Google recently activated a remote ‘kill switch’ to remove two Android apps from the Android Market AND from the user’s phone.
“Every now and then, we remove applications from Android Market due to violations of our Android Market Developer Distribution Agreement or Content Policy” said a posting by Rich Cannings on the Android developer’s blog.
“In cases where users may have installed a malicious application that poses a threat, we’ve also developed technologies and processes to remotely remove an installed application from devices.”
In the recent case, Google removed two applications that were built by a security researcher for research purposes.
“These applications intentionally misrepresented their purpose in order to encourage user downloads, but they were not designed to be used maliciously, and did not have permission to access private data — or system resources beyond permission.INTERNET” said Cannings.
The thing is, Google didn’t mention who the security researcher was or what the applications were about.
It turns out it was Jon Oberheide, and on his own blog he explains that his application ‘RootStrap’ was intended as an example of an application that could be used to bootstrap a rootkit onto Android phones via the Android Market. Oberheide put RootStrap onto the Android Market masquerading as a Twilight Eclipse Preview.
“The Twilight app was actually just RootStrap in disguise, displaying a Twilight image while phoning home to check for new payloads to pull down and execute. Obviously, none of these payloads were actually malicious in nature” wrote Oberheide.
“RootStrap phones home periodically to fetch remote native ARM code and executes it outside the Dalvik VM. An attacker could use such an approach to gain a large install base for a seemingly innocent application and then push down a local privilege escalation exploit as soon as a new vulnerability is discovered in the Linux kernel and root the device” he said.
Oberheide also discovered during his ‘research’ that applications can not only be remotely removed but also remotely installed, and that poses a much bigger threat.
“While remotely removing apps might ruffle the feathers of people who like the feeling of having full control over their device, the remote install functionality is of more concern from a security perspective.”
“You better believe that myself and others are taking a careful look at these code paths” concluded Oberheide.