Google removes Android malware so you don't have to
Android handsets infected with malware are getting a cleaning job from Google. On March 2nd, Google removed 21 apps from the Android Marketplace that contained malicious code (the number of infected apps is now 58). Now Google is "remotely removing the malicious applications from affected devices" and "pushing an Android Market security update to all affected devices that undoes the exploits to prevent the attacker(s) from accessing any more information from affected devices," according to a blog post by Rich Cannings, Android security lead.
Whoa. That's scary reassuring: Knowing Google can reach down to Android handsets to swat malicious code and undo its impact and simply that Google can reach down into devices at all. I mean whoa. "This remote application removal feature is one of many security controls the Android team," Cannings writes. Last year he defended the remote removal feature after Google nixed some applications. "This remote removal functionality -- along with Android's unique Application Sandbox and Permissions model, over-the-air update system, centralized Market, developer registrations, user-submitted ratings, and application flagging --provides a powerful security advantage to help protect Android users in our open environment."
I've got mixed feelings about the remote removal capabilities, which gives me mixed feelings of security and sense of Big Brother watching. So I ask: What's your feeling about Google's remote zap feature? Please answer in comments, or email joewilcox at gmail dot com.
On the evening of March 1st, Google became aware of the malicious apps, which were removed from the Android Marketplace "within minutes," Cannings writes. The 58 malicious applications exploited known Android vulnerabilities in some, but not all versions of the mobile operating system. Devices running Android 2.2.2 or higher aren't affected. Google believes that the malware only harvested IMEI/IMSI codes.
"If your device has been affected, you will receive an email from email@example.com over the next 72 hours," Cannings writes (he posted today at about 1 a.m. ET). "You will also receive a notification on your device that 'Android Market Security Tool March 2011' has been installed. You may also receive notification(s) on your device that an application has been removed. You are not required to take any action from there; the update will automatically undo the exploit. Within 24 hours of the exploit being undone, you will receive a second email."
Cannings didn't reveal the number of infected handsets and made nondescript promises about preventing something similar from happening again. "We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues." Which means what?
Did you download an app from the Android Marketplace that affected your computer? Unsure whether your phone is infected? "A user can determine if their device has been affected by visiting Settings > Applications > Running services and look for 'DownloadManageService' in the list of running services," according to a Google security notice. If you were infected, please share your story in comments, or email joewilcox at gmail dot com.