The malware-based apps, dubbed DroidDream, have been removed by Google, which says it's "adding a number of measures to help prevent malicious applications using similar exploits from being distributed through Android Market," though declining to detail yet what those may be.
But the biggest quandary from the DroidDream episode may be why any Android devices (Google says Android 2.2.2 and later versions would not be affected because the hole was closed) were vulnerable to the DroidDream attack in the first place since Google had issued patches for those exploits by last November.
One underlying problem is that the Android-device manufacturers and carriers that work in tandem to distribute Android-based updates had not uniformly issued patches to their customers for the DroidDream exploit.
While declining to name specific Android device manufacturers and carriers, Google speaking on background, acknowledges not all Android devices have been patched. While Google usually takes a hands-off approach after issuing open-source code changes to the Android code base, expecting the manufacturers to integrate them into their own customized Android builds, Google leapt into action following the DroidDream revelations, working directly with manufacturers and carriers to blast out over-the-air updates. The goal is to make sure the underlying security flaws exploited by DroidDream that may still be present in Android devices are addressed.
Google has also directly sent out an auto-uninstall tool it calls "Android Market Security Tool March 2011" to infected Android devices to uninstall the malicious Android apps that were downloaded from Google Market.
Security vendors this week are closely watching this DroidDream episode play out.
"The exploits for this malware have been fixed for months," says Kevin Mahaffey, CTO at Lookout Mobile Security, talking about what's known as "Exploit" and "rageagainstthecage" used in the DroidDream malware-laden apps that made it into the Google Market. But that doesn't mean that Google's fixes from months ago made it out to the consumer. What the industry is learning, Mahaffey says, is "it's a lot more complicated to patch a phone than a PC."
Anti-malware firm Kaspersky Lab today called Google's handling of the Android malware "debatable." The security vendor says its examination of the so-called "Android Market Security Tool March 2011" that Google has pushed out to Android devices infected with DroidDream is a "questionable approach."
The Google app uninstaller remotely installs on the affected device, and then "launches itself, obtains root privileges, uninstalls the malicious apps and then deletes itself — without ever asking any user authorization," Kaspersky says in its analysis. "This approach has a number of similarities to the practices employed by malware authors." In addition, Kaspersky criticized Google "for dealing with symptoms while leaving the cause untreated." According to Kaspersky's analysis, "the update doesn't actually close the exploited hole in the Android debugging bridge."
Kaspersky continues to say "Apparently installing patches is generally almost impossible," citing a Kaspersky researcher who believes "this is due to Android's inability to install granular patches; furthermore, regular larger patch updates are reportedly difficult because of Android's use of the 3G data connection for syncing and updating with over the air updates."
Dozens of manufacturers take Google's updates and "bundle it into their build," which vary, and eventually the user should get the update over the air, says Nicholas Percoco, senior vice president and head of Trustwave's SpiderLabs. This issue may become a factor in how corporate users bring Android devices into official use in a corporate setting. Manufacturers and carriers that can prove they are fast and diligent about updating code could end up winning more corporate customers. That might make enterprise IT managers inclined to want to push for a sort of corporate standard for an Android as the patch and security issues are closely examined.
The DroidDream nightmare for Android could be seen as an opportunity for security vendors with specialized expertise.
"My initial reaction to this attack is 'I'm not surprised,'" says Neil Book, vice president of Juniper's mobile division which markets the Junos Pulse mobile-management and security software for Android. Book says Juniper's Pulse for Android would have kept the Android anti-malware from running. "We recognize it because of the heuristic engine," he says.
Book says he thinks that probably less than 5% of the world's smartphones have any type of anti-malware client on them. He expects to see smartphone-oriented anti-malware start to be offered eventually on an OEM basis with the service providers installing it "for free" on devices as part of their service. Book says Juniper has had this type of arrangement with British Telecom (BT) for two years, and expects to see the U.S. market take this approach.
Trusteer, which has specialized in anti-malware software to fight banking trojans that try to launch through compromised bank customer's computers but can be detected and eradicated, has announced a partnership with WorkLight to create "secure mobile browser apps" for both iPhone and Android.
It will be rolled out in a few months, says Yaron Dycian, vice president of products at Trusteer. It won't be called Rapport, like Trusteer's current PC-based browser software and service for the banking industry, but will be sold under WorkLight's brand and will be for general enterprise use.
If a device is infected, the app simply wouldn't run, explains Ron Perry, CTO for WorkLight about one approach taken with Trusteer.
Like other security vendors, Trusteer views DroidDream as a turning point in mobile malware. "It'll only escalate from here, no doubt," Dycian said.
Read more about wide area network in Network World's Wide Area Network section.