
Lompolo explains the situation quite well:
I asked our resident hacker to take a look at the code himself, and he’s verified it does indeed root the user’s device via rageagainstthecage or exploid. But that’s just the tip of the iceberg: it does more than just yank IMEI and IMSI. There’s another APK hidden inside the code, and it steals nearly everything it can: product ID, model, partner (provider?), language, country, and userID. But that’s all child’s play; the true pièce de résistance is that it has the ability to download more code. In other words, there’s no way to know what the app does after it’s installed, and the possibilities are nearly endless.
Justin pinged a contact at Google to bring the issue to their attention. In the time I’ve proofed this post, they’ve already checked the apps and are planning on pulling them from the Market [Update: holy cheeseballs, they’ve been pulled already! Took less than 5 minutes from first contact to pull!], as well as remotely removing them from users’ devices. Unfortunately, that doesn’t remove any code that’s already been backdoored in.
Let’s hope they’re quick to react – this is the ultimate Android Trojan to date, and it’s already been downloaded over 50,000 times.
Feel free to discuss this over at Droid Forums, or via the comments below.
Update: The publisher’s been removed entirely from the Market, so you can no longer see the list of apps. Luckily, I managed to grab a few screenshots last night. There’s been a ton of response to this, and we’ve been contacted by a few big dogs. Justin is also working on a removal tool. I’ll be doing a follow-up post this evening.