updated 11:15 am EST, Tue March 1, 2011
Trojan Android apps send premium SMS
Risks of the current Android ecosystem were underscored late Monday with a warning from Symantec about a new trojan. Known as Android.Pjapps, the rogue code has been installed in bootlegged Android apps and adds a secret backdoor that the malware writers can use to send text messages to a premium service, giving a profit to the hijacker at the user's expense. The app also has to collect vital device info, such as its IMEI number, to keep the hack working.
Apps pirated so far include Steamy Window (legitimate copy). The hacked app does notify the user that it collects text messaging and personal info, but it is otherwise superficially identical to the app from the official store.
Google has control over what can appear in Android Market, but for Symantec the discovery underscored the risks of outside apps. It urged users to download only from "regulated Android marketplaces" and to turn off one of Google's key selling points, the toggle to allow non-Market apps.
While Apple has been criticized for using its App Store-only approach in a way that limits flexibility and potentially blocks competition, the company also hasn't had to contend with maliciously altered apps or other significant app-based threats. Most risks on iOS so far have come to jailbroken devices; while they have more freedom, the nature of a jailbreak also gives complete root-level access and opens the device to more risk than if Apple had enabled the feature itself.