are beginning to exploit it. By combining it with Google's failure to vet the security of apps hosted in the Android Market, the company's mobile OS is perhaps the weakest link in a security chain that otherwise is among the strongest in the industry.

The rogue apps' backdoor worked by periodically querying a server for executable files that run under Android's Dalvik virtual machine. With no code signing in Android, the files could bypass standard techniques used to detect malicious code, giving the attackers an easy way to push new payloads to compromised handsets. This capability could prove especially useful in exploiting vulnerabilities that are discovered months or years after the rogue application was installed.
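An app that pulls down Dalvik executables and runs them, as described above, has to reference one of Android's runtime class loaders somewhere in its own bytecode, and those references survive in the DEX string table even when the payload itself is fetched later. The following is an added example, not code from the article, from Jiang, or from Google: a small Python parser that walks a DEX file's header and string table and flags the class-loader descriptors. The indicator list and the minimal DEX fixture it scans are assumptions of this example (the fixture carries only a header and string table, with zeroed checksum and signature, so it is a test input rather than an installable app); the format offsets follow the published DEX layout.

```python
import struct

# Descriptors an app needs in order to load Dalvik code at runtime.
# Assumption of this example: this list is a heuristic, not an exhaustive one.
INDICATORS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/DexFile;",
)

DEX_MAGIC = b"dex\n035\x00"
HEADER_SIZE = 0x70


def read_uleb128(buf, off):
    """Decode an unsigned LEB128 value; return (value, offset after it)."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def encode_uleb128(value):
    """Encode an unsigned integer as LEB128 (used only to build the fixture)."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def dex_strings(dex):
    """Return every entry of the DEX string table, in index order."""
    if dex[:4] != b"dex\n" or len(dex) < HEADER_SIZE:
        raise ValueError("not a DEX file")
    # string_ids_size at header offset 56, string_ids_off at 60.
    count, ids_off = struct.unpack_from("<II", dex, 56)
    strings = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, start = read_uleb128(dex, data_off)  # MUTF-8 data follows
        end = dex.index(b"\x00", start)                   # null-terminated
        strings.append(dex[start:end])
    return strings


def find_dynamic_loading_indicators(dex):
    """Descriptors from INDICATORS that appear in the app's own string table."""
    present = set(dex_strings(dex))
    return sorted(s.decode() for s in INDICATORS if s in present)


def build_minimal_dex(strings):
    """Constructed fixture: a DEX with a header and string table only."""
    strings = sorted(strings)               # real files keep this table sorted
    count = len(strings)
    ids_off = HEADER_SIZE
    data_off = ids_off + 4 * count
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        data += encode_uleb128(len(s)) + s + b"\x00"   # ASCII: utf16 len == bytes
    file_size = data_off + len(data)
    header = (DEX_MAGIC + struct.pack("<I", 0) + b"\x00" * 20   # checksum, sha1
              + struct.pack("<8I", file_size, HEADER_SIZE, 0x12345678,
                            0, 0, 0, count, ids_off)
              + struct.pack("<10I", *([0] * 10))
              + struct.pack("<II", len(data), data_off))
    return header + b"".join(struct.pack("<I", o) for o in offsets) + bytes(data)


# Constructed samples: a string table like a self-updating app's, and a benign one.
SUSPECT_DEX = build_minimal_dex([
    b"Landroid/app/Service;", b"Ldalvik/system/DexClassLoader;",
    b"Ljava/net/HttpURLConnection;", b"loadClass",
    b"http://[placeholder-update-host]/update.jar",
])
BENIGN_DEX = build_minimal_dex([b"Landroid/app/Activity;", b"onCreate"])

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_DEX), ("benign", BENIGN_DEX)):
        print(name, find_dynamic_loading_indicators(blob))
```

The scan is deliberately conservative: it reports only that the app can load code it did not ship with, which is the capability the article's backdoor relied on, and a reviewer still has to decide whether that capability is expected for the app in hand. Running it over a real `classes.dex` extracted from an APK needs nothing beyond reading the file into `find_dynamic_loading_indicators`.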

Jiang has more details here about the malware, which is dubbed Plankton.

But wait, there's more

Add to all of this Google's own admission that more than 90 percent of Android users are running older versions of the mobile operating system that contain serious kernel vulnerabilities. That gives attackers an easy way to bypass Android's security sandbox that's supposed to limit the data and resources each app is allowed to access.

Then remember that Google makes no promises to vet the security of apps hosted in its own store, and it's easy to see why users have good reason to be wary of the platform.

“The ball is in Google's court here,” Oberheide said. “They need to harden the platform a bunch. They have their hands full now.” ®
