Google Finally Uses Remote Kill Switch On Malware

Hugh Pickens writes writes "The Google Mobile Team has announced that in addition to removing the 21 malicious applications from Android Market that were downloaded 50,000 times, suspending the associated developer accounts, and contacting law enforcement about the attacks, they are remotely removing the malicious applications from affected devices. 'We are pushing an Android Market security update to all affected devices that undoes the exploits to prevent the attacker(s) from accessing any more information from affected devices,' wrote the team on their blog. 'For affected devices, we believe that the only information the attacker(s) were able to gather was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices, and the version of Android running on your device).' Google's actions come after numerous complaints in tech publications. "Does Google really want its Android Market to gain the reputation of being a cesspool of malware? 'Certainly not,' wrote Nicholas Deleon in TechCrunch. 'But then part of the allure of the Android Market is that it's open; you don't have to play by Google's rules, per se, to get on there like you do with Apple's App Store.'"

Android security

Is this the way Android security will be handled (after-the-fact cleanup via the marketplace)? It just seems to me that since the manufacturers don't seem to be too keen on supporting their handsets for longer than it takes them to get the next model out the door, and since the service providers like to sit on updates or block them altogether the actual vulnerabilities are unlikely to be fixed.

I was stupid enough myself to buy a Sony-Ericsson Android device only for them to basically drop it a month later, so presumably it will always be vulnerable to the holes used by this round of malware?

within minutes?

[Bram+Stolk]

Google:
Within minutes of becoming aware, we identified and removed the malicious applications.

But from the comments in the blog post, we can read that:
This is where the problem is. You became aware because someone had a contact inside Google who alerted to right people.
According to one of the developers of the hijacked applications, he had tried for almost a week to get in contact with someone through the normal channels to correct the situation.
I am sorry if I sounds harsh, but Google are a master of data processing, and surely you should be able to pick up a distress call from a developer within hours instead of a week.

Re:Way to go!

[thetoadwarrior]

Well yes you're right. Control is needed to try and attempt to keep quality high both in content and coding and to help keep security high.

Mobiles are different from desktops and I think resorting to virus scanning on mobiles would be awful. While Apple's approach is by no means perfect it is actually looking like the best solution. I just don't bother with the app market for my Android. There is a lot of shit in the market to sift through and while being concerned with how many apps ask for all sorts of permissions we're now finding out that actually a lot of bad stuff is getting through and not being found straight away.

I do think my next phone will be an iPhone. The games are definitely better and until Google proves to at least be more proactive on filtering out the rubbish then I just can't trust the apps and what is the point of a smart phone without apps?

If Google can tell me what the app needs access too then surely there is some way they could come up with a system that flags apps ask having questionable requirements and requiring someone at Google to personally review it before it makes it onto the market.

When you want people to tie all their personal information and even payment methods (ie Google Checkout) to a device it needs to have some sort of security. It is not good enough to kill it after it's been downloaded a quater of a million times. Alternatively they can come up with some sort of mobile virus / malware scanner and risk complaints about battery life and performance.

Re:GJ GOOGLE

[Deathlizard]

Except that it's unlikely that this will totally clean the problem.

This Exploit Rooted phones. That means Google lost control of the phone the second the user installed and run the malicious app. They could remove all of the malicious apps all day long but all that does is remove the Trojan Horse that dropped the rootkit.

As for the removal tool Google is planning to send. If the virus programmers have any sort of brain the first thing they're going to do is block the removal tool from removing the rootkit by sending a patch to the rootkit. It wouldn't surprise me if the rootkit doesn't phone home soon and download something to either spoof that the rootkit was removed or block the rootkit remover altogether and disable apps (either from Google or a third party) designed to remove the exploit. Google giving them a heads up through the blog post that they got 72 hours to code such a patch just made the virus writers job even easier.

Now I'm not saying that Google is handling this totally incorrectly. If I was Google, I would have taken many of the steps that they are currently doing, except I would not publicly lay out the plan until after it was executed. I know it would give Google Bad PR by sending apps without user knowledge, but it would have minimized a counterattack time frame from the virus writers and would have been the safer option overall. I just hope that Google has another strategy if this one fails, such as carrier involvement to recover and possibly disable remaining infected phones until it can be cleaned by a carrier tech.