Android Malware Found in Angry Birds Add-On Apps

Google recently removed at least 10 applications from the Android Market, all of which contained malicious code disguised as add-ons to one of the most popular apps of all time.

Each of the removed apps posed as a cheat or an add-on to Angry Birds, the much-lauded mobile application created by Finnish game development studio Rovio.

A number of the apps in question contained a spyware program called Plankton, which connects to a remote server and uploads phone information like the IMEI number, browser bookmarks and browsing history.

“Market descriptions for these apps included the statement ‘brought to you free sponsored by Choopcheec Platform,’” Lookout Security spokesperson Alicia diVittorio told Wired.com. “[They include] a link to an EULA that does seem to accurately describe the behavior observed to date. We do not see these as desirable behaviors and classify it as Spyware.”

Xuxian Jiang, an assistant professor of computer science at North Carolina State University, initially discovered the malicious applications last week, and reported them to Google on June 5. Google suspended the questionable applications the same day, “pending further investigation.”

Jiang found malicious programs other than Plankton in his research. YZHCSMS, for example, is a Trojan horse virus that jacks up your phone bill by sending large amounts of SMS messages to premium numbers. Jiang says apps containing the virus were available on the Android Market for at least three months before Google pulled them.

Jiang found a similar application, DroidKungFu, circulating Chinese application markets before YZHCSMS made its way to the Android Market. “DroidKungFu can collect various information about the infected phone, including the IMEI number, phone model and Android OS version,” according to a Lookout Security blog post.

For many app developers, the Android Market offers a freedom not found in other application retail outlets. Unlike Apple’s strict application review process, apps submitted to the Android Market are published almost instantaneously. Many appreciate the freedom given to push programs out to the public at such a speed.

However, the Android Market’s app submission process comes at a cost. Google’s lack of vetting applications lends the Market to security vulnerabilities like these. Google mostly relies on a self-policing community — including researchers like Jiang — to spot offending apps, which means malware can sit in the market for months before someone spots it.

With a relatively open submission process like Android’s, this obviously isn’t Google’s first run-in with malicious app removals. Google pulled nearly two dozen malware-infected applications in early March, but not before close to 200,000 downloads occurred.

Going outside of the official Android Market for apps can be even riskier. Because users are able to download applications from alternative app markets — a feature unavailable to iPhone users — many have popped up over the past two years. Without Google’s moderation capabilities in these outside markets, users are more susceptible to downloading malicious apps. A Trojan with “botnet-like capabilities” popped up in early April, for example, highlighting the risk in going to alternative markets for applications.