Outline · [ Standard ] · Linear+ 21 de aplicatii malware gasite in Market, From: AndroidPolice.com

andy_trojan_thumb.jpg The Mother Of All Android Malware Has Arrived: Stolen Apps Released To The Market That Root Your Phone, Steal Your Data, And Open Backdoor Openness – the very characteristic of Android that makes us love it – is a double-edged sword. Redditor lompolo has stumbled upon a perfect example of that fact; he’s noticed that a publisher has taken "… 21 popular free apps from the market, injected root exploits into them and republished." The really scary part? "50k-200k downloads combined in 4 days." Link to publishers apps here. I just randomly stumbled into one of the apps, recognized it and noticed that the publisher wasn’t who it was supposed to be. Super Guitar Solo for example is originally Guitar Solo Lite. I downloaded two of the apps and extracted the APK’s, they both contain what seems to be the "rageagainstthecage" root exploit – binary contains string "CVE-2010-EASY Android local root exploit © 2010 by 743C". Don’t know what the apps actually do, but can’t be good. I appreciate being able to publish an update to an app and the update going live instantly, but this is a bit scary. Some sort of moderation, or at least quicker reaction to malware complaints would be nice. EDIT: After some dexing and jaxing, the apps seem to be at least posting the IMEI and IMSI codes to http://184.105.245.17:8080/GMServer/GMServlet, which seems to be located in Fremont, CA. I asked our resident hacker to take a look at the code himself, and he’s verified it does indeed root the user’s device via rageagainstthecage or exploid. But that’s just the tip of the iceberg: it does more than just yank IMEI and IMSI. There’s another APK hidden inside the code, and it steals nearly everything it can: product ID, model, partner (provider?), language, country, and userID. But that’s all child’s play; the true pièce de résistance is that it has the ability to download more code. In other words, there’s no way to know what the app does after it’s installed, and the possibilities are nearly endless. Justin pinged a contact at Google to bring the issue to their attention. In the time I’ve proofed this post, they’ve already checked the apps and are planning on pulling them from the Market [Update: holy cheeseballs, they've been pulled already! Took less than 5 minutes from first contact to pull!], as well as remotely removing them from user’s devices. Unfortunately, that doesn’t remove any code that’s already been backdoored in. Let’s hope they’re quick to react – this is the ultimate Android Trojan to date, and it’s already been downloaded over 50,000 times. Feel free to discuss this over at Droid Forums, or via the comments below. The offending apps from publisher Myournet: Falling Down Super Guitar Solo Super History Eraser Photo Editor Super Ringtone Maker Super Sex Positions Hot Sexy Videos Chess 下坠滚球_Falldown Hilton Sex Sound Screaming Sexy Japanese Girls Falling Ball Dodge Scientific Calculator Dice Roller 躲避弹球 Advanced Currency Converter App Uninstaller 几何战机_PewPew Funny Paint Spider Man 蜘蛛侠 androidpolice.com

andy_trojan_thumb.jpg


The Mother Of All Android Malware Has Arrived: Stolen Apps Released To The Market That Root Your Phone, Steal Your Data, And Open Backdoor

Openness – the very characteristic of Android that makes us love it – is a double-edged sword. Redditor lompolo has stumbled upon a perfect example of that fact; he’s noticed that a publisher has taken "… 21 popular free apps from the market, injected root exploits into them and republished." The really scary part? "50k-200k downloads combined in 4 days."

Link to publishers apps here. I just randomly stumbled into one of the apps, recognized it and noticed that the publisher wasn’t who it was supposed to be.
Super Guitar Solo for example is originally Guitar Solo Lite. I downloaded two of the apps and extracted the APK’s, they both contain what seems to be the "rageagainstthecage" root exploit – binary contains string "CVE-2010-EASY Android local root exploit © 2010 by 743C". Don’t know what the apps actually do, but can’t be good.
I appreciate being able to publish an update to an app and the update going live instantly, but this is a bit scary. Some sort of moderation, or at least quicker reaction to malware complaints would be nice.
EDIT: After some dexing and jaxing, the apps seem to be at least posting the IMEI and IMSI codes to http://184.105.245.17:8080/GMServer/GMServlet, which seems to be located in Fremont, CA.

I asked our resident hacker to take a look at the code himself, and he’s verified it does indeed root the user’s device via rageagainstthecage or exploid. But that’s just the tip of the iceberg: it does more than just yank IMEI and IMSI. There’s another APK hidden inside the code, and it steals nearly everything it can: product ID, model, partner (provider?), language, country, and userID. But that’s all child’s play; the true pièce de résistance is that it has the ability to download more code. In other words, there’s no way to know what the app does after it’s installed, and the possibilities are nearly endless.
Justin pinged a contact at Google to bring the issue to their attention. In the time I’ve proofed this post, they’ve already checked the apps and are planning on pulling them from the Market [Update: holy cheeseballs, they've been pulled already! Took less than 5 minutes from first contact to pull!], as well as remotely removing them from user’s devices. Unfortunately, that doesn’t remove any code that’s already been backdoored in.
Let’s hope they’re quick to react – this is the ultimate Android Trojan to date, and it’s already been downloaded over 50,000 times.
Feel free to discuss this over at Droid Forums, or via the comments below.
The offending apps from publisher Myournet:
Falling Down
Super Guitar Solo
Super History Eraser
Photo Editor
Super Ringtone Maker
Super Sex Positions
Hot Sexy Videos
Chess
下坠滚球_Falldown
Hilton Sex Sound
Screaming Sexy Japanese Girls
Falling Ball Dodge
Scientific Calculator
Dice Roller
躲避弹球
Advanced Currency Converter
App Uninstaller
几何战机_PewPew
Funny Paint
Spider Man
蜘蛛侠

androidpolice.com

Dar cand sunt urcate pe market de ce nu pot fi scanate inainte sa fie shared?

Pentru ca nu apareau virusii in semnaturile nici unui program de antivirusi, logic.

This post has been edited by argon: 2 Mar 2011, 13:38

parerea mea e ca ar trebui sa fie verificate programele din market.

Google tocmai a achizitionat o companie care cu asa ceva se ocupa. Poate pentru asta au cumparat-o.

Pentru Gingerbread 2.3.3 oficial, din ce am citit, inca nu exista un exploit pentru root, deci softurile alea nu pot face nimic. Dar e o chestiune de timp probabil.

argon - deloc logic, „he’s verified it does indeed root the user’s device via rageagainstthecage or exploid” - astea nu au apărut peste noapte și la o secunda peste noapte deja să fie pe Piață. Chiar și așa, ar putea fi scanate regulat. Dar probabil explicația e alta.