The Android team was informed last week of a number of malicious apps published to the Android Market. The apps were quickly removed from the Market, and the team is in the process of removing them from affected devices.
The apps used a known vulnerability that affects versions prior to Android 2.2.2. It is believed that the attacker(s) were able to gather the device-specific IMEI/IMSI (unique codes used to identify mobile devices) and the version of Android running on the device. It is also thought that the apps had access to other data, which led the Android team to take remediation steps for those who downloaded the apps.
Caution: Check Permissions Before Downloading Apps
As a precaution, you should always check the list of permissions requested by any app you download from the Market. In addition, the Android team is looking into additional safeguards to prevent attacks of this kind in the future.
An example of a permission to be cautious about is read/write contact data. Unless an app explicitly states a specific feature for which it would use your contact list, there isn't much reason to grant it this permission. There are possible exceptions, though. Typical apps that legitimately require this permission include social networking apps, typing/note-taking apps, SMS replacement apps, and contact management apps.
Another example is an app requesting the fine (GPS) location permission. While this does not by itself let an app steal your stored personal information, it does allow the application to track where you are. If you're not downloading a mapping app, maybe this app shouldn't be installed.
The best course of action is to use common sense. If the app is tic-tac-toe, question why it should need to read contact information or identify your GPS location.
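The "common sense" check above can be turned into a simple review step. The following is an added example (not code from the post or from the Android team): it parses an app's AndroidManifest.xml, lists the permissions requested, and flags sensitive ones that do not fit the kind of app being installed. The permission names are the real Android constants behind the post's examples (contacts, fine location, and READ_PHONE_STATE, which covers IMEI/IMSI); the category-to-permission table and the sample manifests are constructed for illustration and are assumptions, not an official list.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:name attributes in a manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names mapped to the data they expose.
# These correspond to the examples discussed in the post.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "read contact data",
    "android.permission.WRITE_CONTACTS": "write contact data",
    "android.permission.ACCESS_FINE_LOCATION": "fine (GPS) location",
    "android.permission.READ_PHONE_STATE": "device identifiers such as IMEI/IMSI",
}

# Constructed heuristic (an assumption, not an official list): which sensitive
# permissions a reviewer would plausibly accept for a given kind of app,
# following the post's examples. Anything else sensitive gets flagged.
EXPECTED_BY_CATEGORY = {
    "social": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "sms": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "notes": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "mapping": {"android.permission.ACCESS_FINE_LOCATION"},
    "game": set(),
}


def requested_permissions(manifest_xml):
    """Return the list of <uses-permission android:name="..."/> values in order."""
    root = ET.fromstring(manifest_xml)
    perms = []
    for elem in root.iter("uses-permission"):
        name = elem.get("{%s}name" % ANDROID_NS)
        if name:
            perms.append(name)
    return perms


def unexpected_permissions(manifest_xml, category):
    """Return (permission, what it exposes) for sensitive permissions that
    are not plausible for the given app category."""
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    return [
        (p, SENSITIVE[p])
        for p in requested_permissions(manifest_xml)
        if p in SENSITIVE and p not in expected
    ]


# Constructed sample: a tic-tac-toe game asking for contacts, GPS and phone state.
GAME_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tictactoe">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Tic Tac Toe"/>
</manifest>
"""

# Constructed sample: a social networking app that reads contacts, as expected.
SOCIAL_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.social">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Social"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest, category in (
        ("tictactoe", GAME_MANIFEST, "game"),
        ("social", SOCIAL_MANIFEST, "social"),
    ):
        print(label, "requests:", requested_permissions(manifest))
        for perm, exposes in unexpected_permissions(manifest, category):
            print("  FLAG:", perm, "->", exposes)
```

On a real device the same review is done from the Market's permission screen before installing; the script simply makes the "does this permission fit this app?" question explicit. INTERNET is deliberately not in the sensitive table here, since nearly every app requests it; the point, as in the post, is the mismatch between what the app does and the data it asks to read.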
For more details, please visit the Android Market Help Center.
Jeff Gibson is a Vulnerability and Forensics analyst at Westfield Insurance. Sharing Knowledge. Building Trust.