Remember the ridiculous outrage that ensued after Steve Jobs confirmed that there was a “kill switch” built into the iPhone which allows Apple to remotely delete malicious apps that somehow manage to sneak into the app store?
Well, Android has a similar feature, and Google unfortunately had to employ it recently when they removed two misleading applications that were “built by a security researcher for research purposes.”
Google’s Android Blog explains:
These applications intentionally misrepresented their purpose in order to encourage user downloads, but they were not designed to be used maliciously, and did not have permission to access private data — or system resources beyond permission.INTERNET. As the applications were practically useless, most users uninstalled the applications shortly after downloading them.
After the researcher voluntarily removed these applications from Android Market, we decided, per the Android Market Terms of Service, to exercise our remote application removal feature on the remaining installed copies to complete the cleanup.
Sounds innocuous enough, and we can’t knock Google for remotely removing apps, but if the apps in question weren’t malicious, then why bother?
Well, Google’s description of events is pretty vague, so here are some details to fill in the holes courtesy of hackinthebox.
Security researcher Jon Oberheide uploaded an app promising never-before-seen pictures from the next Twilight movie. But hidden in the app was code that “phones home to check for any new code that Oberheide [wanted] to add to the program, including any hidden control program or ‘rootkit’ that he wished to install.”
The whole point of Oberheide’s exercise was to highlight what he claims is a serious security flaw in the Android Market: apps don’t need any user permission “to fetch new executable code.” The ordinary INTERNET permission is enough to download it, and nothing in Android’s permission model gates loading and running code at runtime. That being the case, a completely benign app installed on a user’s phone can later morph into a “much less friendly program.”
All in all, Oberheide was trying to demonstrate how easy it would be to build a mock botnet.
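The pattern described above (an app that talks to a server and then loads whatever code it fetched) leaves a footprint in the app’s bytecode: the Dalvik class descriptors for the network client and the runtime class loader both appear in the dex string table. The following is an added example, not code from the original post and not Oberheide’s app, showing a simple static check for that combination. The class descriptors are real Android/Java type names; the grouping into “network” and “loader” sets, the `scan_dex`/`scan_apk` names and the constructed sample blobs are this example’s own. A real `classes.dex` has a header and string_ids table, so the substring search below is a heuristic, not a parser.

```python
import zipfile
from dataclasses import dataclass, field

# Real Dalvik type descriptors, as stored in a dex string table.
# Grouping them into "network" and "loader" sets is an assumption of this example.
NETWORK_DESCRIPTORS = (
    b"Ljava/net/URL;",
    b"Ljava/net/HttpURLConnection;",
    b"Lorg/apache/http/client/HttpClient;",
)
LOADER_DESCRIPTORS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
)

DEX_MAGIC = b"dex\n"  # every dex file starts with "dex\n" + 3-digit version + NUL


@dataclass
class Finding:
    network: list = field(default_factory=list)
    loaders: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Network access alone is normal (it only needs permission.INTERNET);
        # network access plus a runtime class loader is the "fetch new code" pattern.
        return bool(self.network) and bool(self.loaders)


def scan_dex(dex: bytes) -> Finding:
    """Heuristic: substring search for the descriptors over the raw dex bytes."""
    if not dex.startswith(DEX_MAGIC):
        raise ValueError("not a dex file (bad magic)")
    finding = Finding()
    finding.network = [d.decode() for d in NETWORK_DESCRIPTORS if d in dex]
    finding.loaders = [d.decode() for d in LOADER_DESCRIPTORS if d in dex]
    return finding


def scan_apk(path: str) -> Finding:
    """An APK is a zip; merge findings over classes.dex, classes2.dex, ..."""
    merged = Finding()
    with zipfile.ZipFile(path) as apk:
        for name in apk.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                f = scan_dex(apk.read(name))
                merged.network += [n for n in f.network if n not in merged.network]
                merged.loaders += [l for l in f.loaders if l not in merged.loaders]
    return merged


def _fake_dex(*descriptors: bytes) -> bytes:
    """Constructed stand-in for classes.dex: magic followed by NUL-separated
    strings. Only exists so the scanner can be exercised offline."""
    return DEX_MAGIC + b"035\x00" + b"\x00".join(descriptors) + b"\x00"


# Constructed samples (not real apps): one that downloads an image and shows it,
# one that downloads something and hands it to a class loader.
BENIGN_SAMPLE = _fake_dex(
    b"Lcom/example/pics/MainActivity;",
    b"Ljava/net/HttpURLConnection;",
    b"Landroid/widget/ImageView;",
)
DROPPER_SAMPLE = _fake_dex(
    b"Lcom/example/pics/MainActivity;",
    b"Ljava/net/HttpURLConnection;",
    b"Ldalvik/system/DexClassLoader;",
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SAMPLE), ("dropper", DROPPER_SAMPLE)):
        f = scan_dex(blob)
        print(f"{label}: network={f.network} loaders={f.loaders} suspicious={f.suspicious}")
```

Expect false positives: legitimate plugin frameworks also download code and use `DexClassLoader`, so a hit is a reason to look at what is loaded and from where, not a verdict. The check also says nothing about the second half of Oberheide’s scenario, privilege escalation on the device, which no bytecode scan of the downloader can see.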
To take over those users’ phones, Oberheide would have also needed to exploit a vulnerability in Android’s Linux-based operating system. But he says that would have been fairly easy to pull off. According to research by the non-profit MITRE Corporation, there were 47 critical vulnerabilities in Linux found last year, up from just 27 in 2008. And Google has been slow to patch those vulnerabilities in Android, Oberheide says, often pushing out fixes to just a segment of users as a test before fully patching phones weeks later. “It’s absolutely trivial to win this race,” he says.
While Apple is routinely criticized for its admittedly arbitrary policing of its own app store, Google’s hands-off approach isn’t without its own problems.