Google remotely removes Android malware
Google is currently using its "remote removal function" to delete malicious apps from devices running a version of Android prior to 2.2.2. The apps were reportedly discovered on, and removed from, the Android Market a few days ago. In a blog posting, Google also said that the accounts of the responsible developers have been suspended and that legal steps are being taken.
The "affected" devices will receive a patch to "undo the exploit" over the next 72 hours, said Google. It remains unclear whether this includes all devices running vulnerable versions of Android, or whether the patch will only be deployed to the devices that were actually infected. Google has also announced that it is adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market.
According to security firm Kaspersky, the malware exploits the same hole that is used for "rooting" Android devices, which gives it root privileges on the handset. Kaspersky says the bug was apparently only fixed in Android 2.3, which is at odds with Google's statement that versions from 2.2.2 onwards are not affected. Kaspersky said that the program initially only steals unique device data such as the IMEI identifier and transmits it to a server as an XML fragment in an HTTP POST, i.e. in the clear. Reportedly, the malware then sets a flag that prevents further uploads and installs a second package, DownloadProvidersManager.apk, which it reportedly carries inside the app as a file named sqlite.db. The injected module apparently reads a list of file names from the server. Kaspersky speculates that the malware authors were planning to monetise their trojan by installing adware on the affected devices.
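For anyone who has to check a fleet of handsets rather than wait 72 hours for Google's patch, the two facts above (a hole closed in 2.2.2 and a dropped DownloadProvidersManager.apk) are enough for a simple triage. The following script is an added example, not code from the article, Google or Kaspersky. It assumes, beyond what the article says, that the second-stage package is dropped into /system/app and that the inputs are the raw output of `adb shell getprop ro.build.version.release` and `adb shell ls /system/app`; the sample outputs embedded at the bottom are constructed for illustration.

```python
"""Triage Android devices against the two indicators reported above.

Assumptions not taken from the article: the second-stage package lands in
/system/app, and a device is only considered safe from the exploit once its
release string is 2.2.2 or newer (Google's figure, not Kaspersky's).
"""
import re
import subprocess

FIXED_IN = (2, 2, 2)                        # first release Google says is unaffected
INDICATOR = "DownloadProvidersManager.apk"  # dropped package named by Kaspersky


def parse_version(release: str) -> tuple:
    """Turn a release string into a comparable tuple.

    Plain string comparison gets this wrong ("2.2" vs "2.2.2", "2.10" vs
    "2.2"), so extract the numeric fields and pad to three components:
    "2.2" -> (2, 2, 0), "2.3" -> (2, 3, 0), "2.2.2" -> (2, 2, 2).
    An unparseable string yields (0, 0, 0), i.e. it is treated as vulnerable.
    """
    nums = [int(x) for x in re.findall(r"\d+", release.strip())[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(release: str) -> bool:
    """True if the build predates the fix, whatever the patch level string looks like."""
    return parse_version(release) < FIXED_IN


def has_indicator(ls_output: str) -> bool:
    """True if the dropped package shows up in an `ls /system/app` listing."""
    return any(line.strip() == INDICATOR for line in ls_output.splitlines())


def triage(release: str, ls_output: str) -> str:
    """Classify a device as 'infected', 'vulnerable' or 'patched'.

    The indicator wins over the version check: a device that was exploited
    before being updated still carries the payload.
    """
    if has_indicator(ls_output):
        return "infected"
    if is_vulnerable(release):
        return "vulnerable"
    return "patched"


def triage_device(serial: str = None) -> str:
    """Run the two adb commands against a connected device (hypothetical helper)."""
    base = ["adb"] + (["-s", serial] if serial else []) + ["shell"]

    def sh(cmd):
        return subprocess.check_output(base + cmd, text=True)

    return triage(sh(["getprop", "ro.build.version.release"]),
                  sh(["ls", "/system/app"]))


# Constructed sample listings, not captured from a real handset.
SAMPLE_LS_CLEAN = "Browser.apk\nContacts.apk\nPhone.apk\n"
SAMPLE_LS_INFECTED = "Browser.apk\nContacts.apk\nDownloadProvidersManager.apk\nPhone.apk\n"

if __name__ == "__main__":
    for release, listing in [("2.2.1", SAMPLE_LS_INFECTED),
                             ("2.2", SAMPLE_LS_CLEAN),
                             ("2.3", SAMPLE_LS_CLEAN)]:
        print(release, "->", triage(release, listing))
```

The version parser is the part worth keeping even after this particular malware is gone: Android release strings come in two- and three-component forms, and a naive lexical comparison would report a 2.2 device as safe.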