It seems evil-doers' depravity knows no bounds: we've just heard word from Symantec that an infected version of Google's Android Market Security Tool March 2011 is floating around the "black markets" - meaning it's not in the Android Market, but it is floating around the 'net in APK form. Luckily, it's not nearly as bad as DroidDream (the malware it was designed to remove), but it's malware nonetheless.

Specifically, Justin says it's closely related to (or possibly the same as) "Fake 10086" malware. Asian users seem to be getting the brunt of it, and it collects information such as IMEI, phone number, and other minor tidbits, which it then uploads to this site. On the download side of the equation, it tries to grab data from a site that seems to be currently unresponsive. For Asian users (the malware seems to be specifically geared towards Chinese carriers), it attempts to interact with the two sites to send and receive SMS messages to paid services.

For users outside Asia, the only real concern is privacy - and it seems no serious data is being transmitted. Affected users (those who have downloaded the Security Tool from a third party) can simply uninstall the app to remove the malware; from what we've gathered, it doesn't pull in new code.

A few points I want to emphasize:

  • This is not available in the Market, so you only need to worry if you downloaded the Security Tool from another source. Only Google's official tool is found in the Market. Just to be safe, if you are going to download it from the Market, make sure Google Inc. is the publisher. (To be really safe, just download from the link above.)
  • Users infected with DroidDream do not need to manually install the update - Google is remotely installing, activating, and uninstalling it on infected users' devices. There's no need to do it manually at all, but if you feel compelled, only install the one from the Market. Do not install it from a third-party source.

A huge thanks to Symantec for tracking this down and notifying us of it, as well as providing the code for Justin to crack open. They're currently the only company with protection from this malware.

So, in a nutshell: Nothing too serious, and only infecting users who are downloading the APK from a third-party source and sideloading it.

[Thanks to Symantec for the tip!]

Aaron Gingrich

  • acupunc

    As always, thanks for the heads up!

    Just another reason to stick to quality app markets!

  • Justa Notherguy

    So, did you really plan to provide us with handy QR codes for those malware sites or is that simply an unanticipated feature of your CMS setup?

    • Aaron Gingrich

      Clicking the links won't harm or infect you... but yes, it's part of the CMS :)

  • Simon Belmont

    Heh. I knew the security tool was being pushed to infected handsets.

    I did not know it was downloadable on the Android Market. Thanks for the heads up, though I don't think I need the tool, it's nice to be informed.

  • iDroid

    I thought the whole joy of owning an Android device was "freedom," "open-source," "being able to download and customize as you wanted." Getting apps from only the Android Market is blasphemy against Droid-ism!!

    Hmmm, maybe that "walled-garden" isn't so bad after all.

  • Oma

    Is there an App for this- Android Police-

  • Icaro Kalleu

    I want to know a thing, I'm from Brazil, if I've downloaded one of these apps made by myournet or that other ones, from the internet "PC" as .apk I'll receive this e-mail with this update "android market security tool march 2011"???? I think I've downloaded the app "spider-man" by myournet!!! but I think I downloaded that by internet in my PC!!!