Unlike Apple's iOS App Store and other smartphone app marketplaces, Google's Android Market does not vet applications by requiring developers to submit software for approval before it is published. App makers for Google's mobile platform merely have to pay a small fee to register as a developer and sign their app using a certificate or key before they can upload it directly to the Android Market.
The absence of a third-party approval process for Android Market has been identified as a potential security hole in the platform. "Prevention is always better than cure - so there's no doubt that vetting apps is going to be a stronger defence than cleaning up the malware mess later," Graham Cluley, senior technology consultant at Sophos, told silicon.com.
"Of course, vetting doesn't necessarily mean that all malware will be stopped at that point - but it does mean that apps need to go through an additional check," he added.
Writing in a blog post, Rich Cannings, Android security lead at Google, said Google's Android team was made aware of the malicious apps' existence on the evening of 1 March. "Within minutes of becoming aware, we identified and removed the malicious applications," he wrote.
According to Cannings, the apps exploited known vulnerabilities in the Android platform that affect versions 1.5, 1.6 and 2.0/2.1 - Cupcake, Donut and Eclair - but not version 2.2.2 - Froyo - or higher. Google believes the malicious apps only harvested certain device-specific data: the unique IMEI/IMSI codes used to identify mobile devices, and the version of Android running on the device.
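The practical question for anyone managing a fleet of Android handsets at the time was which devices fell inside the affected range. The script below is an added example, not code from the article or from Google: it parses dotted Android release strings properly (so that 2.2 sorts below 2.2.2 and 2.10 above 2.9, which naive string comparison gets wrong) and triages a device inventory against the 2.2.2 cut-off the article cites. The inventory, device identifiers and codename table are constructed for the example; treating the 2.2 and 2.2.1 builds, which the article does not name, as exposed because they sit below the cited threshold is a conservative assumption of mine, not a claim from the page.

```python
"""Triage an Android device inventory against the version range cited above.

Added example, not from the article or from Google. The only fact taken from
the article is the threshold: releases below Android 2.2.2 are treated as
exposed. Everything else here (device IDs, inventory rows) is constructed.
"""
from typing import Dict, List, Tuple

# From the article: 2.2.2 (Froyo) and higher are not affected.
PATCHED_FROM: Tuple[int, ...] = (2, 2, 2)

# Release codenames keyed on major.minor; illustrative lookup for the report.
CODENAMES: Dict[Tuple[int, int], str] = {
    (1, 5): "Cupcake",
    (1, 6): "Donut",
    (2, 0): "Eclair",
    (2, 1): "Eclair",
    (2, 2): "Froyo",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted release string such as '2.2.1' into a comparable int tuple.

    Raises ValueError on anything that is not digits and dots, so a bad
    inventory row is reported rather than silently counted as patched.
    """
    text = text.strip()
    if not text:
        raise ValueError("empty version string")
    parts = text.split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"malformed Android version: {text!r}")
    return tuple(int(part) for part in parts)


def is_exposed(version: str) -> bool:
    """True when the release is below the 2.2.2 threshold the article cites.

    Tuple comparison handles differing lengths: (2, 2) < (2, 2, 2) is True,
    so a bare '2.2' is conservatively treated as exposed (my assumption).
    """
    return parse_version(version) < PATCHED_FROM


def codename(version: str) -> str:
    """Map a release to its codename on major.minor, or 'unknown'."""
    parts = parse_version(version)
    key = (parts[0], parts[1] if len(parts) > 1 else 0)
    return CODENAMES.get(key, "unknown")


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket (device_id, android_version) rows into exposed/patched/unparseable."""
    report: Dict[str, List[str]] = {"exposed": [], "patched": [], "unparseable": []}
    for device_id, version in inventory:
        try:
            bucket = "exposed" if is_exposed(version) else "patched"
        except ValueError:
            bucket = "unparseable"
        report[bucket].append(device_id)
    return report


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("dev-01", "1.5"),
    ("dev-02", "2.1"),
    ("dev-03", "2.2"),
    ("dev-04", "2.2.2"),
    ("dev-05", "2.3.3"),
    ("dev-06", "froyo"),  # a free-text row that must not be counted as patched
]


def main() -> None:
    report = triage(SAMPLE_INVENTORY)
    for bucket, ids in report.items():
        print(f"{bucket:12s} {', '.join(ids) or '-'}")
    for device_id, version in SAMPLE_INVENTORY:
        try:
            print(f"{device_id}: {version} ({codename(version)})")
        except ValueError as exc:
            print(f"{device_id}: {exc}")


if __name__ == "__main__":
    main()
```

Rows that fail to parse land in their own bucket rather than defaulting to "patched": on a triage run the unparseable cases are exactly the ones a human should look at, and a silent default in either direction hides them.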
But Cannings added that "the nature of the exploits" meant the attackers had the ability to access other data. It was this risk that spurred Google to deploy its security tool to remove the offending apps, said Cannings, thereby preventing the attackers from accessing any more data from the affected devices. Google has also suspended the developer accounts associated with the malicious apps, and contacted police about the attack.
Users who have downloaded the malicious apps will have received an email notification from Google stating that its Android Market Security Tool update has been pushed to their device, and may also receive an email notification to confirm the malicious apps have been removed, according to the blog post. Only affected users will receive the update, and they will not be required to do anything to remove the malicious apps themselves.
However, Google has also provided troubleshooting tips for its Android Market Security Tool - suggesting it is possible for the update to fail to install correctly. In that instance, users are given a variety of troubleshooting options to try.
Even though Google can fix the compromised smartphones by using its remote security tools, Sophos' Cluley noted it cannot patch the underlying security hole the apps exploited without relying on the co-operation of the various third parties in its Android ecosystem - and that means the platform remains vulnerable.
"Unfortunately, although Google can fix affected smartphones, it can't patch the security hole that allowed the malware to cause problems in the first place," he said. "It's up to the [operators] and smartphone manufacturers to roll out the update to devices that may be vulnerable."
"That's a lot different from Apple, who can roll out a security update centrally via iTunes if a security problem emerges," Cluley added.
Google has not responded to a number of questions from silicon.com about the security issue. But Cannings' blog post added: "We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues."