UPDATE 12/27/11: More Trojan Android apps have been found in the Android Market. Thirteen rogue Android games (copies of the most popular titles – see below) were uploaded to Android Market over the weekend. The attacker known as “Logastrod” repackaged the games as free versions, adding code that sends SMS messages to premium rate service (PRS) numbers. The malicious apps were published to Android Market early yesterday morning (Sunday, Pacific Time), which security researchers believe gave the attacker more time before the apps were removed.
The list of Android games infected included:
Cut the Rope FREE; NEED FOR SPEED™ Shift FREE; Assassin’s Creed® Revelations; My Water? FREE; Riptide GP FREE; Great Little War Game FREE; World of Goo FREE; Angry Birds FREE; Shoot The Birds FREE; Talking Tom Cat 2 Free; Bag It! FREE; Talking Larry the Bird Free; Talking Larry the Bird
TIP: NEVER accept permissions like “send SMS messages”, “read SMS or MMS messages” or “modify/delete SD card contents” for an app such as a game that has no legitimate need for them. I’m not surprised people ignored these red flags.
Approximately 10,000 people downloaded the Trojan SMS apps before Google removed them. SMS PRS Trojans are not new: they are one of the most common Android attack vectors right now and have been for some time. Some of them silently send and receive SMS and MMS messages, so victims may not realise anything is wrong until it is too late, i.e. when they check their mobile phone bill.
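The permission check the TIP above describes can be automated before you install a "free" game. The script below is an added example, not code from the original post or from Sophos: it parses a decoded AndroidManifest.xml, flags the permissions named in the TIP, and also looks for the send-plus-receive combination and the high-priority SMS_RECEIVED receiver that lets a Trojan swallow the premium-rate confirmation replies on Android of this era. The two manifests are constructed samples; the permission and action names are the real Android identifiers. Real APKs store the manifest as binary XML, so decode it first (e.g. `apktool d app.apk`) and feed the resulting text file to `triage()`.

```python
"""Flag the SMS premium-rate Trojan pattern in a decoded Android manifest.

Added example (not from the original post or from Sophos). Assumes the manifest
has already been decoded to plain XML, e.g. with `apktool d app.apk`.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions the TIP warns about, and why each matters for an SMS PRS Trojan.
RED_FLAGS = {
    "android.permission.SEND_SMS": "can send texts to premium-rate numbers at your cost",
    "android.permission.RECEIVE_SMS": "can see incoming texts, e.g. PRS confirmation replies",
    "android.permission.READ_SMS": "can read your stored SMS/MMS messages",
    "android.permission.WRITE_EXTERNAL_STORAGE": "can modify/delete SD card contents",
}

# Combinations that together describe the attack rather than one permission.
COMBOS = [
    ({"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
     "send + receive SMS: the silent premium-rate billing pattern"),
]


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name")
            for el in root.iter("uses-permission") if el.get(ANDROID_NS + "name")}


def sms_interceptors(manifest_xml):
    """Return receivers that listen for SMS_RECEIVED with an explicit priority.

    Pre-KitKat SMS_RECEIVED was an ordered broadcast, so a high-priority receiver
    could read a reply and abortBroadcast() before the user's SMS app saw it.
    """
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in intent_filter.iter("action")}
            if SMS_RECEIVED in actions:
                priority = intent_filter.get(ANDROID_NS + "priority")
                found.append((receiver.get(ANDROID_NS + "name"), priority))
    return found


def triage(manifest_xml):
    """Score a manifest: HIGH if it can send SMS, MEDIUM for other red flags, else LOW."""
    perms = requested_permissions(manifest_xml)
    flags = [(p, RED_FLAGS[p]) for p in sorted(perms) if p in RED_FLAGS]
    combos = [why for needed, why in COMBOS if needed <= perms]
    interceptors = sms_interceptors(manifest_xml)
    # A game has no business sending SMS at all: any SEND_SMS is a HIGH verdict.
    if "android.permission.SEND_SMS" in perms:
        verdict = "HIGH"
    elif flags or interceptors:
        verdict = "MEDIUM"
    else:
        verdict = "LOW"
    return {"permissions": sorted(perms), "flags": flags, "combos": combos,
            "interceptors": interceptors, "verdict": verdict}


# Constructed manifest resembling what a trojanised "free" game would request.
SAMPLE_TROJAN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Some Game FREE">
    <receiver android:name=".SmsListener">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for an ordinary game that only needs network access.
SAMPLE_CLEAN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Some Game"/>
</manifest>
"""

if __name__ == "__main__":
    for name, manifest in (("trojan", SAMPLE_TROJAN_MANIFEST), ("clean", SAMPLE_CLEAN_MANIFEST)):
        result = triage(manifest)
        print(f"{name}: verdict={result['verdict']}")
        for perm, why in result["flags"]:
            print(f"  - {perm}: {why}")
        for why in result["combos"]:
            print(f"  ! {why}")
        for receiver, priority in result["interceptors"]:
            print(f"  ! SMS_RECEIVED receiver {receiver} with priority {priority}")
```

The verdict deliberately keys on the app type: SEND_SMS is legitimate in a messaging client but never in a copy of a game, which is why the script treats it as HIGH on its own rather than waiting for the full combination.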
It also makes me wonder why on earth Google doesn’t have more stringent requirements for becoming an Android developer. The Apple and BlackBerry ecosystems are designed specifically to protect users from this type of attack vector. Google doesn’t appear to be making a great effort to introduce stricter app developer guidelines right now – it’s all about flooding the Market with apps to challenge the Apple App Store. A big thanks to the guys @Sophos for this report.
Safe surfing folks!