Google removed a number of malicious applications from the Android Market last week. The programs exploited a vulnerability in the platform that allows attackers to gain root access and apparently create a backdoor for deploying further malware. In a statement posted on the official Google Mobile blog this weekend by Android security lead Rich Cannings, the company has clarified the situation and described the steps it is taking to address the problem.

In addition to preventing further infection by removing the malicious applications from the Android Market, Google will also be using its remote kill switch to forcibly uninstall the application from infected handsets. The company is also pushing out an update to the Android Market that can reverse the exploit, thus preventing the attackers from using it to cause further damage. Google has already started to send out e-mails to affected users in order to explain the situation.

Although Google can deploy software to undo the damage caused by the malware, the underlying vulnerability that the attackers exploited can't be closed so easily. Google says that the bug is fixed in Android 2.2.2 and later, but there are still a large number of users at risk because their handsets run a previous version of the operating system. Google is making a patch available, but it's going to be up to the carriers and handset makers to make sure that the patch gets deployed. In light of the mobile industry's poor track record of updating Android phones, it's possible that this flaw will continue to be exploitable on a considerable number of handsets.

According to Cannings, the attackers only extracted a unique identifier for each device and didn't go any further, but they could still potentially use the deployed malware for more insidious purposes.

"We believe that the only information the attacker(s) were able to gather was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices, and the version of Android running on your device). But given the nature of the exploits, the attacker(s) could access other data, which is why we've taken a number of steps to protect those who downloaded a malicious application," Cannings wrote.

Google also intends to adopt some measures that will block malicious applications with similar behavior from being distributed through the Android Market. Cannings didn't provide any specific details, however, about how that will be accomplished.

Google's response is reasonable, but it's troubling that many users will have to rely on the mobile carriers in order to get critical security updates. The problem reflects a serious weakness in Android's decentralized update model.