Pwn2Own Chrome gets no takers; Android security gets taken

Trojanized security update undercuts Google's whole security approach

Kind of a good news/bad news day for Google and Android fans.

First, the extra $10,000 in prize money Google put up for anyone who could crack Chrome at the annual Pwn2Own contest yesterday stayed right where it was -- stuck between the seat cushions in Larry Page's private plane.

No one cracked it, but the news isn't as good as it sounds. Of the two teams that signed up to have a go at Chrome, one didn't show up and the other decided to focus on a BlackBerry vulnerability it particularly liked for a later cracking event.

Safari and Internet Explorer, on the other hand, went down to their first challengers.

The Pwn2Own contest isn't a hacker melee, like most of the contests at conferences like Black Hat.

Rather than replicating the Internet by sic'ing everyone on the same target at once, Pwn2Own requires teams to sign up in advance and "freezes" the code to be cracked two weeks ahead of time so vendors can't slip in patches at the last second to foil impending pwnership.

HP's TippingPoint security unit sponsors the contest and puts up $10,000 prizes for each successful Pwner; Google added an additional $10K as incentive.

Maybe it should do the same for Android, which has been getting hammered by malware and crackers lately.

If you want to tell a really good lie, start with the truth and change it a little to do what you want.

That, at least, was the approach taken by malware authors who put out what may be the cleverest Android malware attack so far -- one that appears to come from Google to make Android more secure.

It's a faked version of a real anti-malware release from Google called the "Android Market Security Tool" that is designed to fix changes caused by the Android.Rootcager virus.

According to Symantec, which discovered it on an unregulated Chinese software site, the "trojanized" version of the tool uses the same name as the original, installs itself, and sends SMS messages to a command-and-control server at this address: hxxp://www.youlubg.com:81/Coop/request3.php

"Analysis of the application is still ongoing, however, what is shocking is that the threat’s code seems to be based on a project hosted on Google Code and licensed under the Apache License," according to Symantec's analysis.

More ironically, Google used the legitimate version of the tool to force Android devices to clean out a virus called DroidDream after more than 50 applications on its app marketplace turned out to be infected with it.

It's a coincidence that the imperturbability of Chrome and impressively sneaky attack on Android came during the same week.

It's not a coincidence that even $20,000 wasn't enough incentive to get inventive crackers to spend some effort on a public crack of a heavily protected browser, while anonymous Chinese coders probably working for organized criminal organizations did seriously original work to compromise Android.

The focus of innovation -- in data, computing, chip manufacturing, OS development, web browsing, location-based services, data access, virtualization and (because I'm tired of typing all the categories) security -- is on smartphones and other handheld devices.

Not only are they multiplying like rabbits, their users don't expect big security risks, their software isn't as good at preventing those risks as software on more traditional devices, and the speed with which users, apps and data travel across them makes it even easier to propagate malware across mobile nets than wired ones.

It's almost a guarantee that, during the next few years, there will be more trouble coming from your pockets than from your laptop bag.

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.
