Last week, Google launched an unusual security initiative by releasing its own “Android Market Security Tool March 2011” to remove the trojan DroidDream from infected users' Android phones and devices. The action was unusual in that it was initiated by Google itself, rather than released to mobile operators who, in turn, push it out to customers.
Now, attackers seem to be using Google’s release as a new attack vector: Symantec has announced that new Android malware (which it has dubbed Android.BGserv) is circulating and posing as Google’s legitimate security update. The malware appears to be set up to send SMS messages in response to commands it receives from a command-and-control server, although so far it doesn’t seem to have been activated. Symantec says the malware was found in an “unregulated third-party Chinese marketplace.”
However, what may be most interesting about this malware is that it appears to be based on an open source project hosted at Google Code and available to anyone under the terms of the Apache License.
The DroidDream trojan uses two exploits to download executable code to Android devices. Although Google fixed the vulnerabilities in Android 2.2.2, many Android users have not received updates from their carriers yet, and many older Android devices will not be updated to the newer software. Google’s Android Market Security Tool March 2011 does not actually patch the vulnerability on these devices, but does remove the DroidDream malware.