Incident: Malware Infected Android Apps Compromise Personal Data on Devices

Published Date: 2011-03-02

Postmortem Analysis
Timeline
1. The software failure incident of malware-infected apps on Google's Android Market, known as "DroidDream", happened in March 2011 [4722].

System
1. Google's Android Market
2. Android smartphones running Google's Android software
3. Apps infected with the "DroidDream" malware
4. Security measures in place to prevent malware on the Android Market
5. User devices running the infected apps

Responsible Organization
1. Developers who injected malware into the apps and published them on Google's Android Market, such as "Myournet" and "Kingmall2010" [4722].

Impacted Organization
1. Users of more than 50 infected applications on Google's Android Market, whose personal data and device control were potentially compromised [4722].

Software Causes
1. The software failure incident was caused by the presence of malware named "DroidDream" in more than 50 applications on Google's Android Market, which compromised personal data by taking over the user's device [4722].

Non-software Causes
1. Lack of stringent checks and controls on the Google Android Market for app developers, unlike Apple's iPhone App Store, which has a rigorous screening process [4722].

Impacts
1. Personal data compromise: The malware "DroidDream" discovered in more than 50 applications on Google's Android Market had the capability to compromise personal data by taking over the user's device, potentially exposing sensitive information such as IMEI and IMSI numbers [4722].
2. Infected devices: It was estimated that as many as 200,000 Android devices could have been infected by the malware, highlighting the scale of the impact on users who had downloaded the affected applications [4722].
3. Security concerns: The incident raised significant security concerns regarding the vulnerability of the Android Market to malware attacks, indicating a potential weakness in the platform's security measures [4722].
4. Reputational damage: The discovery of such a widespread malware infection on the Android Market could have led to reputational damage for Google and for the developers whose applications were found to be infected, potentially eroding trust among users [4722].

Preventions
1. Implementing stricter app review processes: Google could have prevented the malware incident by implementing more rigorous app review processes similar to Apple's iPhone App Store, where each app undergoes thorough checks for suitability before being allowed on the platform [4722].
2. Enhanced security measures: Google could have incorporated stronger security measures within the Android operating system to prevent unauthorized access and malicious activities like the DroidDream malware. This could include better sandboxing techniques and real-time monitoring for suspicious behavior [4722].
3. Regular security audits: Conducting regular security audits of the apps available on the Android Market could have helped in identifying and removing malicious apps promptly, before they caused harm to users' devices and data [4722].
4. User education and awareness: Educating users about the risks of downloading apps from unknown sources, and encouraging them to be cautious when granting permissions to apps, could have helped in preventing the spread of malware like DroidDream [4722].

Fixes
1. Google should implement stricter app review processes and security checks before allowing apps on the Android Market, to prevent malware-infected apps from being distributed [4722].
2. Google should proactively remove malware-infected apps not only from the Market but also from the devices to which they have been downloaded, to mitigate the impact on users [4722].
3. Users should regularly update their devices with the latest security patches and antivirus software to protect against potential malware threats [4722].
4. Security companies should develop and offer antivirus and anti-malware products specifically tailored for Android devices to enhance overall security [4722].

References
1. Android Police
2. Lookout
3. Reddit user "Lompolo"
4. Google
5. Security companies
6. "Myournet"
7. "Kingmall2010"
[4722]

Software Taxonomy of Faults

Category / Option / Rationale

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to malware-infected apps on Google's Android Market has happened before within the same organization. The article mentions that this incident is not the first case of malware found on the Market, indicating a recurring issue with malware infecting apps on Google's Android Market [4722].
(b) The incident of malware-infected apps on Google's Android Market has also occurred with other developers' products. Besides the developer "Myournet", two other developers' products were found to include the DroidDream malware. This suggests that the malware issue was not limited to a single developer but affected multiple developers on the platform [4722].

