It’s that time of year again, time to fill out your taxes and pay your part. We’ve seen more than a few examples of tax- and IRS-related spam. Yesterday I received mail with an interesting approach:
I’m often asked about the real danger of Android malware. This is a difficult question, as it depends on many factors, such as your location, your device, how many apps you install, and how reckless you are with the apps that you choose.
There are two camps, often at odds with each other. One side argues that the threat to Android is overblown: because the number of malicious samples discovered so far is so small compared with Windows malware, it is insignificant. In fact, when a company discloses findings that show any marked growth in this sector, it is often accused of scaremongering to generate sales.
A new post on Google’s blog promises a response to the outbreak of the so-called “DroidDream” malware that went live on the Android Market last week:
According to the blog, Google will initiate its remote-removal process by pushing the installation of a new app called “Android Market Security Tool March 2011.” We’ve had a look at this app, and it does not fix the vulnerability; it simply removes the applications known to be malicious. Google further promises changes to the market to deal with this type of issue and claims to be “working with our partners to provide the fix for the underlying security issues.”
Many, if not all, of the apps were trojanized copies of legitimate apps from other developers.
I downloaded one app in particular called Super Guitar Solo. Upon reviewing the app, I found it contains the popular “rage against the cage” root exploit commonly used to “root” Android phones and gain superuser privileges. As any Linux guru will tell you, once you have superuser rights, you have full, administrator level access to the phone’s operating system. In this case the exploit is launched without the owner’s consent.
So what is the purpose of this Trojan? The application will attempt to gather the product ID, device type, language, country, and user ID, among other things, and then upload them to a remote server. Unlike most of the other samples seen so far, there is no attempt at sending or receiving premium-rate SMS messages.
This discovery is important because up until now most Android malware has been found outside of the Android Market, which means a number of extra steps are needed before a phone is infected. In this case, users are even able to install from the web with the new Android Market format. We have previously talked about this here: The Dark Side of the new Android Market
It's also interesting to point out that, just as our researchers predicted last year, the cybercriminals have started taking advantage of jailbreaking tools as mentioned here: The Dangers of Jailbreaking
One of the important observations here is that these are likely not the only live malicious apps in the Android Market. Kaspersky recommends that you always check all the permission requests that an application makes at install time. This also highlights the dangers of jailbreaking or rooting your devices. This particular root exploit has been detected by Kaspersky as Exploit.AndroidOS.Lotoor.g and Exploit.AndroidOS.Lotoor.j since February 1st, so if you are a Kaspersky Mobile Security user, you are already protected.
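The permission review recommended above can be done before the install prompt ever appears. The following is an added example, not Kaspersky's code or anything shipped with the Android Market: it parses the `<uses-permission>` entries of a decoded AndroidManifest.xml and flags the ones tied to the behaviour described in this post (identity and device data collection, network upload, premium-rate SMS). The manifest, the watch list and its reasons are constructed for the example; the permission names themselves are standard Android ones.

```python
"""Review the permissions an Android app declares before installing it.

Added example (not Kaspersky's code): lists every <uses-permission> in an
AndroidManifest.xml and flags the ones a reviewer should question for an
app of this kind (here, a guitar game that has no business reading phone
identifiers). The manifest and the watch list are constructed for the example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed watch list: permission -> why it deserves a second look.
WATCH_LIST = {
    "android.permission.SEND_SMS": "can send (premium-rate) SMS",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.READ_PHONE_STATE": "exposes device identifiers (IMEI, IMSI)",
    "android.permission.INTERNET": "can upload collected data to a remote server",
    "android.permission.ACCESS_FINE_LOCATION": "tracks precise location",
    "android.permission.READ_CONTACTS": "reads the address book",
    "android.permission.CALL_PHONE": "can place calls without the dialer UI",
}

# Constructed manifest modelled on a simple game; a decoded (text) manifest,
# as produced by a tool such as apktool, not the binary XML inside the APK.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.guitar">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Guitar Game"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """Return every android:name on a <uses-permission> element, in file order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def review_permissions(manifest_xml: str) -> dict:
    """Map each declared permission that is on the watch list to the reason."""
    return {p: WATCH_LIST[p] for p in declared_permissions(manifest_xml) if p in WATCH_LIST}


if __name__ == "__main__":
    print("Declared:", declared_permissions(SAMPLE_MANIFEST))
    for perm, why in review_permissions(SAMPLE_MANIFEST).items():
        print("  FLAG %s: %s" % (perm, why))
```

For a packaged APK the same list can be pulled with `aapt dump permissions app.apk` (the manifest inside an APK is binary XML, which this script does not decode). The point is the mismatch check, not the list: a game that declares READ_PHONE_STATE together with INTERNET can collect and upload exactly the identifiers this post describes.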
Kaspersky will continue to examine this sample and update with any future information.
UPDATE: Google has now removed the malicious apps and the corresponding download page from the Android Market.
A little while ago, Microsoft released an update which partially disables some autorun functionality on Windows operating systems prior to Windows 7. The update, known as KB971029, is intended for Windows XP, Vista, Server 2003, and Server 2008. The autorun function is used to automatically start installation processes from CDs, DVDs, and USB drives, as well as other types of removable media.
Autorun works by reading a file named autorun.inf from the root directory of a removable drive. While this is a helpful process when used with a trusted resource, such as a software installer on a CD, it has long been a successful malware infection vector on rewritable drives.
At Kaspersky, we've frequently urged Microsoft to disable this process, as anything that automatically installs software or runs code without properly informing the user can and will be used maliciously. In the past we've discovered infected consumer devices, and the autorun function has been used to spread incredibly successful threats such as Conficker (Kido). This listing gives you a partial idea of just how often "autorun" gets used as an infection vector.
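Because the whole mechanism hinges on one text file, the entries that would make Windows launch something are easy to enumerate before a drive is trusted. The following is an added example, not Kaspersky's or Microsoft's code: it parses the `[autorun]` section of an autorun.inf, lists every launch directive, and reports the patterns that distinguish a vendor installer from a worm-style file. Both sample files are constructed for the example; the directive names (`open`, `shellexecute`, `shell\<verb>\command`, `action`) are the standard autorun.inf ones.

```python
"""Inspect an autorun.inf before trusting removable media.

Added example (not Kaspersky's or Microsoft's code). Parses the [autorun]
section and reports every directive that would cause Windows to run
something, which is the behaviour KB971029 switches off for non-optical
drives. Both files below are constructed for this example.
"""

# Directives that execute code or hand an arbitrary file to ShellExecute.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed: what a legitimate installer CD typically ships.
CLEAN_INF = """[autorun]
icon=setup.exe,0
label=Vendor Installer
open=setup.exe
"""

# Constructed: worm-style file that also hijacks the Explorer context-menu
# verbs and mimics the default AutoPlay "open folder" entry.
WORMY_INF = """[AutoRun]
open=RECYCLER\\S-1-5-21-0000\\driver.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\command=RECYCLER\\S-1-5-21-0000\\driver.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-0000\\driver.exe
action=Open folder to view files
"""


def parse_autorun(text: str) -> dict:
    """Return key -> value pairs from the [autorun] section, keys lower-cased."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(text: str) -> dict:
    """Directives that launch code: open=, shellexecute=, shell\\<verb>\\command=."""
    hits = {}
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits[key] = value
    return hits


def suspicious_indicators(text: str) -> list:
    """Heuristics that separate an installer disc from a worm-style autorun.inf."""
    entries = parse_autorun(text)
    targets = launch_targets(text)
    findings = []
    if any(k.startswith("shell\\") for k in targets):
        findings.append("Explorer context-menu verbs redirected to a launch command")
    if any("recycler" in v.lower() or "$recycle.bin" in v.lower() for v in targets.values()):
        findings.append("launch target hidden in a recycle-bin style directory")
    if "open folder" in entries.get("action", "").lower():
        findings.append("action= mimics the default 'open folder' AutoPlay entry")
    return findings


if __name__ == "__main__":
    for name, inf in (("clean", CLEAN_INF), ("wormy", WORMY_INF)):
        print(name, "launches:", launch_targets(inf))
        for f in suspicious_indicators(inf):
            print("  !", f)
```

Even the clean file launches an executable, which is the point of the post: the safe answer is not a better heuristic but not running the file at all, which is what KB971029 does for USB and other rewritable media.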