Norman Safeground Blogs

insight, opinion & information


Google Uses ‘the kill switch’ to Remove Downloaded Malware

In Norman’s yearly summary of security incidents, we also attempt to look into our crystal ball to predict what will happen in the year to come. One of the forecasts made in our 2010 summary was:

More widespread malware for handheld devices will emerge.

Several examples in the first two months indicate that this forecast will turn out to be valid.

Perhaps the most interesting incident affected users of devices running Google’s Android operating system. On Tuesday 1 March, Google’s Android team was made aware that malicious apps were available for download from Android Market.

TechCrunch reports that Google has confirmed that a total of 58 malicious apps were available, and that they were downloaded to approximately 260 000 devices before they were removed from Android Market.

It turned out that the malicious programs were modified copies of legitimate apps. The malware, called DreamDroid, is therefore a trojan. IBM Internet Security Systems X-Force has made a detailed technical analysis of the malware.

In a blog post on 5 March, Google described the steps the company had taken to mitigate the situation:

  1. Removed the malware from Android Market,
  2. Removed the malware from the devices that had installed the app(s),
  3. Pushed a security update to the affected devices, which reversed the exploits that were used,
  4. Added security measures to prevent apps using similar exploits from being distributed through Android Market.

Only Android versions prior to 2.2.2 are vulnerable.

The security update mentioned in item 3 is called Android Market Security Tool.

The action described in item 2 above is the so-called “kill switch” or “Remote Application Removal Feature”. It is described in “Android Market Business and Program Policies”:

Product Removals: From time to time, Google may discover a Product on the Market that violates the Android Market Developer Distribution Agreement or other legal agreements, laws, regulations or policies. In such an instance, Google retains the right to remotely remove those applications from your Device at its sole discretion. If that occurs Google will make reasonable efforts to recover the purchase price of the Product, if any, from the originating Developer on your behalf. If Google is unable to recover the full amount of the purchase price, it will divide any recovered amounts between the affected users on a pro rata basis.

Google also used the kill switch last summer. In a blog post, Rich Cannings, Android Security Lead, wrote:

While we hope to not have to use [the remote application removal feature], we know that we have the capability to take swift action on behalf of users’ safety when needed.

As Aaron Gingrich of Android Police pointed out in a blog item:

Openness – the very characteristic of Android that makes us love it – is a double-edged sword.

My guess is that this is not the last time that Google will have to use the kill switch.


The Author:

Made up of various contributors' opinions and insights - the power of the collective.