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The design-phase aspect of the software failure incident can be attributed to the lack of checks and balances in the Android Market compared to Apple's App Store. The article mentions that, unlike Apple's App Store, where every app undergoes a suite of tests for suitability before being allowed on the store, Google's Android Market does not have such checks. This lack of scrutiny makes situations like the malware infection harder to avoid on the Android Market [4722].
(b) The operation-phase aspect of the software failure incident can be linked to the misuse of the system by users who downloaded infected apps. The malware-infected apps were able to compromise personal data and take control of users' devices, leading to potential security breaches. Users unknowingly downloaded these apps, which then exploited vulnerabilities in the system to carry out malicious activities [4722].

Category: Boundary (Internal/External)
Option: within_system
Rationale:
(a) The software failure incident related to the malware infection of more than 50 applications on Google's Android Market with "DroidDream" can be categorized as within_system. The incident originated from within the system, as developers were able to inject malicious code into legitimate apps and publish them on the Android Market, leading to the compromise of personal data on users' devices [4722].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident in Article 4722 was primarily due to non-human actions. The incident involved malware called "DroidDream" infecting more than 50 applications on Google's Android Market. The malware was designed to compromise personal data by taking over the user's device and had the ability to download more code, making it difficult to predict its actions after installation. The malware was first discovered by a Reddit user who identified the malicious behavior in certain apps, leading to the detection and subsequent removal of the infected apps from the Market by Google [4722].
(b) However, human actions also played a role in the software failure incident. The developers of the infected applications, particularly those associated with the developer names "Myournet" and "Kingmall2010", were responsible for injecting root exploit code into legitimate apps and republishing them on the Android Market. These developers intentionally introduced the malicious code into popular free apps, leading to a significant number of downloads within a short period. This human action of injecting malware into legitimate apps contributed to the spread of the malware and the subsequent compromise of user devices [4722].

Category: Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) Related to hardware: The incident of malware infection on Google's Android Market, specifically the DroidDream malware, compromised personal data by taking over the user's device, which can be considered a failure originating from a hardware vulnerability [4722].
(b) Related to software: The DroidDream malware incident was a software failure, as it involved malicious code injected into legitimate apps that exploited vulnerabilities in the Android operating system to gain control over users' devices and steal sensitive information [4722].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The objective of the software failure incident was malicious. The incident involved malware called "DroidDream" infecting more than 50 applications on Google's Android Market. The malware compromised personal data by taking over the user's device, stealing information such as product ID, model, partner, language, country, and user ID. Additionally, the malware had the ability to download more code, making it difficult to predict its actions after installation. The developer behind the malware injected root exploit code into popular free apps and republished them, leading to a significant number of downloads in a short period. This malicious act aimed to gain complete control of users' devices and send sensitive information to remote servers [4722].
(b) The incident was non-malicious in terms of the affected users, who unknowingly downloaded the infected applications. Users who downloaded the apps were not aware of the malicious intent behind the software they were installing. The incident highlights the vulnerability of the Android Market due to the lack of stringent checks and balances compared to platforms like Apple's iPhone App Store. The rapid growth of the Android Market, fueled by the free licensing of the software, contributed to the ease with which malware could infiltrate the system. The openness of the Android platform, while a strength in many aspects, also posed a weakness in terms of security vulnerabilities that could be exploited by malicious actors [4722].

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions, accidental_decisions
Rationale:
(a) The software failure incident related to the malware infection of more than 50 applications on Google's Android Market with "DroidDream" can be attributed to poor decisions made in the app approval process. Google's Android Market did not have the same rigorous checks and balances in place as Apple's iPhone App Store, allowing malicious apps to be uploaded without thorough scrutiny. This lack of oversight led to the proliferation of malware-infected apps on the platform, compromising the security and privacy of users [4722].
(b) The software failure incident can also be linked to accidental decisions or unintended consequences. The discovery of the malware was initially made by a Reddit user who noticed suspicious activities by certain developers on the platform. This incident highlights how the actions of individual developers, such as injecting root exploit code into legitimate apps, can have unintended and harmful effects on a large scale, leading to the compromise of thousands of users' devices [4722].

