In mid-February, an unknown developer posted a number of applications for the Android smart phone—titles including Bowling Time, Super Guitar Solo, and Dice Roller—to Google’s Android Market.
Two weeks later, a blogger discovered that these applications were actually Trojan horses—they contained malicious code dubbed DroidDream that was designed to infect a user’s Android phone. The attack creates a backdoor into the victim’s smart phone, allowing the attacker to install additional malicious software on the device.
On March 1, Google removed the Trojan applications; a total of 58 were found to contain the DroidDream malware. Google also said it had determined that approximately 260,000 Android phones had been infected, although no personal information was compromised. Google then used a feature built into Android that allowed it to remotely remove the rogue applications from infected devices.
Yet even now, as many as half of all Android users continue to be vulnerable to a software bug that DroidDream exploited. “Google’s fix removes the actual packages that exploited the flaw, but doesn’t fix the underlying vulnerability,” says Kevin Mahaffey, chief technology officer at mobile security firm Lookout, which has analyzed the malware.
With Android, each mobile phone company has its own build of the Android operating system so that it can include its own user interface, graphics, and branding. Although Google released an updated version of Android that fixed the vulnerability soon after it was discovered, at least 42 percent of phones run an older version that is still vulnerable, according to data available on the Android developer site.
Fixing phones properly requires hardware makers to create their own updates incorporating Google’s fix; they test those updates and pass them on to carriers, who also test the fixes before pushing them out to customers. Apps for Android devices, including ones developed by Google, could be updated through the Android Market, but system software has to be updated through the carrier’s channel.
“This is absolutely a problem—it is not timely enough,” says Zach Lanier, a security consultant with the mobile-security services firm Intrepidus Group. Lanier adds that many smart phones may never see an update because risk-averse carriers are cautious about pushing software patches that could affect their networks. Manufacturers also have to deal with dozens of phone models, and testing the software against all those devices is labor-intensive. Google would not comment on Android security, but the company says it is working with phone manufacturers and carriers to fix the issues.
In the personal computer industry, software makers generally release fixes more quickly. Automated software updates have become necessary features of applications and operating systems, and are typically applied frequently. As a result, PC and Mac users can expect to have issues fixed on their systems in 30 days on average, according to research by security firm Qualys.
Apple vets iPhone applications before making them available through the App Store—which Google does not do with the Android Market. But security fixes for the iPhone are also implemented more quickly because Apple does not rely on carriers to distribute security fixes for the operating system or for applications. “[Apple] doesn’t have to deal with a bunch of devices,” says Lanier. “Their walled garden gives them the control to react more quickly.”
“From a security standpoint, the more automated this stuff is, the greater the penetration of the patching will be and the better off everyone will be,” says Tom Cross, a security researcher with IBM.
Hackers are turning to methods that were originally developed to allow phone users to avoid restrictions imposed by carriers. This practice, known as “jailbreaking,” lets iPhone and Android users give their devices new functionality—such as turning them into a mobile Wi-Fi hotspot—without paying extra to the carrier. “The place where we are seeing mature reliable exploit code being disseminated are for vulnerabilities that people are using to jailbreak their phones,” says Cross. “Those exploits can be used for malicious purposes.”