The rootkit tool was released "to persuade manufacturers to fix a bug that lets hackers read a victim's email and text messages," according to a report by Reuters.
"It wasn't difficult to build," said Nicholas Percoco, who leads Spider Labs. Working with a colleague, Percoco said it took about two weeks to develop the tool, which allows nefarious users to take control of the device and steal email and text messages.
Percoco distributed the rootkit on DVDs at the Defcon conference, which is a meeting of around 10,000 security experts who can attend anonymously. Reuters noted that "law enforcement posts undercover agents in the [Defcon] audience to spot criminals and government officials recruit workers to fight computer crimes and for the Department of Defense."
Security issues hitting Android are contradicting the perception that malicious attacks are primarily directed at the largest installed base. The global installed base of Apple's iOS devices is at least four times as large as that of Android, which, despite a lot of media attention, is still similar to Microsoft's beleaguered Windows Mobile in terms of market share.
Android's open-ended security defended
A day ago, security researchers at Lookout reported the potential for mobile software to take actions without users' knowledge, noting that many apps on all platforms can gain access to private data. They specifically called out a wallpaper app on Android for collecting the device data, phone numbers, and voicemail numbers of users who downloaded it and forwarding that information to servers in China.
At least one Android blog, Android Tapp, rushed to defend the platform, insisting that an initial report by Venture Beat was inciting "fear, uncertainty and doubt" by describing the data collection as "malicious."
The blog indicated that there was nothing wrong with developers collecting Android users' data without disclosure and for unknown purposes, suggesting instead that users should anticipate the full consequences of downloading third-party software based on the permissions that software requests during installation.
While defending the developer involved in harvesting Android users' phone numbers, voicemail phone numbers, and device IDs through his "Jackeey Wallpaper" app, the Android fan blog pointed out that other Android wallpaper apps request permissions to read phone call information, read SD Card storage, and access contact data.
Following Lookout's report, Google pulled the wallpaper app in question, but other apps that do the same thing while requesting even more access to users' data are still available for download.
"True all users should indeed be aware of what they are installing from the Android Market," the Android blog concluded. "But was the mass negative press without covering the complete story warranted???"