Fake Android Market Security tool delivers more than just a cure for Droid Dream malware

Filed Under: Android, Google, Malware, Mobile, SophosLabs

Only a couple of days after Google published its Android Market Security Tool, which removes all malicious applications infected with the Droid Dream malware and prevents their installation, a malicious version of the tool appeared on alternative Chinese application markets.

The Trojanized version of the tool is packaged with open source Java code taken from a project hosted on Google's own online source code repository. The project includes functionality to send MMS messages in the background, for example, when the device boots up.

A suspicious user will immediately notice the difference between the fake and the real Android Market tool if they check the permissions required at installation.

While the original tool only requires three permissions, the Trojanized version requires additional permissions for "Services that cost you money" as well as the device location.

Another difference is in the version number of the package. The original Google tool version is 2.5 while the fake tool's development is lagging behind a little, being "only" on version 1.5.
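The two checks described above (extra permissions and an older version number) can be automated. The following is an added example, not code from the original post or from Sophos; it assumes both manifests have already been decoded to plain-text XML (for example with apktool), and the package name and the three baseline permissions in the sample are constructed placeholders, not the real tool's manifest.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Permissions behind the two install-time prompts the article calls out.
RISKY = {"android.permission.SEND_SMS": "costs money",
         "android.permission.CALL_PHONE": "costs money",
         "android.permission.ACCESS_FINE_LOCATION": "location",
         "android.permission.ACCESS_COARSE_LOCATION": "location"}

def read_manifest(xml_text):
    """Return (package, versionName, set of requested permissions)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    perms.discard(None)
    return root.get("package"), root.get(ANDROID + "versionName", ""), perms

def version_key(v):
    """'2.5' -> (2, 5); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def compare(reference_xml, candidate_xml):
    """List the ways a candidate manifest deviates from the trusted reference."""
    ref_pkg, ref_ver, ref_perms = read_manifest(reference_xml)
    pkg, ver, perms = read_manifest(candidate_xml)
    findings = []
    if pkg != ref_pkg:
        findings.append(f"package name differs: {pkg}")
    if version_key(ver) < version_key(ref_ver):
        findings.append(f"version {ver} is older than reference {ref_ver}")
    for p in sorted(perms - ref_perms):
        findings.append(f"{RISKY.get(p, 'extra')}: {p}")
    return findings

def sample(version, perms):
    """Build a constructed manifest (not taken from either real package)."""
    uses = "".join(f'<uses-permission android:name="android.permission.{p}"/>'
                   for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.securitytool" android:versionName="{version}">'
            f'{uses}</manifest>')

BASE = ["INTERNET", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED"]  # placeholders
REFERENCE = sample("2.5", BASE)                                    # genuine: v2.5
CANDIDATE = sample("1.5", BASE + ["SEND_SMS", "ACCESS_FINE_LOCATION"])

if __name__ == "__main__":
    for finding in compare(REFERENCE, CANDIDATE):
        print(finding)
```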

The latest attack does not affect Android Market, but there may be many people, especially in China, who are happy to install a free Google tool that will protect them against attacks by a malware family.

The attack pattern of creating a fake security tool that detects non-existent threats is very common in the PC world and already brings in a lot of income for cybercriminals.

Judging by the popularity of Android devices and the recent increase in malware attacks, it may be just a matter of time before we start seeing highly suspicious products like Antivirus Android 2012 on the market.

Personally, I think that the ability to install non-market applications and ability to create third party application markets was a mistake for Google's Android team from the security point of view. This path is leading us to Windows-like threat levels.

Sophos products detect the fake Android Market Security tool as Troj/Bgserv-A.


4 Responses to Fake Android Market Security tool delivers more than just a cure for Droid Dream malware

  1. Guess this is another case of people needing to be trained in how to properly and safely use their devices, as usual. Almost all of these attacks have relied solely on the user being gullible and too trusting. I'm surprised Google allows installation of these types of applications and services as well.

  2. Now I see fake AVs are also affecting Android users. Fake AVs were once a computer-only threat but now it's spread to mobile phones!

  3. David · 1288 days ago

    Another good example of why it pays to read the ts & cs when installing any app. It's nice to have an open market unlike the locked-down iPhone, but users could definitely benefit from a little knowledge before they start using their Android phones.

  4. DekeTheGeek · 860 days ago

    Maybe Google should implement some sort of workflow-type setup for the market may help. If apps have a 'cooling off' period, it would give the security team time to remove those that are malicious before anyone can download it.

About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.