Monday, April 22, 2013

Google Play Market Vulnerability and the Attack on Samsung Smartphones


Samsung Galaxy S and S2: Security Compromised
By the time this revised version of the article was posted, we had not received any comments from Google or Samsung. Representatives of both companies promised to issue a statement today. In any case, the story is becoming clear, and this is how it started.

Subject of The Issue

It began with the release of an update for the MTS Mobile Mail application on Google Play Market. It became available for all Galaxy S and S2 phones regardless of carrier and country.
Even if you did not have this app installed, the notification prompting you to update would appear in your app list anyway. During installation the app asks for full access to phone functions, including SMS. This immediately suggests a malicious nature for the app.
After you have installed the app it cannot be removed from your phone via the My Apps list. Every standard procedure I tried failed to uninstall it.

Autoupdate

Every Android package (APK) has an ID that includes the developer's identifier. The MTS Mobile Mail app ID is com.seven.Z7. It just so happens that Samsung's mail app has the very same ID. The company called Seven works with many manufacturers and carriers; the full list of their partners is here.
As one of our readers told us, the practice of using one ID allows a developer to see all the bug reports for a released app in the developer panel on Google Play Market. You can find more details on this procedure here.
Google foresaw possible issues arising from the use of the same IDs, so every app also carries a unique developer key. The Android developer website states this clearly.
The issue around the MTS Mobile Mail app was caused by the APK carrying the same package ID and being signed with the same developer key (one and the same developer, for some reason, used the same ID). As a result your phone would show you the update notification and prompt you to install it. And since the mail app on Samsung phones is a system app, it cannot be removed by standard means. However, the XDA-Developers forum found a way to remove the app without rooting the phone: go to the task manager and delete the Google Play Market cache and all the data associated with the app, and the MTS Mobile Mail app will be gone for good.
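To make the two-part identity described above concrete, here is an added example (not code from the original article or from Google, Samsung or Seven) that models Android's update rule: a store listing is offered as an update whenever the package ID matches the installed app, but the install succeeds only when the signing key matches as well. The package names other than com.seven.Z7, the "certificates" and the store listings are constructed sample data, and the fingerprints are hashes of those constructed byte strings, not real keys.

```python
"""Model of Android's update-acceptance rule (added example, not from the article).

A matching package ID is enough for the Play Store to *offer* an update; the
installer then refuses the APK unless the signing key also matches the one that
signed the installed app. The risk condition from the article is a store listing
whose package ID collides with a preinstalled system app: every device carrying
the app is offered it, and if the same developer key signed both, it replaces a
component the user cannot uninstall.
"""
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class InstalledApp:
    package: str              # Android package ID, e.g. com.seven.Z7
    signer_fingerprint: str   # SHA-256 of the signing certificate (hex)
    system: bool              # preinstalled in /system; not removable by normal means


@dataclass(frozen=True)
class PlayListing:
    package: str
    signer_fingerprint: str
    title: str


def fingerprint(cert_der: bytes) -> str:
    """Certificate fingerprint convention: SHA-256 over the DER bytes.
    The inputs used below are constructed strings standing in for certificates."""
    return sha256(cert_der).hexdigest()


def update_decision(installed: InstalledApp, listing: PlayListing):
    """Return (offered, installable, reason) for one installed app and one listing."""
    if installed.package != listing.package:
        return (False, False, "different package ID: unrelated app, not offered")
    if installed.signer_fingerprint != listing.signer_fingerprint:
        return (True, False, "same package ID but different signer: offered, install refused")
    return (True, True, "same package ID and same signer: installs as an update")


def audit_device(installed_apps, listings):
    """Flag store listings that share a package ID with a preinstalled system app.
    Severity is 'high' when the listing would actually install (same key),
    'medium' when it is only offered and the installer would reject it."""
    by_pkg = {listing.package: listing for listing in listings}
    findings = []
    for app in installed_apps:
        listing = by_pkg.get(app.package)
        if listing is None:
            continue
        offered, installable, reason = update_decision(app, listing)
        if offered and app.system:
            severity = "high" if installable else "medium"
            findings.append((app.package, listing.title, severity, reason))
    return findings


# Constructed sample data: the keys are hashes of labelled strings, not real certificates.
SEVEN_KEY = fingerprint(b"constructed: Seven developer certificate")
VENDOR_KEY = fingerprint(b"constructed: handset vendor platform certificate")
OTHER_KEY = fingerprint(b"constructed: unrelated developer certificate")

DEVICE = [
    InstalledApp("com.seven.Z7", SEVEN_KEY, system=True),         # vendor mail client
    InstalledApp("com.example.dialer", VENDOR_KEY, system=True),  # constructed system app
    InstalledApp("com.example.game", OTHER_KEY, system=False),    # constructed user app
]

STORE = [
    PlayListing("com.seven.Z7", SEVEN_KEY, "Mobile Mail (constructed listing)"),
    PlayListing("com.example.dialer", OTHER_KEY, "Dialer (constructed listing)"),
    PlayListing("com.example.notes", OTHER_KEY, "Notes (constructed listing)"),
]


if __name__ == "__main__":
    for package, title, severity, reason in audit_device(DEVICE, STORE):
        print(f"[{severity}] {package} <- '{title}': {reason}")
```

The first finding is the case the article describes: same package ID and the same developer key, so the listing is both offered and installed over a system app. The second shows what the developer-key check buys when the keys differ: the update is still pushed to every device with that package ID, but the installer refuses it.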
Yesterday morning Google blocked this app so that no one could install it. Some users continued to see it in their update list, but they could not download it.
Google commented on the situation to The Verge. They say that the app has been removed from the Market and has not affected users, as it never installed on their phones. I cannot agree with this statement, since I removed the app from my phone myself, and most comments on the app's page on the Market suggest it did install on phones.
MTS issued the following comment: 'Google, Samsung and MTS are currently working with the developer of the app in order to resolve the situation as soon as possible. The software in question has all the required certificates and is not malicious.'
I could not get Samsung or Google to comment on this.

Bottom Line

The MTS app is not a virus, as I thought at first. The circumstances that led to this result look like a rare combination, but they are alarming nonetheless. It is a serious vulnerability in Google Play Market security that someone could exploit to reach vulnerable apps. This story spurred public discussion of the autoupdate problem, and here is another case with HTC phones.
I want to refrain from assessing the possible risk and damage this app could do. The bigger problem is that the current distribution system can spawn more troubling cases. This could mean a hit to Android's reputation. The app's description page is rife with angry and rude comments by people who encountered the problem. I am sure Google want their users happy and will try to fix the problem as soon as possible. They have the Apple App Store to look up to – it has never had problems like this one.
