Tens of thousands of users of Android-based smartphones have downloaded applications capable of taking over their phones with malicious software designed to steal data or send expensive messages, security experts have warned.
Google, the Android developer, has removed 55 such applications from its official Android Marketplace after being alerted to them by amateur and professional researchers.
The apps mimicked legitimate programs and carried such names as Chess, Bowling Time and Super Guitar Solo, but allowed the developers to exploit a security flaw in most versions of Android.
“This is the only outbreak of malware in the Android market I can recall,” Kevin Mahaffey, Lookout Mobile Security chief technology officer, said.
Google did not respond to requests for comment.
Users reported that, as of Tuesday night, the company had not acted to disable any malicious software that had been downloaded.
The revelation of the Android security breach adds weight to industry predictions that malicious software on mobile devices would become a significant issue this year.
Previous research and demonstrations had shown that it was possible for apps to escape the controls that are supposed to limit their powers on Android devices.
Until now malicious apps had not appeared in Android Marketplace, but only in alternative app stores aimed at countries where the official store does not operate, or catering to apps for pirated content or other subjects that would have seen them barred from Google’s pages.
The batch of malicious programs at issue this week, known collectively as DroidDream, took advantage of a security hole in Android that has been patched by some handset makers and is closed in Android version 2.3.
The programs’ authors directed the phones to contact a website server for additional instructions. It is unclear what those instructions would have been, but they could have been designed to steal contact information, passwords or stored financial data, or to place expensive calls or send texts. Lookout Mobile, which alerted Google to some of the apps, said it had contacted the server but received no communication back from it.
Leading security software vendors have begun offering protection for Android and other models of smartphone, as they do for personal computers. But as such services rely on “signatures” of known bad programs, they cannot stop the installation of malicious apps before they are identified as causing problems.
Apple’s iPhones have also been targeted, but only where they have been tampered with by their owners to break free of contracts with a specific wireless carrier. Apple’s app store requires pre-approval for all programs displayed for download, while Google allows sales until customers complain.