A total of 21 apps rigged with a trojan were pulled from the Android Market after at least four days, during which they registered over 50,000 downloads.
The original report came from a Reddit user named "lompolo" who noticed that one of the apps was actually a legit one republished by a different developer.
Apparently all of the apps under that developer's account had been stolen, repackaged with a trojan and published under different names.
Upon installation, the rogue apps executed a known exploit to obtain elevated privileges on the device, which allowed them to deploy the malware.
According to Android Police, the trojan submitted information about infected devices to a remote server, including IMEI and IMSI codes, product IDs, model, provider, language, country and user IDs.
The malware also had the ability to download and execute arbitrary code remotely. Its description is similar to that of the recently discovered Geinimi trojan, which is believed to be of Chinese origin and also uses repackaged apps as an infection vector.
The developer of one app abused in this attack claims he unsuccessfully tried to contact Google about the issue for a week via DMCA notifications, malicious app reports and Android Market help.
Just as security researchers predicted more than a year ago, Android is slowly becoming the focus of mobile malware. If things continue down this path, people's confidence in the platform will suffer.
Google tried to fix the problem by using its remote uninstall ability to remove the rogue apps from infected devices. But it's doubtful that hackers really care about this as long as they can run unauthorized code before the company has a chance to react.
Add to this the problem of fragmented update deployment, which can mean months pass before users receive security patches, and Android doesn't look like a wise choice for security-conscious users.