Google apparently has used a kill switch to remove 21 malware-infected apps from both its Android Market and from people’s Android devices.
Calling the Trojan the “mother of all Android malware,” enthusiast site Android Police said yesterday the infected apps were discovered by a Reddit user. That Reddit user found that pirated versions of legitimate apps were infected by a Trojan called DroidDream, which uses a root exploit dubbed “rageagainstthecage” to compromise a device.
This piece of malware is especially virulent because it apparently can not only capture user and product information from a device but also download more code capable of further damage. The 21 apps in question, all now taken down but still listed by Android Police, came from a publisher named Myournet. However, mobile security vendor Lookout and other sources said yesterday that DroidDream has so far shown up in more than 50 Android apps, including ones from other publishers.
Conversation threads on Reddit suggest that Google was slow to respond to the malware discovery after the company was first alerted via official channels. But after contacting someone at Google directly, Android Police said the company responded quickly to remove the infected apps.
Like Apple, Google has a kill switch that lets it remotely remove from users’ phones and tablets any apps that it deems to be in violation of its developer agreements. As in this case, such a feature can be used to wipe out apps infected by malware.
At least 50,000 people had downloaded the apps in question, according to enthusiast site AndroidCentral. However, many of those potentially infected may have been protected by staying current with the latest Android updates. AndroidCentral notes that Google actually patched its source code to prevent this type of exploit for users running Android 2.2.2 or higher and that the vulnerability doesn’t exist at all in Gingerbread, aka Android 2.3.
CNET has contacted Google for further information and will update the story if and when more details are released.
This new exploit follows a report of a bot called Android.Pjapps that also has turned up in phony versions of legitimate Android apps. The difference is that the bot infected only apps in unregulated Android app stores, whereas DroidDream found its way into Google’s “regulated” Android Market.