Now Symantec states that Google immediately took down the two applications they reported from the Play Store, but oddly enough F-Secure seems to feel that Google should have gone further and removed anything relating to Mario Brothers even though the developer IDs were not the same. F-Secure went through the Play Store and found another developer that was using the same Dropdialer that Symantec noted in a different version of Super Mario Brothers.
Google removed the two original apps (the images on Symantec's site are too small to read the name of the developer, but it is clear it is one word). Although we do not have a timeline (Symantec's blog does not show the original posting date, only the last updated date and time), it looks like the apps were removed on the 9th, which is when the malware was identified. Other companies uploaded new applications that follow the same trend and also download the same malware on the 6th of July, again masquerading as different applications but with different developer IDs. These same applications all target the Eastern European region, a trend that Symantec is calling Market Spamming.
Now at first glance it looks like Google is not doing its job and is letting malware in. This is what F-Secure and a few blogs would like you to think as well. However, the apps themselves, as submitted to the Play Store, are not malicious and there is no indication in their code that they are malicious. It is not until you install the apps that you see the second half of the malware come into play. During the installation the malware asks you to allow it to download another app that it claims you need in order to use it.
If you click agree it downloads this secondary and malicious app called Activator (after warning you that it can send SMS messages and that they may cost money). Activator then sends out the costly SMS messages and removes itself. The social engineering here is that you supposedly need "Activator" to confirm the installation of the app in some form. After it is done it removes itself, as you no longer "need" it.
Now Google has some responsibility here, now that they have been informed of what to look for, to identify and remove applications with a code reference to the same repositories. The problem is that it is very simple to change that reference and then push another app up. So there is no guarantee that this type of "fix" would work (which is what F-Secure seems to think it would). Now remember that Apple just had its first spamming app in iTunes (which they also removed quickly after being notified), but there is nothing to stop something from working the same way in iTunes; after all, they have to leave in-app purchases open. This little loophole leaves the door open for malware to be installed on an iPhone just as easily as on an Android device. With Android the problem is that there are easier ways to push this up with limited effort (wallpaper and ROM emulators etc.). One other thing to note is that someone has to allow the secondary application to install in order to get this.
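To make the point about shared repository references concrete, here is an added example (not code from the original post, Symantec or F-Secure) of the kind of check a store could run: given the download URL found in one reported app, it lists other submissions whose code references the same URL, or the same host. The package names, developer IDs and URLs are constructed for illustration, and the last entry shows the limit the text describes: a dropper moved to a new host escapes the match.

```python
from collections import namedtuple
from urllib.parse import urlparse

# Constructed sample of store submissions with the download URLs found in
# their code. Developer IDs and URLs are made up for this example.
Submission = namedtuple("Submission", "package developer urls")

SUBMISSIONS = [
    Submission("com.example.mario1", "devA", ["http://drop.example.net/activator.apk"]),
    Submission("com.example.mario2", "devB", ["http://drop.example.net/activator.apk"]),
    Submission("com.example.gta",    "devC", ["http://drop.example.net/v2/activator.apk"]),
    Submission("com.example.clean",  "devD", ["https://cdn.example.org/assets.zip"]),
    # Re-upload that simply changed the host; neither match mode catches it.
    Submission("com.example.moved",  "devE", ["http://other.example.net/activator.apk"]),
]


def related_apps(submissions, known_url, by_host=False):
    """Return packages whose code references the reported dropper URL.

    by_host=False matches the exact URL, which is what a takedown keyed on
    the reported app would catch. by_host=True matches any URL on the same
    host, so re-uploads under new developer IDs that only renamed the file
    are also found. Developer ID is deliberately ignored, since the
    re-uploads used different IDs.
    """
    key = urlparse(known_url).netloc if by_host else known_url
    hits = []
    for app in submissions:
        for url in app.urls:
            candidate = urlparse(url).netloc if by_host else url
            if candidate == key:
                hits.append(app.package)
                break  # one matching URL is enough to flag the app
    return hits


if __name__ == "__main__":
    reported = "http://drop.example.net/activator.apk"
    print("exact URL:", related_apps(SUBMISSIONS, reported))
    print("same host:", related_apps(SUBMISSIONS, reported, by_host=True))
```

Widening the match from exact URL to host catches one more re-upload, but any check keyed on the reference itself is defeated as soon as the dropper is hosted somewhere new, which is why the text treats this as no guarantee.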
Apps are also easily scanned using a multitude of free malware checking programs from Symantec, Lookout Mobile Security, McAfee and others. So while we think that something needs to be done to ensure better app security in Google's Play Store, we also think that there needs to be a better education effort on the part of mobile phone makers (and developers) to make sure that the people using their products understand that they are not secure and that downloading apps from ANY source can be hazardous, especially any app that claims it requires a second component to work.
As smartphones and tablets become more and more common, the techniques and code to get through the "security" on them are also becoming more common. We took a look over this year's Black Hat convention and found a startling number of talks on exploiting ARM-based devices, iOS security, getting around the Bouncer in the Google Play Store, attacks on the baseband processors, and much more. This means that mobile phones and devices have truly caught up to PCs (all three kinds): they now have enough units in play to attract the attention of malicious coders, who are relying on poor security at the gate and on the device, coupled with a false sense of security on the part of users, to steal from the people that use them.