Android, meet DroidDream

If you need proof that Android is surging in popularity, just look at all the malware being written for it.

Truth be told, I didn't want to write another post about Android this morning. It seems like we've written a lot about it in recent months, and when you're the scribe, you start to get a little jaded after a while.

And the latest malware news to reach my inbox isn't all that remarkable. My first thought was, "Oh, great. More FUD."

Then the Microsoft flashbacks started. I remember getting equally jaded whenever I had to write about the latest Windows vulnerability or worm. I hate to compare it to the movie "Groundhog Day" because it's not very original of me. But the comparison fits.

So here we are today, seeing almost-daily reports of some new malware designed to go after the Android phone. The similarity, obviously, is that Windows -- Internet Explorer, especially -- has always been a favorite target among hackers because it's so ubiquitous. Almost every business runs Windows, so why waste time on other things when you could shoot already-dead fish in a barrel?

That's why Mac users never had to worry as much. It's not that Apple built more secure products. It's just that the Windows environment was too target-rich to abandon.

As everyone's attention shifts to smartphones, Android is emerging as the target of choice. Perhaps I oversimplify things, but where there's a surge in market share, there tends to be the most smoke and fire.

The latest example comes in an e-mail I received this morning from Lookout Mobile Security, which read:

(Tuesday night) many instances of Android malware were discovered in the Android Market. A user on a popular news aggregator site, Lompolo, discovered the first instances of this malware after noticing that one of the apps he had downloaded had a duplicate -- but not from the original developer.

This repackaging of apps is something Lookout has seen outside the US where app markets are less policed.

Called “DroidDream”, the malware has been found in more than 40 applications, and Lookout continues to discover more.

Google has already pulled several of the infected apps from the market and remotely removed the infected apps off of any device that previously downloaded it.

Like I said, there's nothing particularly remarkable here. Not to me, anyway. Smarter people may see it differently.

But it is one more example of how the mobile threat has really shifted from an abstract concept to reality.

If there's a bright side, perhaps it's that the providers will start fixing all the old-school flaws they've allowed into the mobile app code pool -- a problem Intrepidus Group researchers Zach Lanier and Mike Zusman outlined at the SecTor conference last fall.

In the rush to satisfy smartphone users hungry for new apps, the same mistakes that were made around 1999-2000 in the PC world are being repeated. After looking at the more popular phones like Android and BlackBerry, the two discovered, among other things, that:

--Intercepting one's credentials on an app like Foursquare is pretty easy.

--Storage apps -- popular among those who like to store and easily retrieve music and video on their phones -- contain security holes an attacker could exploit to cause a denial of service or bypass digital rights management controls.

--Carrier-based apps tend to trust you just because you happen to be on the carrier network.

--Third-party apps are sometimes better than carrier-based apps in this regard, but there's still incomplete support for open standards.

--Man-in-the-middle attacks are fairly trivial across the board.

--It's trivial for a bad guy to replay a user's picture upload requests via a third-party upload app for BlackBerry and send their own, potentially malicious files to random accounts. Zusman said injection flaws in the picture upload feature abound and that it was fairly simple to inject their own XML attribute.

Lanier and Zusman concluded that in the mobile phone Web app world there's a lack of guidance, standards and best practices for developers.

"We learned about many of these weaknesses 10 years ago," Lanier said at the time. "We're forgetting the lessons we already learned."

--Bill Brenner
