Fake Android Market Security tool delivers more than just a cure for Droid Dream malware


Only a couple of days after Google published its Android Market Security Tool – that removes all malicious applications infected with Droid Dream malware and prevents their installation – a malicious version of the tool appeared on alternative Chinese application markets.

The Trojanized version of the tool is packaged with open source Java code taken from a project hosted on Google’s own online source code repository. The project includes functionality to send MMS messages in the background, for example, when the device boots up.

A suspicious user will immediately notice the difference between the fake and the real Android Market tool if they check the permissions required at installation.

While the original tool only requires three permissions, the Trojanized version requires additional permissions for “Services that cost you money” as well as the device location.

Another difference is in the version number of the package. The original Google tool version is 2.5 while the fake tool’s development is lagging behind a little, being “only” on version 1.5.
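The two checks described above (extra permissions and a mismatched version number) can be automated against a known-good copy of the tool. The following Python sketch is an added example, not code from Google or Sophos; it assumes both manifests have already been decoded to text XML, and the package name and the three baseline permissions are constructed stand-ins because the article does not list them.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions behind the two install-screen groups the article names.
RISKY_GROUPS = {
    "Services that cost you money": {"android.permission.SEND_SMS",
                                     "android.permission.CALL_PHONE"},
    "Device location": {"android.permission.ACCESS_FINE_LOCATION",
                        "android.permission.ACCESS_COARSE_LOCATION"},
}

def read_manifest(xml_text):
    """Return (versionName, requested permissions) from a text-decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms.discard(None)
    return root.get(ANDROID_NS + "versionName"), perms

def compare_to_reference(reference_xml, candidate_xml):
    """Report how a candidate package's manifest differs from the trusted one."""
    ref_version, ref_perms = read_manifest(reference_xml)
    cand_version, cand_perms = read_manifest(candidate_xml)
    extra = cand_perms - ref_perms
    return {
        "version_mismatch": ref_version != cand_version,
        "extra_permissions": sorted(extra),
        "risky_groups": sorted(g for g, p in RISKY_GROUPS.items() if extra & p),
        "suspicious": ref_version != cand_version or bool(extra),
    }

def build_manifest(version, permissions):
    """Build a constructed sample manifest (package name is a placeholder)."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in permissions)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="example.placeholder" android:versionName="%s">%s</manifest>'
            % (version, uses))

# Constructed samples. The article gives only the versions (2.5 and 1.5) and the
# two extra groups; the three baseline permissions below are stand-ins.
BASELINE = ["android.permission.INTERNET", "android.permission.READ_PHONE_STATE",
            "android.permission.RECEIVE_BOOT_COMPLETED"]
REFERENCE = build_manifest("2.5", BASELINE)
CANDIDATE = build_manifest("1.5", BASELINE + ["android.permission.SEND_SMS",
                                              "android.permission.ACCESS_FINE_LOCATION"])

if __name__ == "__main__":
    print(compare_to_reference(REFERENCE, CANDIDATE))
```

A matching version number alone proves nothing, since `versionName` is whatever the packager writes; the permission delta is the stronger signal.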

The latest attack does not affect Android Market, but there may be many people, especially in China, happy to install a free Google tool which will protect them against attacks by a malware family.

The attack pattern of creating a fake security tool that detects non-existent threats is very common in the PC world and already brings in a lot of income for cybercriminals.

Judging by the popularity of Android devices and the recent increase in malware attacks, it may be just a matter of time before we start seeing highly suspicious products like Antivirus Android 2012 on the market.

Personally, I think that the ability to install non-market applications and the ability to create third-party application markets was a mistake for Google’s Android team from the security point of view. This path is leading us to Windows-like threat levels.

Sophos products detect the fake Android Market Security tool as Troj/Bgserv-A.