The Google app uninstaller remotely installs on the affected device, and then "launches itself, obtains root privileges, uninstalls the malicious apps and then deletes itself — without ever asking any user authorization," Kaspersky says in its analysis. "This approach has a number of similarities to the practices employed by malware authors." In addition, Kaspersky criticized Google "for dealing with symptoms while leaving the cause untreated." According to Kaspersky's analysis, "the update doesn't actually close the exploited hole in the Android debugging bridge."
Kaspersky goes on to say, "Apparently installing patches is generally almost impossible," citing a Kaspersky researcher who believes "this is due to Android's inability to install granular patches; furthermore, regular larger patch updates are reportedly difficult because of Android's use of the 3G data connection for syncing and updating with over the air updates."
Dozens of manufacturers take Google's updates and "bundle it into their build," and those builds vary; eventually the user should get the update over the air, says Nicholas Percoco, senior vice president and head of Trustwave's SpiderLabs. This issue may become a factor in how Android devices are brought into official use in a corporate setting. Manufacturers and carriers that can prove they are fast and diligent about updating code could end up winning more corporate customers. That might incline enterprise IT managers to push for a sort of corporate standard for Android as the patch and security issues are closely examined.
The DroidDream nightmare for Android could be seen as an opportunity for security vendors with specialized expertise.
"My initial reaction to this attack is 'I'm not surprised,'" says Neil Book, vice president of Juniper's mobile division, which markets the Junos Pulse mobile-management and security software for Android. Book says Juniper's Pulse for Android would have kept the Android anti-malware from running. "We recognize it because of the heuristic engine," he says.
Book says he thinks that probably less than 5% of the world's smartphones have any type of anti-malware client on them. He expects to see smartphone-oriented anti-malware start to be offered eventually on an OEM basis with the service providers installing it "for free" on devices as part of their service. Book says Juniper has had this type of arrangement with British Telecom (BT) for two years, and expects to see the U.S. market take this approach.
Trusteer, which has specialized in anti-malware software that fights banking trojans that try to launch through bank customers' compromised computers but can be detected and eradicated, has announced a partnership with WorkLight to create "secure mobile browser apps" for both iPhone and Android.