Security Experts:

Google Responds with 'Remote Kill' to Remove Recent Swarm of Malicious Android Apps

Following the recent malware infection of over 50 apps from the Official Android Market last Tuesday, Google, after initially removing the apps in question rather quickly, had remained relatively quiet on the issue. Google has now followed-up with additional procedures, including making use of the “remote kill” functionality to remove the malware from infected devices. The remote application removal feature, in cases such as this, allows Google to remove infected applications from active circulation in a rapid and scalable manner.

In a blog post on Saturday, Google said it has suspended the associated developer accounts as well as contacted law enforcement. Mobile security firm Lookout, Inc., reported that the accounts suspended were under the developer names “Kingmall2010″, “we20090202″, and “Myournet”.

The recent “Droid Dream” mobile malware takes advantage of known vulnerabilities in the Android Operating System, but doesn’t affect Versions 2.2.2 or higher. Google says that is has reason to believe that the only information the attackers were able to capture from affected devices the IMEI/IMSI codes used to identify mobile devices, along with the version of Android the device was running. But given the nature of the exploits, the attacker(s) could access other data, which is why we’ve taken a number of steps to protect those who downloaded a malicious application:

Google stated in a blog post that it has taken the following steps since the discovery of the Droid Dream malware:

1. We are remotely removing the malicious applications from affected devices. This remote application removal feature is one of many security controls the Android team can use to help protect users from malicious applications.

2. We are pushing an Android Market security update to all affected devices that undoes the exploits to prevent the attacker(s) from accessing any more information from affected devices. If your device has been affected, you will receive an email from android-market-support@google.com over the next 72 hours. You will also receive a notification on your device that “Android Market Security Tool March 2011” has been installed. You may also receive notification(s) on your device that an application has been removed. You are not required to take any action from there; the update will automatically undo the exploit. Within 24 hours of the exploit being undone, you will receive a second email.

3. We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues.

For more details, please visit the Android Market Help Center. We always encourage you to check the list of permissions when installing an application from Android Market. Security is a priority for the Android team, and we’re committed to building new safeguards to help prevent these kinds of attacks from happening in the future.

In addition, Google sent the following note to users there were potentially affected.

Hello,

We recently discovered applications on Android Market that were designed to harm devices. These malicious applications (“malware”) have been removed from Android Market, and the corresponding developer accounts have been closed.

According to our records, you have downloaded one or more of these applications. This malware was designed to allow an unauthorized third-party to access your device without your knowledge. As far as we can determine, the only information obtained was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices, and the version of Android running on your device).

However, this malware could leave your device and personal information at risk, so we are pushing an Android Market security update to your device to remove this malware. Over the next few hours, you will receive a notification on your device that says “Android Market Security Tool March 2011” has been installed. You are not required to take any action from there, the update will automatically run. You may also receive notification(s) on your device that an application has been removed. Within 24 hours of receiving the update, you will receive a second email confirming its success.

To ensure this update is run quickly, please make sure that your device is turned on and has a strong network connection. For more details, please visit the Android Market Help Center.

Regards,

The Android Market Team