Symantec is warning users of Android smartphones about a new group of malicious applications on the Android Market that contain a Trojan designed to steal information and possibly open a back door on Android devices.
Symantec said the malicious code was found in more than a dozen arcade and action game Android applications written by iApps7 Inc. and Ogre Games. Titles include Counter Elite Force, Sexy Girls Puzzle and Hit Counter Terrorist. The applications, according to Symantec, could have been downloaded up to 5 million times. Symantec has notified Google about the malicious code, but some of the titles are still available.
“We’ve seen the approach where the bad guys take an existing legitimate application, modify it and post it onto the marketplace, but these seem to be created completely,” said Kevin Haley, director of Symantec Security Response. “The titles sound like the real existing mobile apps but they are not the real thing.”
The Trojan, called Counterclank, has been given a low risk level by Symantec, because the infection can be removed by simply uninstalling the application. The widespread availability of the applications has led Symantec researchers to believe the infection could be on millions of Android devices. “This is a classic Trojan horse where bad stuff is hidden within something that seems benign or seems perfectly fine,” Haley said.
A Google spokesperson declined to comment. Counterclank is very different from the DroidDream Trojan, which gained root access to the Android device. DroidDream appeared embedded within 50 applications in the official Android Market and forced Google to quickly remove the apps and deploy a security update to disinfect devices. The publishers that created the apps containing Counterclank state in the Android Market app description that they install the homepage search feature and have access to browsing history and bookmarks.
Once installed, the applications contain the Trojan, which is designed to be a “bot-like threat that can receive commands to carry out certain actions as well as steal information from the device,” wrote Irfan Asrar, a researcher with Symantec Security Response. The malicious applications ask users for a variety of permissions, including access to information about networks, GPS location, and read/write access to the user’s browsing history and bookmarks.
Victims with an infection will see a search icon on the home screen. In addition to stealing the device’s MAC address, SIM serial number and IMEI number, the Trojan can download additional files and display advertisements. Haley said the stolen data could be used to clone the phone and make long distance calls. The more interesting piece, according to Haley, is the ability of the cybercriminals to run adware on the phone and download anything they want onto the phone, including additional malware.