Late last night Google finally published an official response to the dozens of malicious Android applications that had infiltrated the Android Market.
Within the response, the company confirmed that there were 58 malicious applications total, and that they were indeed downloaded by approximately 260,000 devices before Google was able to remove them from the store. While that may seem like a lofty, dangerously high number of infected devices, Google also went on to claim that only a user's IMEI number was ever beamed away to parties unknown.
Google went on to say the company is creating a "kill switch" feature that will grant them the ability to remotely zap malicious applications without any input from the user. Furthermore, the Android Market will be receiving a security update that will address this vulnerability, although there's a big catch.
The catch is one that Android users and developers are well aware of: namely, that while Google can produce the update and ask carriers to push it to their devices, there's no guarantee the update will be pushed in a timely manner. This is a system upgrade, and it requires that the carriers and hardware manufacturers push the update to their devices themselves. For the purposes of this update, a user's security is entirely in the hands of the carriers and hardware manufacturers. Yikes!
Lastly, here is the letter Google is sending affected users, as obtained by TechCrunch:
You are receiving this message to inform you of a critical issue affecting your Android Market account.
We recently discovered applications on Android Market that were designed to harm devices. These malicious applications ("malware") have been removed from Android Market, and the corresponding developer accounts have been closed.
According to our records, you have downloaded one or more of these applications. This malware was designed to allow an unauthorized third-party to access your device without your knowledge. As far as we can determine, the only information obtained was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices, and the version of Android running on your device).
However, this malware could leave your device and personal information at risk, so we are pushing an Android Market security update to your device to remove this malware. Over the next few hours, you will receive a notification on your device that says "Android Market Security Tool March 2011" has been installed. You are not required to take any action from there, the update will automatically run. You may also receive notification(s) on your device that an application has been removed. Within 24 hours of receiving the update, you will receive a second email confirming its success.
To ensure this update is run quickly, please make sure that your device is turned on and has a strong network connection.
For more details, please visit the Android Market Help centre.
The Android Market Team
This is all very unsettling, to say the least. [TechCrunch]