In mid-February, an unknown developer posted a number of applications for the Android smart phone—titles including Bowling Time, Super Guitar Solo, and Dice Roller—to Google’s Android Market.
Two weeks later, a blogger discovered that these applications were actually Trojan horses—they contained malicious code dubbed DroidDream that was designed to infect a user’s Android phone. The attack creates a backdoor into the victim’s smart phone, allowing the attacker to install additional malicious software on the device.
On March 1, Google removed the Trojan applications; a total of 58 were found to contain the DroidDream malware. Google also said it had determined that approximately 260,000 Android phones had been infected, although no personal information was compromised. Google then used a feature built into Android that allowed it to remotely remove the rogue applications from infected devices.
Yet even now, as many as half of all Android users continue to be vulnerable to a software bug that DroidDream exploited. “Google’s fix removes the actual packages that exploited the flaw, but doesn’t fix the underlying vulnerability,” says Kevin Mahaffey, chief technology officer at mobile security firm Lookout, which has analyzed the malware.
With Android, each mobile phone company has its own build of the Android operating system so that it can include its own user interface, graphics, and branding. Although Google released an updated version of Android that fixed the vulnerability soon after it was discovered, at least 42 percent of phones run an older version that is still vulnerable, according to data available on the Android developer site.
Fixing phones properly requires hardware makers to create their own updates incorporating Google’s fix; they test those updates and pass them on to carriers, who also test the fixes before pushing them out to customers. Apps for Android devices, including ones developed by Google, could be updated through the Android Market, but system software has to be updated through the carrier’s channel.
“This is absolutely a problem—it is not timely enough,” says Zach Lanier, a security consultant with the mobile-security services firm Intrepidus Group. Lanier adds that many smart phones may never see an update because risk-averse carriers are cautious about pushing software patches that could affect their networks. Manufacturers also have to deal with dozens of phone models, and testing the software against all those devices is labor-intensive. Google would not comment on Android security, but the company says it is working with phone manufacturers and carriers to fix the issues.