All these days people have been cursing Apple’s app review policy and saying that Google’s Android Market is open and better. Well, here is a slap in the face for the open Android Market. The publisher Myournet has been publishing scary malware apps that root your phone and steal your data. According to Android Police, the apps have the ability to steal your phone’s IMEI/IMSI, Product ID, Model, Partner (Carrier/Manufacturer), Language, Country and User ID. What’s even scarier is that the apps can download more malware code from the Internet, which can do pretty much anything to anything in your phone.
Myournet had published 21 free apps in the Android Market that accounted for 50k-200k downloads in just 4 days. As of now they have been taken off the market, but here is a list in case you want to check whether you’ve already downloaded any of the apps.
- Falling Down
- Super Guitar Solo
- Super History Eraser
- Photo Editor
- Super Ringtone Maker
- Super Sex Positions
- Hot Sexy Videos
- Chess
- 下坠滚球_Falldown
- Hilton Sex Sound
- Screaming Sexy Japanese Girls
- Falling Ball Dodge
- Scientific Calculator
- Dice Roller
- 躲避弹球
- Advanced Currency Converter
- App Uninstaller
- 几何战机_PewPew
- Funny Paint
- Spider Man
- 蜘蛛侠
The malware apps were discovered by Reddit user Lompolo who explained the situation as follows.
Link to publisher’s apps here. I just randomly stumbled into one of the apps, recognized it and noticed that the publisher wasn’t who it was supposed to be.
Super Guitar Solo for example is originally Guitar Solo Lite. I downloaded two of the apps and extracted the APKs, they both contain what seems to be the “rageagainstthecage” root exploit – binary contains string “CVE-2010-EASY Android local root exploit (C) 2010 by 743C”. Don’t know what the apps actually do, but can’t be good.
I appreciate being able to publish an update to an app and the update going live instantly, but this is a bit scary. Some sort of moderation, or at least quicker reaction to malware complaints would be nice.
EDIT: After some dexing and jaxing, the apps seem to be at least posting the IMEI and IMSI codes to http://184.105.245.17:8080/GMServer/GMServlet, which seems to be located in Fremont, CA.
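The check Lompolo describes, unpacking an APK and looking for the exploit's banner string inside its files, can be scripted as a triage step. This is an added example, not code from the Reddit post or from this article; only the marker string comes from the post, while the sample archive and the member name `assets/helper.bin` are constructed for illustration.

```python
import io
import zipfile

# Marker taken from the string Lompolo quotes from the bundled binary.
MARKER = b"CVE-2010-EASY Android local root exploit"

def member_markers(fh, markers, chunk=1 << 16):
    """Stream one archive member and return the set of markers it contains."""
    keep = max(len(m) for m in markers) - 1   # overlap so a split marker is still seen
    tail, found = b"", set()
    while True:
        block = fh.read(chunk)
        if not block:
            return found
        window = tail + block
        found.update(m for m in markers if m in window)
        tail = window[-keep:] if keep else b""

def scan_apk(apk, markers=(MARKER,)):
    """Return [(member_name, marker_text)] for an APK given as path or file object.

    APK members are normally deflate-compressed, so a raw byte search over the
    .apk file can miss strings inside them; each member is decompressed here.
    """
    hits = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                for m in sorted(member_markers(fh, markers)):
                    hits.append((info.filename, m.decode("ascii", "replace")))
    return hits

def build_sample_apk(infected):
    """Constructed input: a minimal ZIP laid out like an APK, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        if infected:
            # Hypothetical member name; padding puts the marker across a 64 KiB read boundary.
            zf.writestr("assets/helper.bin", b"\x7fELF" + b"A" * 65520 + MARKER + b"\x00")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for label, flag in (("clean", False), ("repackaged", True)):
        print(label, scan_apk(build_sample_apk(flag)))
```

A hit only says the banner string is present in a member; a payload with the string stripped or the file encrypted would pass, so treat this as a first-pass filter rather than a verdict.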
Looks like Google needs to start monitoring the Android Market more seriously. Such openness is not welcome.
[via MobileCrunch]
2 responses to “Scary Malware In Android Market Takes Over Your Android Device”
Openness is good, but there should be some good review system in place which checks for malicious code signatures.
Apparently these guys got their apps reviewed and shipped the malware as upgrades!