A new variant of the DroidDream Android malware has been detected in Google’s Android Market app store, prompting the removal of over 25 apps and raising more questions about security on the platform.
An estimated 30,000 to 120,000 users downloaded the infected apps. Dubbed DroidDream Light, the new malware doesn’t even need users to run the app to wreak havoc: an incoming call is enough to activate it. It then sends some identifying data, such as the phone’s unique ID number, to a server. The malware can also download more malware that could do further damage but, unlike the original DroidDream, it can’t install it without user approval.
As in the March DroidDream outbreak, the malware was hidden in apps hijacked from legitimate developers and repackaged on Google’s app store. The company has reportedly removed the infected apps.
The incident highlights the ongoing issue with mobile app security, particularly on Android: namely, that users can’t necessarily trust everything on offer in an app store. Just as when downloading PC software, users need to exercise judgment.
That this comes as a surprise to many is probably a testament to Apple’s success with its own App Store, in which apps are more carefully vetted. The strategy has, at least so far, spared Apple the embarrassment of infecting users through the App Store and created an environment that spares users the responsibility of assessing an app’s reputation.
By comparison, the Android app ecosystem remains a bit of a Wild West, but more technically inclined users may willingly accept the added responsibility in exchange for the freedom to install any app they’d like. Meanwhile, Apple’s tight App Store control has led to complaints: apps that may conflict with Apple’s business plans have been barred, for example.
Nonetheless, Google is now facing the possibility that Android will get a reputation for having malware issues. In May, a vulnerability was discovered that makes it possible to access personal data on an Android device connected to open Wi-Fi networks. The flaw was fixable on the server side, so Google was able to address it quickly.
However, flaws that require phones to be patched present problems because individual carriers have to approve updates to handsets, and in the past some carriers have delayed updates by months or never deployed them at all. Google recently announced plans to streamline this process, which should make relatively timely updates possible in the future.