It seems evil-doers' depravity knows no bounds: we've just heard word from Symantec that an infected version of Google's Android Market Security Tool March 2011 is floating around the "black markets" - meaning it's not in the Android Market, but it is floating around the 'net in APK form. Luckily, it's not nearly as bad as DroidDream (the malware it was designed to remove), but it's malware nonetheless.

Specifically, Justin says it's closely related to (or possibly the same as) "Fake 10086" malware. Asian users seem to be getting the brunt of it, and it collects information such as IMEI, phone number, and other minor tidbits, which it then uploads to this site. On the download side of the equation, it tries to grab data from a site that seems to be currently unresponsive. For Asian users (the malware seems to be specifically geared towards Chinese carriers), it attempts to interact with the two sites to send and receive SMS messages to paid services.

For users outside Asia, the only real concern is privacy - and it seems no serious data is being transmitted. Affected users (those who have downloaded the Security Tool from a third party) can simply uninstall the app to remove the malware; from what we've gathered, it doesn't pull in new code.

A few points I want to emphasize:

  • This is not available in the Market, so you only need to worry if you downloaded the Security Tool from another source. Only Google's official tool is found in the Market. Just to be safe, if you are going to download it from the Market, make sure Google Inc. is the publisher. (To be really safe, just download from the link above.)
  • Users infected with DroidDream do not need to manually install the update - Google is remotely installing, activating, and uninstalling it from infected users. There's no need to do it manually at all, but if you feel compelled, only install the one from the Market. Do not install it from a third-party source.

A huge thanks to Symantec for tracking this down and notifying us of it, as well as providing the code for Justin to crack open. They're currently the only company with protection from this malware.

So, in a nutshell: Nothing too serious, and only infecting users who are downloading the APK from a third-party source and sideloading it.

[Thanks to Symantec for the tip!]