Google, in a late night Saturday update, said it was taking extra action to patch up a large-scale Android malware infection that highlighted the risks of the platform. Along with having pulled the apps, it’s now pushing an automatic update to compromised phones that will remove the privacy hacks. Anyone affected will get an e-mail first to let them know of the problem and a second after it had been patched, security head Rich Cannings said.
The company was also adding a “number of measures” in the Market to prevent more hostile apps and was working with phone makers and other partners to cure the root causes.
Google didn’t provide the full details of the exploit but acknowledged that the apps had scraped unique hardware identifiers and personal information, including a phone’s unique IMEI. The techniques let the app writers both exploit personal information and deliver hacks that could be targeted at individual phones. It also stressed that the hacks didn’t hit phones using Android 2.2.2 or later.
The company nonetheless didn’t answer questions of whether it would do anything to patch phones running the older platform and underscored a still ongoing problem with platform divisions
The accessibility of bug and security fixes has been a mounting issue for Android and has left only those devices running unaltered versions of Android, chiefly Google’s own Nexus One and Nexus S, getting the most reliable and safest software. Only Android 2.3 has a fix for random text messages and has reached just the 0.8 percent of the Android user base buying one of the two official Google phones.
