In the world of Android, a successful attack on applications hosted on Google’s Android Market is the equivalent of a successful black-hat search engine optimization campaign, a technique often seen in Windows malware, primarily fake anti-virus software.
By exploiting the reputation of a trusted content source, whether the Android Market or a search engine, attackers can build a platform for launching attacks, usually in the hope of making some money.
The latest two-pronged attack on the Android Market was launched by a malicious developer, Logastrod. Logastrod exploited the ease of cloning Android apps, made “trojanized” copies of many popular games and uploaded them to the Market.
The attacker created at least a dozen copies of the most popular games and published them as free versions after adding code that sends SMS messages to premium-rate numbers.
The malicious apps were published to the Market early yesterday morning, Pacific time, most probably to give the attacker more time before the applications were removed by the Google security team.
The list of cloned games included:
- Cut the Rope FREE
- NEED FOR SPEED™ Shift FREE
- Assassin’s Creed® Revelations
- Where’s My Water? FREE
- Riptide GP FREE
- Great Little War Game FREE
- World of Goo FREE
- Angry Birds FREE
- Shoot The Birds FREE
- Talking Tom Cat 2 Free
- Bag It! FREE
- Talking Larry the Bird Free
- Talking Larry the Bird
Misusing premium SMS services is the most common business model for mobile malware. Once a malicious app is installed, it starts sending or receiving messages, which makes the installation very expensive for the user. The damage is often noticed only when it is too late, once the monthly bill arrives.
After more than a day on the Market, the applications were pulled by the Android Market security team. Google’s reaction has been quick, but not quick enough – at least ten thousand users downloaded one of the malicious apps from the list.
We have already stated several times that the requirements for becoming an Android developer who can publish apps to the Android Market are far too relaxed. The cost of becoming a developer and being banned by Google is much lower than the money that can be earned by publishing malicious apps.
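The capability described above, sending SMS and intercepting incoming ones, has to be declared in an app's manifest before Android will grant it. The following is an added example written for this post, not Sophos's own tooling and not code from any of the apps named above: it parses an AndroidManifest.xml (both manifests below are constructed samples) and flags the SMS permissions and SMS_RECEIVED receivers that a game has no legitimate reason to request, which is a cheap triage check for anyone vetting a "FREE" clone of a paid title.

```python
import xml.etree.ElementTree as ET

# Android's resource namespace, used for the android:name attribute.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Broadcast action a receiver subscribes to in order to see incoming SMS.
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Permissions that allow an app to send SMS or read/intercept incoming SMS.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def sms_receivers(manifest_xml):
    """Return the names of <receiver> components that listen for SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME_ATTR) == SMS_RECEIVED_ACTION:
                found.append(receiver.get(NAME_ATTR))
                break
    return found


def sms_risk_report(manifest_xml):
    """Summarise the SMS-related capabilities a game should not need."""
    perms = requested_permissions(manifest_xml)
    return {
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "sms_receivers": sms_receivers(manifest_xml),
    }


def is_suspicious_game(manifest_xml):
    """A game that can send SMS or watch incoming SMS deserves a closer look."""
    report = sms_risk_report(manifest_xml)
    return bool(report["sms_permissions"] or report["sms_receivers"])


# Constructed sample: what a legitimate game's manifest typically declares.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed sample: the same game with SMS sending and an SMS receiver added.
# The package and class names are hypothetical.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name="com.example.game.SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("clean", CLEAN_MANIFEST), ("suspect", SUSPECT_MANIFEST)):
        print(label, sms_risk_report(manifest), "suspicious:", is_suspicious_game(manifest))
```

The receiver check matters as much as the permission check: a receiver for SMS_RECEIVED with a high priority is how an app can read, and potentially hide, the confirmation or billing messages a premium-rate service sends back, so the user sees nothing until the bill arrives. A real manifest inside an APK is stored in a binary XML encoding and has to be decoded first (for example with the Android SDK's aapt tool) before a text parser like this one can read it.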
The attacks on Android Market will continue as long as the developer requirements stay too relaxed.