02 Mar

Update: After having a back and forth with Android Security, there's some disagreement as to just how malicious these apps we linked in this post are. We may have jumped the gun here, so hold tight, and we'll keep you informed.

First off, no, we're not trying to be sensationalist. And I'll admit up front that we're a bit light on details at the moment, but we've got a guy who is a professional, seasoned coder, and that's not the type of guy whose opinion you ignore. With that said: yes, we really think that we found something worse.

Among the flood of (mostly) related security/piracy tips we received in the wake of the DroidDream discovery was one that was worth a closer look: two more developers putting up stolen apps. That alone is unfortunately normal enough; what isn't is that their apps are heavily obfuscated ("garbled") and encrypted - hiding something.

In other words, somebody has taken code that was more or less in English, translated it to Latin, and then scrambled it. Thoroughly. Justin's no novice; he's quite good at developing, and even better when it comes to security. Even he's having serious trouble getting in and seeing what's going on, at least without devoting a serious amount of time and energy to it (by his estimate, a few days). What he does know is that the app starts a timer and counts down to something, though what that is is anyone's guess. Justin is willing to bet that once the time is up, it will extract and execute a payload. Whatever it is, it's almost certainly not a good thing. One caveat worth stating: obfuscation by itself proves nothing, since legitimate apps are routinely run through ProGuard, which produces exactly this kind of unreadable code; it's the combination with the encryption and the timer that raised the flag.

So, once again, I'll say that we obviously don't have a ton of details. Now you know why, though: an app that has been stolen, republished, encrypted, obfuscated, and that starts a timer once installed. As the expression goes, if it walks like a duck, quacks like a duck, and looks like a duck... well, it's probably a duck.

Before writing this, Justin once again pinged his contact at Google's Android Security team, and contacted the security companies who had been in touch with us earlier (Symantec, Lookout, F-Secure, and Samsung).

Google and the security world were impressively fast to reply beforehand (and XDA wasn't far behind). Let's hope they're quick to the rescue once again.

[Market Links: 1, 2. Thanks to mes215 for the tip.]

Aaron Gingrich
Aaron is a geek who has always had a passion for technology. When not working or writing, he can be found spending time with his family, playing a game, or watching a movie.

  • acupunc

    It certainly seems that Google does need to do better filtering of apps. Even if the potential hole is patched, vendors aren't updating quickly enough... thus that leaves Google at the app market gate to ensure that it's a trusted and safe environment to install from. Otherwise there will be more of this and we will see tons of negative publicity about Android.

  • Shmoopty

    It baffles me that Google chooses not to detect if an app submitted to their market is 95% similar to any other developer's submitted app.

    The cost of having someone review app submissions that are flagged as "very suspicious" would be far less than the cost of publicity like this.

    • http://www.AndroidPolice.com Artem Russakovskii

      It's just never really been that big of a problem before. I would imagine now that the shit hit the fan, things would be changing in the security department. The question is how and how soon.

  • http://www.toysdiva.com PixelSlave

    IMO, Google's security policy is a complete failure. It's not because they don't do enough -- it's because there's NO security policy at all. All it can do is pull an app from the market, and maybe delete it from a user's device. That's it.

    There's also one thing I want to tell carriers -- the resistance that they have to pushing out updates will end up biting them. Why? Imagine tens of thousands of infected phones hitting their network all at the same time.

  • FtBastrd2

    What do you think is the solution to this sudden stream of malware? I have to admit that I feel a little better having people like you looking out for us normal people. But surely it shouldn't be down to you or anyone else outside of Google.

    I agree about the publicity too. All the iDrones would love to get their hands on information like this!

  • http://www.androidpolice.com Jakub Glodek

    As Charlie Sheen would say it, "Someone is high on Charlie Sheen"...

  • Phil

    While this is not good, I still don't think Google needs to do much in the way of checking out apps. Yes, they should detect when someone has stolen 90% of your code, but filtering apps, not so much.

    People need to check out some of the things they are installing. Look for a website, a review from a reputable blog, etc. I think some folk literally just refresh the market and install every single thing that pops up just to try it. With freedom comes responsibility.

    • http://www.toysdiva.com PixelSlave

      >> With freedom comes responsibility.

      Yes, but you know what, many people don't care. I once watched a TV show, and a character in the show asked, "Why do humans need red lights? Shouldn't we stop our cars when we see someone in front of us?"

      Yea, why? That's because many people are not responsible. If people can be so irresponsible when they could potentially kill someone, they probably won't care when installing malware would only cause a phone to break down.

      • Someone

        LOL, that's a really dumb example.

        We need a red light because it makes things fast and efficient, instead of relying on drivers to communicate.

        It also makes it easier to see that a car is braking far ahead of time, and makes it easy to see how many people are stopped in front of you (so you can find an alternate path).

  • jcase

    While the apps in yesterday's post were CERTAINLY malware, I may have jumped the gun on this post (I take full responsibility).
    The ones listed in this post MAY not be malware after all, however they are far less than legitimate applications.
    Google disagrees with my opinion (that they are malware), and they are likely right.
    Nothing can be done with these less than legit apps until the trademark holders send in DMCA takedown notices.
    I may have jumped the gun calling them malicious, I don't have time to re-investigate them.
    I apologize for my assumption, it has been a hectic morning for me, as many of you know.
    Either way, these are not legitimate in my opinion and should be avoided.

  • mes215

    Let's hope it isn't as serious as you guys think. I sent the link because I was trying to find out if Google had also removed Davinci Developers (the pirates of old) from the market. Since they had uploaded a pirated copy of Zuma's Revenge, I figured it would be easy to find them by searching for that game. However, instead of finding them, I found these two developers giving away the exact same game. I figured, given everything that's happened this past week, it was better to alert you to them.

    Looks like Google also removed Davinci Developers from the market, as I've been unable to find anything from them there. I'm not sure when this happened though.

  • Steve

    Well, if they're stolen apps, they ARE malicious in my opinion.

  • Geri O

    Ya know, I appreciate the writer's willingness to be forthright about the possibility of over-reacting to the situation.

    But DAMN, how bad does it have to be to warrant sounding the alarm? I'm glad someone is looking out for the situation.

    Long Live Android! Fix the security issues!

  • Steve

    BTW, Android Police has made the BBC News:

    http://www.bbc.co.uk/news/technology-12633923

  • David

    Last night I went into my downloaded apps to see if there were any updates, and I updated three apps: Words with Friends, Angry Birds and McAfee WaveSecure. Right when all three apps finished installing, the phone rebooted and came back with the Nexus One bootscreen. Funny thing is, I have Cyanogen's RC1 7 for EVO, and they have their own custom bootscreen. I think something flashed my phone, so I yanked the battery immediately, booted into recovery and restored my last backup. Luckily it was only 2 days old and I didn't lose anything. But still people, if you are rooted, learn to make backups, watch your installs and if anything looks wonky, pull the battery and restore. It's your only safeguard at this point.

  • rareasasparagus

    >But still people, if you are rooted, learn to make backups, watch your installs and if anything looks wonky, pull the battery and restore. It's your only safeguard at this point.

    As an end user who bought a rooted phone on ebay because I wanted to try out android, you are basically saying, please now dedicate a week of your life to getting your phone safe and restorable. And then don't install anything on it without an hour of research per app. This open market is a stunning study in the inefficiencies inherent in the invisible hand. Socialize the losses, to the max.

    Or to paraphrase an old, old *nix t-shirt: Caveat Emptor, in your face.

    • David

      I think you are misunderstanding a lot about rooted devices. It takes less than 10 minutes to do a backup for most phones, and that includes the reboot into recovery and reboot back out. If you think it will take you a week, then maybe you should go back to XDA and read the forum a little better. It's true in any open source marketplace, you have to watch your own back because no one else will. No one is saying the Android market in and of itself is inherently evil or good, just know what you are downloading, and if there is a problem, remember that only you can take care of it yourself.

      • rareasasparagus

        So far I've been at it 3 hours. If the phone has malware on it, what's safe to save? Any apps?

        In general, I find it extremely difficult to find newbie help for this phone, even at the user level. 2/3 of the time I come up blank, and now I set a time limit of 45 minutes to hack at any one problem. The google pulls up 100 links containing non-relevant results because of version differences, or questions about development, not user level. You can chase down a wrong path for a long time before deciding it is a bad path.

        For example, I want to look at the logs. That seemed really simple. Login to the terminal, su root. But where are they?

        Everyone says to install adb. Do I bother with the SDK just to look at the logs? Do the logs contain anything useful? Should I sink a few hours into that? (So far I've maxed on my initial time, but I'm surprised that no one will just say where the logs are. If they are compressed and that's why you need a tool, can someone just say that?)

        Help for Android is the single most cryptic thing I've ever dealt with. XDA, eh? Okay, I'll go google that.

        • http://bobkerns.typepad.com Bob Kerns

          Um, "log into the terminal, su to root". Well, I suppose you could do it that way.

          Or you could use a log viewer app. For example, this one:

          https://market.android.com/details?id=org.jtb.alogcat

          It seems you're a bit confused about whether you're looking for user-level or developer-level information. And you don't appear to fit either category...

          Even looking at the logs at all would mostly be considered a developer-level thing. Logging into the terminal, and doing 'su'? Very definitely. Even installing a terminal app is a developer, not user-level action.

          It might be that you really should install the SDK, and get adb and quite a few other things that might be of interest to you -- none of them really user-level.
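The question above ("where are the logs?") has a short answer for Android of this era: they aren't files. logcat reads the kernel's log ring buffers, exposed as /dev/log/main, /dev/log/system, /dev/log/radio and /dev/log/events, which is why every reply says "use a log viewer or adb logcat" rather than naming a path. Once you have pulled a dump (`adb logcat -d -v time > log.txt`), the useful part for "watch your installs" is picking the PackageManager lines out of it. The parser below is an added example, not code from the thread or from any project; the sample lines are constructed in the shape `adb logcat -v time` prints, and the message texts (package removed/installed, process start) are assumed wording, not quoted from a real device.

```python
"""Pull package installs and first appearances out of `adb logcat -v time` output.
Added example; the sample lines below are constructed, not a real device log."""
import re
from collections import namedtuple

LogEntry = namedtuple("LogEntry", "date time priority tag pid message")

# `adb logcat -v time` line shape: MM-DD HH:MM:SS.mmm P/Tag( pid): message
LINE_RE = re.compile(
    r"^(\d\d-\d\d) (\d\d:\d\d:\d\d\.\d{3}) ([VDIWEF])/([^(]+?)\s*\(\s*(\d+)\): (.*)$")
# Java-style package names: lowercase dotted identifiers with at least one dot.
PACKAGE_RE = re.compile(r"\b[a-z][a-z0-9_]*(?:\.[a-z][a-z0-9_]*)+\b")

# Constructed sample log: the message wording is assumed for illustration.
SAMPLE_LOG = """\
03-02 21:14:05.123 I/PackageManager(  123): Removing non-system package:com.example.old
03-02 21:14:07.456 D/PackageManager(  123): New package installed in /data/app/com.example.game-1.apk
03-02 21:14:09.789 I/ActivityManager(  123): Start proc com.example.game for activity com.example.game/.GameActivity: pid=4567
03-02 21:14:10.002 W/dalvikvm( 4567): threadid=1: uncaught exception
this line is deliberately malformed and must be skipped, not crash the parser
"""


def parse_logcat(text: str) -> list:
    """Parse every well-formed line into a LogEntry; silently skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(LogEntry(*m.groups()))
    return entries


def package_manager_events(entries) -> list:
    """(time, package, message) for each PackageManager line that names a package."""
    out = []
    for e in entries:
        if e.tag != "PackageManager":
            continue
        for pkg in PACKAGE_RE.findall(e.message):
            out.append((e.time, pkg, e.message))
    return out


def first_seen(entries) -> dict:
    """Earliest timestamp at which any line, whatever its tag, mentions a package.
    Useful for lining up 'when did this thing show up' against a reboot or crash."""
    seen = {}
    for e in entries:
        for pkg in PACKAGE_RE.findall(e.message):
            seen.setdefault(pkg, e.time)
    return seen


if __name__ == "__main__":
    parsed = parse_logcat(SAMPLE_LOG)
    for when, pkg, msg in package_manager_events(parsed):
        print(f"{when} {pkg}: {msg}")
    print(first_seen(parsed))
```

The log buffers are small and wrap quickly, so dump them soon after the event you care about; by the time a phone has rebooted and settled, the lines that mattered are often already gone.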

  • http://pof.eslack.org pof

    I've been analyzing a couple of the fox901 and blue_spirit market apps, and they look completely like the original game (obfuscated with ProGuard), with an added "admob.android.ads" class to incorporate ads into the original game (which didn't have ads initially).
    So basically, they are earning money through ads using a "stolen" app, but no indication of malware or anything that will harm your phone, steal your personal data or cost you money at all.
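The post describes the suspect apps as obfuscated, encrypted, and starting a timer, and the comment above describes what a closer look actually found: a ProGuard-processed copy of the original game with an ad class bolted on. Both are questions you can put to an APK statically before spending days on it. The script below is an added example, not code from Android Police, Justin, pof, or any of the vendors named; the two "APKs" it inspects are constructed stand-ins (a zip whose classes.dex holds only descriptor strings), and the class names in them, including the AdMob-style one, are made up for illustration. It does three things: diffs the class list of a suspect build against the original to show what was added, measures how ProGuard-like the naming is, and reports whether the dynamic-loading, crypto and timer APIs that a delayed dropper would need are referenced together.

```python
"""Static triage of a suspect APK: added-class diff, obfuscation ratio, dropper indicators.
Added example with constructed sample data; not the fox901/blue_spirit apps themselves."""
import io
import re
import zipfile

# Dex type descriptors ("Lcom/example/Foo;") sit verbatim in the dex string pool, so a
# byte regex over classes.dex recovers them without a full dex parser; it is the
# programmatic form of `strings classes.dex | grep '^L.*;'`.
DESCRIPTOR_RE = re.compile(rb"L[A-Za-z_$][A-Za-z0-9_$/]*;")

# Framework classes whose co-occurrence fits the post's description of a timed dropper:
# schedule something, decrypt it, then load or run code that was not shipped in the open.
# Any one of these alone is normal; the combination is what earns a closer look.
INDICATORS = {
    "dynamic_code_loading": {b"Ldalvik/system/DexClassLoader;", b"Ldalvik/system/PathClassLoader;"},
    "crypto": {b"Ljavax/crypto/Cipher;", b"Ljavax/crypto/spec/SecretKeySpec;"},
    "delayed_execution": {b"Ljava/util/Timer;", b"Landroid/app/AlarmManager;"},
    "process_exec": {b"Ljava/lang/Runtime;", b"Ljava/lang/ProcessBuilder;"},
}
FRAMEWORK_PREFIXES = (b"Landroid/", b"Ljava/", b"Ljavax/", b"Ldalvik/")


def read_dex(apk_bytes: bytes) -> bytes:
    """An APK is a zip; the compiled code is the classes.dex entry."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return z.read("classes.dex")


def descriptors(dex: bytes) -> set:
    return set(DESCRIPTOR_RE.findall(dex))


def app_classes(dex: bytes) -> set:
    """Descriptors minus framework references: the classes the app itself ships."""
    return {d for d in descriptors(dex) if not d.startswith(FRAMEWORK_PREFIXES)}


def indicator_hits(dex: bytes) -> dict:
    """Indicator groups referenced by the dex; an empty dict means none were found."""
    found = descriptors(dex)
    return {group: sorted(d.decode() for d in names & found)
            for group, names in INDICATORS.items() if names & found}


def obfuscation_ratio(dex: bytes) -> float:
    """Share of app classes named with one or two lowercase letters, the ProGuard
    renaming pattern. A high value means 'was obfuscated', not 'is malicious'."""
    classes = app_classes(dex)
    if not classes:
        return 0.0
    short = [c for c in classes if re.fullmatch(rb"L(?:[A-Za-z0-9_$]+/)*[a-z]{1,2};", c)]
    return len(short) / len(classes)


def added_classes(original_apk: bytes, suspect_apk: bytes) -> set:
    """Classes present in the suspect build but absent from the original."""
    return app_classes(read_dex(suspect_apk)) - app_classes(read_dex(original_apk))


def make_apk(class_descriptors) -> bytes:
    """Constructed stand-in for an APK: a zip whose classes.dex is a dex magic followed
    by descriptor strings. Real dex files carry headers and tables around the string
    pool, but the descriptor bytes themselves are stored the same way."""
    dex = b"dex\n035\0" + b"\0".join(class_descriptors) + b"\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
        z.writestr("classes.dex", dex)
    return buf.getvalue()


# Constructed sample: a ProGuard-processed game, and the same game repackaged with an
# ad class added plus the loader/crypto/timer combination the post describes.
ORIGINAL_CLASSES = [b"Landroid/app/Activity;", b"Lcom/example/game/GameActivity;",
                    b"Lcom/example/game/a;", b"Lcom/example/game/b;"]
ORIGINAL_APK = make_apk(ORIGINAL_CLASSES)
REPACKAGED_APK = make_apk(ORIGINAL_CLASSES + [
    b"Lcom/admob/android/ads/AdView;", b"Ldalvik/system/DexClassLoader;",
    b"Ljavax/crypto/Cipher;", b"Ljava/util/Timer;"])


def triage(original_apk: bytes, suspect_apk: bytes) -> dict:
    """One report a reviewer can read before deciding whether to spend days on it."""
    dex = read_dex(suspect_apk)
    return {"added_classes": sorted(c.decode() for c in added_classes(original_apk, suspect_apk)),
            "indicators": indicator_hits(dex),
            "obfuscation_ratio": obfuscation_ratio(dex)}


if __name__ == "__main__":
    for key, value in triage(ORIGINAL_APK, REPACKAGED_APK).items():
        print(f"{key}: {value}")
```

The point of the diff is the one pof's comment makes: a repackaged app whose only addition is an ad SDK is a piracy problem, not a malware one, and the indicator table is there to stop "it's obfuscated" from being mistaken for evidence on its own. A referenced class is not an executed one, so hits from this script are a reason to look, never a verdict.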

  • Jrdemaskus

    XDA-DEVELOPERS.COM is the absolute place for you to learn about any device and more! Go there, find your device. Join in, have fun. Peace

    • rareasasparagus

      Yup, I did go over there. During my 8 hours of forced learning about everything it took to wipe the phone and get it in some semblance of working order I read a bit of XDA, but really it's just a pile of stuff. Most of it too old to be applicable. It's interesting for a while (tips and tricks, yay), but not really useful for a particular problem, except maybe (if you're lucky) to illuminate some tiny fraction of your issue like a Sherlock Holmes murder mystery.

      The trouble is, this random mod of Android on a random extinct phone that I bought off eBay is just one possible combination out of a gazillion that I can search for advice on. There is no documentation that is authoritative. One is reduced to a very old fashioned, pre-technological situation of trying to find an expert human to help. Which is pretty ironic.

      Just because I can find my way around *nix doesn't mean I want to actually learn jack about android. I just wanted a phone. (I know, a total shock, but there you have it.)

  • WhoZWhatZit

    Then why would you buy a rooted phone? That's like "just wanting a computer" - then running your computer on Linux.

  • EDJU

    I think it is someone from Apple doing this, to slow down the competition.