Google removed a slew of apps containing malware from the Android Market on Tuesday.
At least 21 of the tainted apps appear to have come from publisher called “Myournet,” which copied apps developed by others and modified them to include a Trojan horse before re-uploading them, according to an Android Police blog post by Aaron Gingrich.
Before their removal, the apps garnered between 50,000 and 200,000 downloads. The apps caused the phone to perform functions without the owner’s consent. The Trojan embedded in them used a root exploit to access all of the phone’s data and download malicious code.
The publisher has been removed from the Android Market completely, and its apps reportedly have been deleted from phones, but this won’t remove code that has been back-doored into a phone’s program. Google reportedly is working on that problem.
Android Police learned of the apps from a Reddit user and then contacted Google, which removed the apps within five minutes, Gingrich said in his post. However, Google reportedly did not respond to a developer who was attempting to alert it to the problem for more than a week.
Google was not able to provide specific comments by press time, but spokesperson Jay Nancarrow told the E-Commerce Times the company is still looking into the malware matter.
Open for Good and Bad
The open Android ecosystem allows more freedom for developers, but it can also be less safe for users.
“An open platform ecosystem such as Android offers lots of positives for device vendors, operators, developers and consumers, but comes with a caveat of unregulated third-party applications, which has let different malware easily creep into the Android devices,” said Neil Shah, analyst for wireless devices strategies at Strategy Analytics.
“It has been a bottom-up approach, where affected users report to Google and wait for Google to take necessary actions,” Shah told the E-Commerce Times. “With some notable exceptions, Google might sweep out a number of malicious apps together in a burst mode.”
Help is not necessarily on the way.
“The situation can get worse as the Android ecosystem fragments with multiple devices, multiple vendors, multiple operators and, especially, multiple Android marketplaces,” said Shah.
“The security control could become difficult as the number of third-party Android apps grows exponentially,” he noted. “In comparison, Apple’s walled-garden approach is somewhat robust with just one controlled marketplace. Apple has put in resources to check and filter every app before it enters Apple’s App Store.”
Even with its security processes, Apple is still vulnerable to malware.
“Apple’s tight approach doesn’t necessarily guarantee security from the sea of third-party apps,” said Shah. “There have been instances where a bunch of third-party apps on the App Store have been quarantined after reported security threats, and higher threats loom for the jailbroken devices.”
Google Security Not Ready for the Enterprise Market
Despite the challenges, Google could take steps to heighten the Android Market’s security.
“Google has a good opportunity to earn the consumer mindshare with timely and proactively monitoring of the third-party apps,”said Shah. “Google could provide an Android security app or even partner with leading security providers such as Symantec to cordon off these malicious apps.”
This will be especially important if Google has ambitions to push Android into the enterprise space, he continued. “Handset vendors or carriers can bundle a security solution along with the Android device.”
Security updates and notifications could also help Android users.
“Google could push out regular security updates bundled with the platform software updates and enhance the security of its devices,” said Shah. “Google could also come out with a better notification system if the personal information on a smartphone is being compromised — and also make efforts in educating its users on either using certified-marketplaces and apps or a third- party security solution.”
Android Wears a Bulls-Eye
As Android OS smartphones and tablets gain popularity, they become bigger targets for hackers.
“This further highlights that smartphones and tablets, running Android in particular, are not immune from rogue developers and hackers,” Chris Hazelton, research director for mobile and wireless at the 451 Group, told the E-Commerce Times. “As these devices take on a greater share of computing, they will also gain more attention from criminals.”
Google’s five-minute malware deletion demonstrates Google’s security chops once a problem is revealed. The security front end, however, needs attention.
“The actions taken by Google to quickly — once identified — remove the apps listed in Android Market and remotely wipe these apps from users’ devices shows that Google does have substantial security tools,” said Hazelton. “That said, there is a significant gap in Google’s security model in allowing published apps to be re-posted to Android Market by another developer after bundling in malicious code.”
While Google doesn’t need to add barriers to its open model, in Hazelton’s view, the Android security system clearly needs work.
“Android Market benefits from the open nature of Google’s approval process, but this model needs to be fine-tuned a bit to prevent published applications from being repackaged with malware,” he said. “Google does not need to emulate Apple’s app approval process, but it should move closer to a more activist role in cleaning up Android Market.”