Google removes more DroidDream malware — and some popular game emulators
Jun 1, 2011 — by LinuxDevices Staff — from the LinuxDevices Archive — 6 viewsGoogle has removed 26 apps from Android Market that contain malware called DroidDream Light, capable of stealing a significant amount of personal data. Meanwhile, Google has caught flak over its quiet removal of several game emulators from Android Market, with some observers saying the emulators are legal while other suggest Google may be caving to pressure from game console companies.
A total of 26 applications in the official Android Market were found to contain malware that can steal significant amount of personal data, Lookout Security reported May 30. The new DroidDream Light is a modified version of the DroidDream that infected over 50 applications back in March.
DroidDream Light is believed to have already affected "between 30,000 and 120,000 users," according to Lookout.
Lookout Security identified DroidDream Light after a developer noticed modified versions of his app and another developer's app were being distributed in the Android Market under another developer account. The company identified the malicious code "grafted" into the apps and found similarities between the new code and the previously analyzed DroidDream samples.
Google has since removed all of the apps known to be infected from the Android Market, according to Lookout. Five different developer accounts were behind the infected apps, including Magic Photo Studio, Mango Studio, ET Tean, BeeGoo, and DroidPlus.
Despite the name, DroidDream Light does not appear to be any less malicious or less complex than the original DroidDream. In fact, it can be considered more dangerous, as it does not depend on the user to launch the app to execute.
The malware also collects a lot of information, including the unique IMEI (international mobile equipment identity) identifier, IMSI (International Mobile Subscriber Identifier), SDK version, handset model, and information about installed packages on the Android device, Lookout said.
DroidDream Light is triggered when the "android.intent.action.PHONE_STATE" value is set, which can happen, for example, when the user receives an incoming phone call, according to Lookout. While the latest malware is capable of downloading new packages and prompting users to install them, the new version differs from DroidDream in that it can't actually perform the update without the user accepting and approving the update requests.
The apps also contained code that could be triggered when users received text messages, F-Secure researchers found. "The added code will connect to a server and send details about the infected handset to the malware authors," F-Secure Chief Research Officer Mikko Hypponen wrote. "So we're talking about a mobile botnet."
Google discovered and removed 58 apps on the Android Market in early March when DroidDream first broke on the scene. Google also took the unprecedented step of using its "remote kill switch," which allowed it to automatically remove the malicious apps that had already been installed on Android devices. The company made a number of changes to try to prevent this kind of infection from happening again.
Users need to use "common sense" when installing apps and check the permissions that newly downloaded apps are requesting, Lookout said. The permissions should match the features the app provides. For example, one of the infected apps was supposed to simply display images in a gallery format and "was originally harmless," according to Hypponen. The malware-infected "Magic Photo Studio" version requested permission for full Internet access and to be able to read phone state and identity.
Lookout recommends users install a mobile security app that scans every app being downloaded to ensure it is safe. Lookout, F-Secure, and Webroot are just a handful of companies offering a mobile security app for Android users.
Google kicks out game emulators
Google's removal of the DroidDream Light infested apps follows its more controversial removal of game emulator apps from Android Market this past weekend, as reported by Engadget and others. The company has since received mixed reviews for quietly removing the game emulators, including Nesoid (NES/FC), Snesoid (Super Nintendo), and N64oid (Nintendo 64), which replicate the functionality of old games consoles.
Google also revoked the developer privileges of Yong Zhang, who develops and sells the emulators, which also include the now removed Gensoid (Sega), Ataroid (Atari), Gearoid (Sega), and Gameboid (GameBoy). Zhang is now selling the emulators over at SlideMe.
Google received some pointed criticism from open platform advocates and game enthusiasts. Mashable's Elizabeth Warren writes that game emulators "have cleared various legal challenges in the past," and suggests that their illegality is far from a certainty. Nevertheless, she notes that Apple's App Store has long banned emulators.
As several observers, including Ars Technica's Ryan Paul, note, Google removed a Sony Playstation emulator called PSX4Droid from Android Market last month, and similarly banned the developer, "ZodTTD."
In addition, notes Paul, "the timing of the emulator takedowns is obviously going to raise some eyebrows" considering Sony Ericsson's recent launch of its Android-based Xperia Play gaming phone (pictured). "Sony likely views Android's robust emulator support as a competitive threat to its own Xperia Play content sales."
On ZDNet, Ricardo Bilton calls the emulator apps "the most recent casualty to Google's increasingly closed platform approach." Bilton goes on to write, "Console emulators are in a bit of a grey area, legally sanctioned (and mostly useless) providing they do not also include copies of actual games. This is why the removal of the apps is a bit strange."
On Appolicious, meanwhile, Marty Gobel takes a more neutral stance, suggesting that Google was in its rights to remove them. The question is, he wonders, why did it take them so long to act?
Gobel dismisses speculation that Google has a deal in the works with Nintendo as "doubtful." Instead, he suggests that "It's just more likely that Google is simply clearing shop as more scrutiny than ever begins to be cast on Android. And as for Google being so 'free' and 'open' — well, that seems to be dwindling too, as they begin to take a far stricter view of illegal content."
Fahmida Rashid is a writer for eWEEK. Eric Brown also contributed to this report.
This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.