Skip to content

Fake Android Market Security tool

March 15, 2011

Fake Android Market Security tool delivers more than just a cure for Droid Dream malware

Amplify’d from nakedsecurity.sophos.com

Fake Android Market Security tool delivers more than just a cure for Droid Dream malware

Only a couple of days after Google published its Android Market Security Tool – that removes all malicious applications infected with Droid Dream malware and prevents their installation – a malicious version of the tool appeared on alternative Chinese application markets.

The Trojanized version of the tool is packaged with open source Java code taken from a project hosted on Google’s own online source code repository. The project includes functionality to send MMS messages in the background, for example, when the device boots up.

A suspicious user will immediately notice the difference between the fake and the real Android Market tool if they check the permissions required at installation.#

While the original tool only requires three permissions, the Trojanized version requires additional permissions for “Services that cost you money” as well as the device location.

Another difference is in the version number of the package. The original Google tool version is 2.5 while the fake tool’s development is lagging behind a little, being “only” on version 1.5.

The latest attack does not affect Android Market but there may be many people, especially in China, happy to install a free Google’s tool which will protect them against attacks by a malware family.

An attack pattern of creating a fake security tool that detects non-existing threats is very common in PC world and already brings a lot of income for cybercriminals.

Judging by the popularity of Android devices and the recent increase in malware attacks, it may be just a matter of time before we start seeing highly suspicious products like Antivirus Android 2012 on the market.

Personally, I think that the ability to install non-market applications and ability to create third party application markets was a mistake for Google’s Android team from the security point of view. This path is leading us to Windows-like threat levels.

Sophos products detect the fake Android Market Security tool as Troj/Bgserv-A.

About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.

Read more at nakedsecurity.sophos.com

 

One Comment leave one →
  1. September 17, 2011 5:54 am

    If you’d like to conversate more on social media, and mobile device privacy and security, stop by techsafely.com, a new blog focusing on how to protect yourself and your privacy while using the modern web.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: