Malware Plagues Android Market Again, Spreading Rapidly, Steals Bank Passwords
Two new forms of Android malware are now in the wild. The first one is a new variant of DroidDream Light, which has been spotted on the Android Market by Android anti-malware maker Lookout. The second one, a lot more serious, is known as Zitmo, has the ability to intercept banking data from unsuspecting users. These two threats have caused many to question Google’s policy on allowing all apps to make it to the platform without any previous approval.
According to the security firm that reported on DroidDream Light, this new variant was found to be embedded into four apps, all submitted by the Android Market user known as Mobnet: Quick FallDown, Scientific Calculator, Bubble Buster and a clone of Best Compass & Leveler, which is a credible app. All four apps were pulled from the Android Market, although 1000 to 5000 handsets were affected by this threat.
DroidDream Light is a serious threat, capable of performing unwanted tasks in the background with or without the user’s consent. This threat will also occasionally pop up download prompts for malicious software that users might accidentally accept.
Download an application from an HTTP server showing a notification with progress bar, and on completion fire an intent to prompt an install (parameters: description, title, packagename, url, filename)
While serious, the only damage DroidLight will cause will be to the handset itself. That’s not the case with Zitmo, a variant of Zeus which has plagued other platforms such as Windows Mobile and Symbian, which is aimed at stealing banking information from users. The new malware has both a PC and Android component in order to create a man-in-the-middle attack: once a user visits a banking website from a PC, the Android malware is triggered and listens to any incoming SMS messages in order to capture the authentication code from the bank’s site. Using that code, the malware can perform transactions on the user’s behalf.
The APK file itself has a 19k size. It passes itself off as a security tool from Trusteer. If a user installs the malicious application then the ‘Trusteer Rapport’ icon will appear in the main menu and that is what is going to be on the screen after clicking on the application’s link.
If you suspect you’ve downloaded an app with any one of these threats, you are not safe and should take action immediately by downloading an anti-malware program for Android. There are many out there, including free ones, such as AVG For Android and Lookout, both offering basic protection against a growing number of mobile threats.
Many are starting to believe that Google should have stricter criteria when approving apps into its official market place. While Android apps can be freely obtained from anywhere, including third-party app stores, Google’s very own Market should be there to provide users with a secure experience when downloading apps. Without drawing too many comparisons, a threat like this would very unlikely make it through Apple’s app approval process, which Google could perhaps learn from.
These are not the first major Android threats that have surfaced this year. The previous iteration of DroidDream had a much nastier impact, affecting between 30,000 and 120,000 people; along with another threat earlier this year, known as DroidKungFu.