Category: Capability (Incompetence/Accidental)
Option: development_incompetence, accidental
Rationale:
(a) The development-incompetence aspect of the software failure incident is evident in the case of the malware-infected apps on Google's Android Market. The incident involved multiple apps being infected with malware called "DroidDream", which compromised personal data on users' devices. The malware was injected into popular free apps by developers who had also posted pirated versions of legitimate apps. This indicates a lack of professional competence by the developers in ensuring the security and integrity of their apps [4722].
(b) The accidental aspect of the software failure incident can be seen in how the malware was first discovered by a Reddit user named Lompolo. The user noticed that the developer of one of the malware apps had also posted pirated versions of legitimate apps, leading to the discovery of the malware infection. This discovery was accidental rather than a deliberate action, highlighting the accidental nature of how the malware was initially identified [4722].

Category: Duration
Option: permanent
Rationale:
(a) The software failure incident related to the malware-infected apps on Google's Android Market can be considered a permanent failure. The incident involved more than 50 applications infected with malware called "DroidDream", which compromised personal data on users' devices. Google removed the apps from the Market, but it was not clear whether they had been removed from the devices to which they were downloaded [4722]. The incident highlighted the vulnerability of the Android Market due to the lack of checks and charges for developers to put apps on the platform, unlike Apple's App Store. The malware was discovered to have the ability to download more code after installation, making it difficult to predict its actions. This incident serves as a reminder of the strengths and weaknesses of Android's openness as a platform [4722].

Category: Behaviour
Option: crash
Rationale:
(a) crash: The software failure incident related to the DroidDream malware on Google's Android Market can be categorized as a crash. The malware had the ability to take over the user's device, compromising personal data and potentially downloading more code after installation, leading to a situation where there was no way to know what the app would do once installed [4722]. This loss of control over the device and potential unauthorized access can be considered a form of crashing the system's intended functions.

IoT System Layer

Layer / Option / Rationale

Perception: None (no rationale given)
Communication: None (no rationale given)
Application: None (no rationale given)

Other Details

Category / Option / Rationale

Category: Consequence
Option: property, non-human, no_consequence, theoretical_consequence
Rationale:
(a) death: There is no mention of any deaths resulting from the software failure incident in the provided article [4722].
(b) harm: The article does not mention any physical harm caused to individuals due to the software failure incident [4722].
(c) basic: The incident did not impact people's access to food or shelter [4722].
(d) property: People's material goods, money, or data were impacted due to the software failure incident. The malware compromised personal data by taking over the user's device, potentially leading to data theft and privacy breaches [4722].
(e) delay: There is no mention of any activities being postponed due to the software failure incident in the article [4722].
(f) non-human: Non-human entities were impacted by the software failure incident. The malware infected more than 50 applications on Google's Android Market, potentially affecting as many as 200,000 Android devices [4722].
(g) no_consequence: The software failure incident had real observed consequences, such as compromising personal data on infected devices [4722].
(h) theoretical_consequence: The article discusses potential consequences of the software failure incident, such as the need for security companies to offer antivirus and anti-malware products for Android devices, as well as the possibility of security breaches due to the malware's ability to take complete control of a user's device and send detailed information to remote servers [4722].
(i) other: The article does not mention any other specific consequences of the software failure incident beyond those related to data compromise, potential security risks, and the need for enhanced security measures [4722].

Category: Domain
Option: information
Rationale:
(a) The failed system in this incident was related to the information industry. The malware-infected applications on Google's Android Market compromised personal data and had the ability to steal various information from users' devices, such as product ID, model, language, country, and user ID [4722]. The incident highlighted the vulnerability of the Android platform to malware attacks, impacting the production and distribution of information through mobile devices.
