Late last night Google finally published an official response to the dozens of malicious Android applications that had infiltrated the Android Market. Updated.
Within the response, the company confirmed that there were 58 malicious applications total, and that they were indeed downloaded by approximately 260,000 devices before Google was able to remove them from the store. While that may seem like a lofty, dangerously high number of infected devices, Google also went on to claim that only a user's IMEI number was ever beamed away to parties unknown.
Google went on to say the company is activating a "kill switch" feature that will grant them the ability to remotely zap malicious applications without any input from the user. Furthermore, the Android Market will be receiving a future security update that will address this vulnerability.
We spoke with a Google rep today to clarify the vulnerability and update process for this security issue. First, the backdoor vulnerability exploited by these malicious apps has been closed by Google, and users will not have to reply on their device's manufacturer or the carrier to receive the update. For further detailed information on the closed backdoor and future security updates for the Android Market, head over to the Google Mobile blog, where a rather detailed explainer of what's going on and what's being done went up at 10 p.m. last night. This section updated at 3:00 EST with clarification from Google.- j.l.
Lastly, the letter Google is sending affected users, as obtained by Techcrunch:
You are receiving this message to inform you of a critical issue affecting your Android Market account.
Hello,
We recently discovered applications on Android Market that were designed to harm devices. These malicious applications ("malware") have been removed from Android Market, and the corresponding developer accounts have been closed.
According to our records, you have downloaded one or more of these applications. This malware was designed to allow an unauthorized third-party to access your device without your knowledge. As far as we can determine, the only information obtained was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices, and the version of Android running on your device).
However, this malware could leave your device and personal information at risk, so we are pushing an Android Market security update to your device to remove this malware. Over the next few hours, you will receive a notification on your device that says "Android Market Security Tool March 2011" has been installed. You are not required to take any action from there, the update will automatically run. You may also receive notification(s) on your device that an application has been removed. Within 24 hours of receiving the update, you will receive a second email confirming its success.
To ensure this update is run quickly, please make sure that your device is turned on and has a strong network connection.
For more details, please visit the Android Market Help Center.
Regards,
The Android Market Team
This is all very unsettling, to say the least.
Update: We've been contacted by a Google spokesperson to clarify the section above on the security update. [Techcrunch]