
Has the Time Come for an Android Market Drug Test?

Android apps are becoming more popular as the Android operating system gains ground in the mobile market.

IDC expects Android to take more than 40 percent of the worldwide smartphone market in the second half of 2011.

However, with Android’s growing popularity comes a growing risk of malware attacks.

Malware has hit apps in the Android Market on at least two notable occasions this year, in March and then in early June, forcing Google to pull about 75 tainted apps in all.

Improper coding also affects users of Android apps. Motorola CEO Sanjay Jha has commented, in essence, that bad apps are behind 70 percent of the returns of Motorola’s Android devices.

Google’s open approach to the Android Market plays a part in these problems. Unlike Apple and Microsoft, Google doesn’t test or pre-vet apps submitted to its apps market.

Is it time Google clamped down and began testing Android apps before letting them into the Android Market?

Google’s Malware Problems

There are about 300,000 apps in the Android Market, and this number is expected to hit 425,000 by the end of August, Research 2 Guidance has predicted.

Meanwhile, In-Stat’s research shows that Android and Apple users are “significantly more likely” than BlackBerry users to download mobile apps.

The two malware attacks that hit Android apps this year used variants of the same code. Lookout Mobile Security, which discovered the attacks, christened the malware “DroidDream.”

It’s not clear exactly how many people were impacted in all, but Lookout Mobile estimates the June attack hit between 30,000 and 120,000 victims.

Sink, Swim or Go With the Flow

“The ubiquity of Android and its flexibility creates a real systemic risk if it’s not managed with care,” Tom Kellerman, chief technology officer at AirPatrol, told TechNewsWorld.

Android “has a very innovative model and takes extensive measures to make the system secure and control access to private information,” said Alicia diVittorio, a spokesperson for Lookout Mobile Security.

While both Apple’s iOS and Google’s Android platforms “have a level of systemic risk, Google has opted for an open model to give users more choice, and with more choice comes more responsibility,” diVittorio told TechNewsWorld.

Where Does the Buck Stop?

Google’s response to both DroidDream attacks was to pull the infected apps from the market.

Should it have taken a more proactive approach, possibly by having apps pre-vetted? Perhaps that approach could have prevented some bad apps from reaching phones, but no net is 100 percent effective.

“There is no authority on the Internet that keeps users from downloading malicious applications from any source,” Stephen Gates, director of field engineering at Top Layer, told TechNewsWorld.

“So why should we blame Google if we download a malicious app onto our Droid smartphone?” Gates asked.

User responsibility is a major factor in security, suggested Fred Touchette, a senior security analyst at AppRiver.

The Path of the Righteous

“Human nature is typically the weakest link in security,” Touchette pointed out. “Many of the dangers surrounding malicious apps could be avoided with more scrutiny of apps from the start.”

For example, many of the apps in the most recent Android malware attack had lurid names such as “Hilton Sex Sound” and “Hot Sexy Videos,” Touchette told TechNewsWorld.

“Those erring on the side of caution would most likely have been kept safe from falling prey to these malicious downloads,” Touchette said.

There’s No Way to Delay That Trouble Comin’ Every Day

The risk posed by Android apps is poised to spread to fields other than mobile devices.

Several companies have begun making Google TVs, which run Android apps.

A company by the name of Blue Stacks recently announced technology that will let users seamlessly run Android apps on their x86-based Windows devices.

That might open up a whole new world of hurt to Windows device owners.

Blue Stacks declined to comment when approached.

Openness Can Be a Good Thing

So should Google pre-vet apps?

The number of apps on the Android Market is staggering, and the cost of vetting the existing ones and pre-vetting incoming apps would be “astronomical,” Top Layer’s Gates pointed out.

Further, false positives — where a good app mistakenly tests as a bad one — would be a real issue.

“You would literally have to charge either the downloader or the writer of the app, making every application more expensive,” Gates said.

That proposition could run into a major obstacle, namely that few people are making money developing Android apps, as the majority of Android device users seem to prefer free apps.

“Pre-vetting apps would take away some of the appeal of Android’s open source platform, but it would increase security since it’s this very open source platform that’s the basis of Android’s vulnerability,” AppRiver’s Touchette stated.


More by Richard Adhikari