When Google took steps to eliminate malicious apps that had invaded the Android Market, it published its own app, the Android Market Security Tool, to help with the clean-up process. Despite warnings that end users don’t need to actually install and run the app themselves, enough of them have been trying to do so that it has caught the eye of more malware authors, who have created a trojan app built around Google’s tool.
Symantec discovered the rogue app where most of its kind seem to get their start: a third-party Chinese app store. The repackaged Android Market Security Tool has been modified by its author to receive instructions from a server script and then send out SMS messages, presumably to incur charges for premium services.
The lessons to take away from this seem as obvious as “don’t play with matches in a room full of gasoline”: when Google tells you that you don’t need to download an app, it’s probably not lying, and you should steer clear of these unofficial app stores where this kind of malware keeps popping up over and over again.
While some users may fault Android for not being an OS where security patches can easily be distributed, or for making it too easy to install malicious apps, the fact that Android security problems are mirroring PC security problems says a lot about how far the system has grown.