A security firm named Dasient studied 10,000 applications for Android smartphones and found that more than 8 percent of the applications are transmitting personal user data to unauthorized computers. This form of malware is designed to take control of a user’s smartphone. For instance, eleven of the malware-filled applications automatically sent text messages to entire contact lists, much like email spammers taking control of another account. If a user pays for SMS messages rather than an unlimited plan, it can easily rack up charges without any interaction from the user besides downloading the application.
Dasient CTO Neil Daswani also stated that the amount of infected applications has doubled over the last two years. It’s also possible that users are unknowingly installing malware when visiting a site. These efforts are called “Drive-By Downloads” because the user isn’t installing anything on purpose, but rather surfing or “driving-by”. This occurred earlier this year when a malicious website advertised cheats for the extremely popular mobile game Angry Birds. Another attempt happened last month with malware masking as Angry Birds add-ons.
The lack of regulation in the Android Market puts a portion of the blame on Google. While developers don’t have to put up with the long wait times of the Apple App Store approval process, the price of this freedom comes at the user’s expense. Without even the most basic security screening to make sure the application is free of malware, Google may watch the Android Market become riddled with more malware if the growth rate continues to rise over the next two years.
Beyond personal user data, the malware often leaks the IMEI number (specific to the phone) and the IMSI number (specific to the subscriber). With this information leaked to unauthorized servers, the SIM card in the phone can be cloned easily by the recipient or the data is likely sold in bulk to illegal organizations that create cloned phones.