Malware found in Google Android security app

Market security tool found by Symantec Corp. to contain suspicious code

In the cat-and-mouse game of security being played out between Google and hackers who are inserting Trojan malware into Android applications, the ball apparently is back in the cat’s court.

Google released an application this week to remove malicious applications for Android phones that were found in Google’s Android Market. Researchers at Symantec Corp. now are reporting that they have found copies of the Android Market Security Tool that contain suspicious code.

“The technique employs nothing new,” said Joe Chen, director of engineering for Symantec Security Response. Malware writers routinely sail under false colors. “In this case there is a demand in the market to clean previous malware and Google has released a tool, so that is an opportunity for them.”

The infected applications being targeted by Google contained malware called Android.Rootcager, which has been rated by Symantec at a low threat level, with relatively few infections in the wild. The malware took advantage of known vulnerabilities which do not affect versions 2.2.2 or higher of the Android software. Removal of the malware can be done manually by simply uninstalling the applications.

Google removed the malicious applications from Android Market March 1, and this week released the security tool, which was pushed to affected users. The tool is designed to automatically run and uninstall malicious applications, and then remove itself when finished.

The Android.Rootcager malware was found in versions of the security tool on an unregulated third-party Chinese marketplace. After Symantec reverse-engineered the software, it appeared capable of sending SMS messages if instructed by a command and control server. Symantec posted warnings of the tainted tool in blogs in Chinese as well as English.

Chen said it is not known if the malicious code has been executing on Android phones, or exactly what the purpose of the malware is.

“It has to be financially driven,” Chen said, and it could be used with key loggers to steal information or to distribute online ads to generate revenue.

Although mobile platforms such as Android phones do not lend themselves to the kind of high-bandwidth exploitation common with PC-based botnets, such as spamming and denial-of-service attacks, the consumption of extra bandwidth by malware contacting and downloading software from command servers could result in higher bills for the users, Symantec researchers have said. Malicious code also could send text messages to premium sites that charge to the user’s mobile bill for services or information. Phones also could be hijacked for long-distance service.

User responses to the security tool have ranged from “I think its an awesome thing that ur doing here!!! Thanks Android team!!” to “Why are people thanking Android/Google? This should have never happened in the first place. iTunes doesn't have this problem.”

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Thu, May 19, 2011 Confusedpick

Does this have anything to do with error code 'android.process.acore' ?

Fri, Mar 11, 2011 Pwoned

I've got a malware tool that will remove the malware tool that is supposed to clean out the malware that doesn't work. It's an awesome tool that will delete itself, and everything else you own, when it finished deleting the malware you thought you had. I am giving away this tool for free, cause I'm a friendly 12 year old with nothing else to do.