Android malware clean-up exposes reliance on mobile carriers to push out updates

Filed Under: Android, Google, Malware, Mobile, Vulnerability

Android versions: Eclair, Froyo, Gingerbread

Last week there were many headlines in the security press after it was discovered that malicious apps had been found on the official Android Market.

The good news is that Google has removed the offending apps which formed the so-called "Droid Dream" attack from the Android Market, so no-one else can be tricked into downloading them from an official source at least.

In addition, Google has revoked permissions from the developer accounts which published the malware, and claims to have contacted law enforcement agencies about the malicious activity.

This weekend, Google announced that it was pushing a clean-up tool to all of the Android smartphones it believed had been affected by the attack.

This is, in effect, Google's "remote kill switch" - capable of forcibly removing offending apps from users' phones.

Affected users will see a notification on their smartphone that a tool called "Android Market Security Tool March 2011" has been installed.

Android Market Security Tool

If, for any reason, you want to determine for yourself if your own Android smartphone was affected by the "Droid Dream attack" you should visit Settings / Applications / Running services and look for "DownloadManageService" in the list of running services.

But is that the end of the story?

Not quite. You see, Google's tool undoes the damage caused by the malware - but it doesn't fix the underlying vulnerabilities that allowed the malware to cause a nuisance in the first place.

The malware attack took advantage of known vulnerabilities which only affect versions of the Android operating system before 2.2.2.

However, although the bug is fixed in Android 2.2.2 and later, it's up to individual carriers and smartphone vendors to make sure that the patch is rolled-out to users running older versions of Android.
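The two checks described above (looking for the "DownloadManageService" entry in the running-services list, and knowing whether the handset runs a release older than 2.2.2) can be scripted. The following is an added example, not from the original article or from Google: it assumes the phone is attached with USB debugging enabled so that the release string and service listing can be pulled with `adb shell getprop ro.build.version.release` and `adb shell dumpsys activity services`; the sample listing embedded below is constructed, and the package names in it are made up.

```shell
#!/bin/sh
# Added example (not from the original article). The service listing below is
# constructed sample data in the rough shape of `dumpsys activity services`
# output; package names are invented. On a real device the inputs would come
# from `adb shell getprop ro.build.version.release` and
# `adb shell dumpsys activity services` (assumption: USB debugging enabled).

# Return 0 (true) when Android release $1 is older than 2.2.2, i.e. lacks the
# fix the article refers to. Compares field by field as numbers, so "2.10"
# sorts after "2.2", and "2.2" is treated as "2.2.0". Non-numeric suffixes
# such as "2.3.3-beta" are ignored.
android_lacks_fix() {
    ver=$1
    ref=2.2.2
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$ver" | cut -d. -f"$i")
        b=$(printf '%s' "$ref" | cut -d. -f"$i")
        a=${a%%[!0-9]*}; b=${b%%[!0-9]*}   # drop anything after the digits
        a=${a:-0}; b=${b:-0}               # missing field counts as 0
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # exactly 2.2.2: fixed
}

# Return 0 when the indicator named in the article, "DownloadManageService",
# appears as a whole component name in the listing read from stdin. The
# word-boundary guards stop a longer, unrelated name that merely contains the
# string from being flagged.
droiddream_service_present() {
    grep -qE '(^|[^A-Za-z0-9])DownloadManageService([^A-Za-z0-9]|$)'
}

# Combine both checks. $1 = release string, $2 = text of the service listing.
# Prints one of: indicator-present, unpatched, ok.
assess_device() {
    if printf '%s\n' "$2" | droiddream_service_present; then
        echo "indicator-present"
    elif android_lacks_fix "$1"; then
        echo "unpatched"
    else
        echo "ok"
    fi
}

# Constructed sample listing: one benign service and one matching the indicator.
SAMPLE_SERVICES='
  * ServiceRecord{3f2a1b u0 com.example.music/.PlayerService}
  * ServiceRecord{7c9d0e u0 com.example.wallpaper/.DownloadManageService}
'

# Constructed listing with a look-alike name that must NOT be flagged.
SAMPLE_CLEAN='
  * ServiceRecord{3f2a1b u0 com.example.music/.PlayerService}
  * ServiceRecord{1a2b3c u0 com.example.sync/.DownloadManageServiceHelper}
'

# Stand-alone run: a 2.2.1 handset with the indicator present.
assess_device "2.2.1" "$SAMPLE_SERVICES"
```

The version comparison matters more than it looks: a naive string comparison would rank "2.10" below "2.2", and a 2.2 handset with no third field must still count as older than 2.2.2. The service check only tells you whether the specific component the article names is running; a handset that comes back "unpatched" has simply not received the 2.2.2 fix yet, which is exactly the carrier-dependency the article is about.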

In other words, if you're running an older version of Android on your smartphone, you may still be vulnerable to an attack like that conducted in the information-stealing Droid Dream attack.

Android 2.2.1

So, if your smartphone is still running the "Eclair" version of Android, for instance, you might be at greater risk than a friend who has a smartphone running the "Gingerbread" flavour.

As a security-conscious Android phone owner you might find yourself having to make a choice as to whether you want to wait for your mobile carrier to send you this critical security patch over the airwaves, or install a custom ROM on your device.

With so many devices running so many different flavours of Android, ensuring that all of them are kept up-to-date with security patches becomes a very serious problem. And it's one that is largely out of the poor phone owners' hands - all they can do is try to make their voices heard and hope that someone at the mobile carrier/smartphone manufacturer is listening.

You have to wonder if this is a security model that is going to work effectively as more and more people start relying upon smartphones as part of their daily lives.


13 Responses to Android malware clean-up exposes reliance on mobile carriers to push out updates

  1. Kim · 1304 days ago

    where can I get gingerbread?

  2. Andy Vines · 1304 days ago

    I've been running Gingerbread, as a custom ROM, on my LG GT540 for a couple of weeks.

    LG, when emailed, have stated that 2.1 was all that they were going to release for my phone, so any further development is in the hands of private individuals. This is not too much of a worry, as Android IS an open-source OS.

    But, for those that are not comfortable with voiding their warranty and messing about with custom builds, the implications are that they will ALWAYS be at risk. It is up to the phone makers to continue supporting phones, as opposed to the current trend of "We'll support one, maybe two upgrades, and then that's it!"

    Kim....Depending on what phone you have, you should search around for the 2.2.2 or 2.3 build

  3. Nick Verticelli · 1304 days ago

    People may bash Apple and the iPhone but this is the reason why a "closed" "walled garden" system works. If an attack is found, Apple just updates iOS and sends it out through iTunes to its one model phone. One OS on one phone (iPhone) rather than a ton of different phones on a ton of different Android varieties and you don't have to rely on AT&T or Verizon to provide updates. I know as an iPhone owner that my iPhone is running the latest OS, and that if an update is released because of a security attack I'll get it as soon as I plug in to iTunes and not pray that some half-assed phone carrier is going to decide that my model phone isn't getting an over the air update while my friend's other brand and model is. Tell me again how good "open" is when you're at the mercy of one OS maker, two carriers, a handful of phone manufacturers and dozens of phone models with each manufacturer, and none of them are running the same version of Android or working together to benefit the consumer. What good is releasing a new Android version to fix security holes when half to two-thirds of the phones won't get the update because the carriers won't send it out?

    • Spidge · 1304 days ago

      That's assuming that Apple decide to tell you about the security breach, or even find it before the hackers do. And if they do tell you, it assumes they bother to fix it.

      I'm not an Apple or Android user, so have no particular axe to grind, but with the open source model at least you have the chance of someone else fixing a problem for you when your supplier doesn't.

    • You seriously don't believe that because the update exists, Apple users update automatically? They don't. Most don't bother updating for any number of reasons among them being, they are clueless as to what an update is and or why they need to bother since their phone is currently "working OK".
      Not to mention Apple users have been sold the idea that they are immune to malware attacks. Security by obscurity is the Apple hallmark so before you begin to hand out awards, none of those affected ever read nakedsecurity.sophos.com or any technical rag. I'm in the support business and see them daily and they don't know squat but hype.

      • Nick Verticelli · 1304 days ago

        There is no need to know what an update is or why they need to bother. They have to plug their iPod touches or iPhones into iTunes at some point during the life of the device to put on their "kewl" music or pictures. As soon as they do, BAM!, iTunes says "hey, there's an update CLICK HERE!" Of course, they can just dismiss it because it's annoying them, but if you've ever spent 5 minutes in a jailbreaking forum you'll see tons of people with posts like "I updated my phone by mistake and now I can't jailbreak it!" or "I clicked the update button when it told me to and lost my jailbreak, what do I do?" so I'm leaning more toward the notion that the clueless like to blindly click the "OK" button rather than the little X in the corner that closes the update window. Heck, even my 75 year old father will blindly click OK when he gets the popup that says he needs to install Antivirus 2009 and other rogue apps. It's this "OK button clicking" that keeps my repair business going and makes me money with virus removals. :(

      • Nick Verticelli · 1304 days ago

        (Part 2) As for your statement that Apple users think they're immune to viruses and spyware, I couldn't agree more. This is the reason I'm not a 100% Apple "fanboy" (I hate that word...) complete with all their "we don't get viruses" smugness. Yes I own an iPhone but that's because I didn't like the smartphone alternatives at the time of purchase and although the phone has its faults, it does what I need it to do and it does it very well. But I'm also a primary Windows 7 user dual booting Ubuntu and will continue to be as long as iTunes (which unfortunately has become a bloated, poorly written piece of software at this point) runs on Windows 7.

  4. Andy Vines · 1304 days ago

    Nick, it is not the phone carriers that are the problem. It is the phone makers, as described above. They may not necessarily continue to upgrade the OS, preferring to concentrate on their newer models. That is, frankly, unacceptable in my view.

  5. This is one of my main concerns with Android: Due to the wide range of manufacturers and providers in comparison to the iPhone; important security updates are often delayed, or never considered through official channels. Continued support beyond a year or so of a handset's release by the manufacturer isn't considered a good financial decision by the company, so they get left wide open.

    Even when they are trying to keep handsets up to date, providers will often lag months beyond the AOSP Android code due to testing and lack of resources - or longer, I seem to recall some handsets were receiving updates for 1.6 over a year after its official release. Even after that, most providers will take their time re-customising any updates with their branding and bloatware, before retesting again and pushing it OTA.

    I'm quite surprised that Google themselves aren't pushing manufacturers to keep their older handsets more up to date. It's only made worse when some manufacturers start blocking off the paths and exploits used to root phones; meaning even those of us who are using AOSP based unofficial ROMs can't keep our phones up to date.

    Hopefully, as more Android exploits and security scares appear, either manufacturers/providers will start making a concerted effort to keep their phones secure, or people will become more aware of the dangers of phones from security-ignorant sources, people may possibly vote with their wallets. Either way, for Android based handsets to keep doing well, this trend needs to change.

    To all of the pro-Android readers out there, I should point out that I post this as an Android user, except that I tend to keep my phone up to date with unofficial AOSP based nightly ROM builds.

  6. Ralph · 1304 days ago

    Folks, I have news for you. The overwhelming majority of smartphone users are not like you. They haven't the time, inclination or background to fuss with "AOSP based nightly ROM builds". Nor should they have to. They want, and deserve, phones that "just work," and the fact that you look down on them for that is simply wrong.

    This is exactly what I most object to about Android: it supports the interests of the technorati priesthood over those of the end users. Not to mention the fact that it enables carriers to force their customers to buy new phones every year or two.

    • Richard · 1169 days ago

      Would you also complain then if you bought a car and a few months down the line someone broke into it and then the company refused to install bullet proof glass windows for you? Or if you bought a mountain bike and your tyre got a puncture which you didn't know how to change, would you blame the company that sold you the mountain bike, the company that made the mountain bike or yourself for never learning how to change a tyre?

      If you want a phone that just works and can do everything then get an iPhone not Android. This is the same reason I never used to recommend Windows Mobile to anyone. I had Windows mobile with custom Roms and it did everything I wanted to, when other people used to say they wanted my phone, as soon as I explained how I got it to be like that they would just go out and buy an iPhone instead.

      If you want a phone that "just works" buy an iPhone, that is why they are so popular, because most people don't have the time or knowledge to spend ages messing around making their phone just how they want it, they want the manufacturer to do it for them. If on the other hand you are more technical minded and enjoy tweaking settings and installing custom roms go for an android device, or even WinMo.

      What you are saying is that you should be able to buy an android device (and probably one of the cheaper ones if it's not getting updated) and the companies who make the little bits of money from it should continue to pour money into your device to make it perfect all the time. That's just not how business, or this world, works. If companies continued to make every product they made perfect and as good as the new ones, people would stop buying their new products.

  7. Andy Vines · 1303 days ago

    I'd disagree with you, Ralph.

    No-one is being forced to "buy new phones every year or two". Fashion does that quite nicely, thank you, and that has always been the way. People are always looking for the next thing to buy. Maybe that is why manufacturers don't continue support?

    I think that that is the real problem.

    Why should I have to go to a custom ROM to get the latest Android version for my phone? The companies should be pushing out the new versions, as soon as they come on the market.

    Finally.....LG UK also announced that there are no plans to upgrade MY phone to 2.2, as the hardware is not capable of supporting the OS.

    Funny how I now have 2.3 on my phone, isn't it?

  8. Rui Martins · 1199 days ago

    HTC also says that the HTC Tattoo won't be upgraded, due to lack of performance or some bullshit like that. This sucker (HTC Tattoo) is still running:
    - Firmware 1.6
    - Kernel Version 2.6.29 (htc-kernel)
    - Software version 1.67.405.70

    I have been tempted to upgrade to a custom ROM too, but since it has been working almost flawlessly for the last months, I haven't bothered yet.

    Security upgrades should be automatic, if specifically related to the Kernel or Android structure!

    The problem is in the provider/manufacturer software, that is not updated due to financial reasons, they just don't care, if there isn't money on it.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.