Google kind of, sort of, addresses Android Malware

Google kind of, sort of, addresses Android Malware

Summary: The good news is that Google has, sort of, addressed the recent Android security problems. The bad news is it's a long way from being a real fix.

SHARE:

I prefer Google's Android over Apple's iOS for smartphones. I'll take my Droid 2 over an iPhone 4, even though my carrier Verizon, now supports the iPhone. But, if Google can't do better with its malware mess, I may be forced to change my mind.

First, the good news. On Saturday, Google's Rich Cannings, the Android Security Lead, announced that:

1. We removed the malicious applications from Android Market, suspended the associated developer accounts, and contacted law enforcement about the attack.

2. We are remotely removing the malicious applications from affected devices. This remote application removal feature is one of many security controls the Android team can use to help protect users from malicious applications.

3. We are pushing an Android Market security update to all affected devices that undoes the exploits to prevent the attacker(s) from accessing any more information from affected devices. If your device has been affected, you will receive an email from android-market-support@google.com over the next 72 hours. You will also receive a notification on your device that "Android Market Security Tool March 2011" has been installed. You may also receive notification(s) on your device that an application has been removed. You are not required to take any action from there; the update will automatically undo the exploit. Within 24 hours of the exploit being undone, you will receive a second email.

4. We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues.

Where to start. Well, first it's great that Google has removed the malicious apps., but really wouldn't it have been better to do minimal checking on software before letting it on Android Market? I'm not asking for much here. I'd just like to know that Google has made sure that I'm not downloading malware from the official store.

Moving on, I'm of two minds about the remote application removal feature. Yes, I know many users are idiots and don't know the first thing about security. I get that. But, I'm not crazy about the idea that Google, or anyone else, can reach out and rip software out of one of "my" devices without my say-so. At least Google will be telling users what's going on, so that's something anyway.

If you're going to do that though, why should I need an update to keep the malware from doing anymore harm? Since Google is going to rip out the rotten programs anyway, wouldn't it better to just get it over with rather than just block its functionality?

Or, here's an idea. This malware only worked on versions of Android that were 2.2.2 or lower. So, how about making almost every Android user in the world happy---not to mention developers-and get the phone original equipment manufacturers (OEMs)--to update all their Android devices to 2.3, the latest major version? Sure, some phones using say Android 1.6 may not be able to handle it, but I'll bet most smartphones would do better with 2.3, not to mention being safer.

It's good that Google is making moves to prevent this kind of thing from happening in the future. I, for one, though would like to know more about it. It's nice to hear Google say that it and its partners are going to take action, but I want to know some details.

So what you do in the meantime to make sure your Android device is safe? Well, just like with your Windows PC, you pretty much have to install anti-virus (A/V) software.

There's a host of Android A/V programs on their way. The ones I recommend today are AVG's AntiVirus and Lookout Mobile Security. In addition to A/V defenses, both programs feature handy utilities to help find your phone if it goes missing and ways to keep a thief from stealing your information even if they get your phone. Regardless of what Google does, I highly recommend getting one of these two programs.

Topics: Android, Google, Hardware, Malware, Mobile OS, Mobility, Security, Smartphones

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

62 comments
Log in or register to join the discussion
  • Yuck.

    This is EXACTLY why I prefer iOS over Android. The idea that I have to install AntiVirus software on a resource stretched device like a phone (or tablet) is an anathema to most users. What on earth is that going to do to battery life? How often now would that phone in my pocket be a non-functioning brick with a flat battery? How effective will AntiVirus software for Android actually be? The track record of these AntiVirus products on Windows is hardly good.

    No, this isn't what I want from a phone. I want to know if I need to call someone the thing will actually function, I don't want to have to reboot it for "updates" and wait while virus signatures are downloaded, or worse, take it to a wall outlet to charge it.

    Seems this "smartphone" isn't very smart at all.
    jeremychappell
    • open

      @jeremychappell
      and yet the "open" fanatics still think open is a good thing. but suddenly the phony open vs. closed propaganda can't spin the ugly truth: android is open, as in open target.
      banned from zdnet
      • RE: Google kind of, sort of, addresses Android Malware

        @banned from zdnet

        And how did the "open" part of Android cause this? If this was caused by an app coming from a source other than the Google Market, you might be able to tell me that the "openness" of Android caused this. But that is not what happened. It was caused by one dominant market not doing their job. If Apple makes the same mistake (and kudos to them for not making this mistake thus far) not only are iOS users in exactly the same situation Android users find themselves after this fiasco, but they do not even get a chance to choose another market that WILL take better care of them.

        Slam Google all you want for this sloppiness, because they deserve it. But don't tell me that a closed system would have prevented this, because that is completely and utterly false. Due diligence is the reason this has not happened to Apple, and lack of it is why it has happened to Google.
        Michael Kelly
      • RE: Google kind of, sort of, addresses Android Malware

        @Michael Kelly

        Caused might be too strong a word, "facilitated" might be a better one. Google have an "open policy" in their Marketplace; you got an app - you're in. No vetting is done. So you can see this makes adding malware to the Android Marketplace very easy.

        Compare this to Apple's approach. Applications are heavily vetted, checked to see if they crash, if the do what they say (and crucially nothing "extra") and use only Apple's published APIs. Further more applications cannon read each other's files, cannot execute arbitrary background code, must quit at a moments notice to preserve resources. These restrictions make it very difficult to create (effective) malware on iOS. Even plugins are not allowed.

        I'm not saying it is "impossible" to create malware for iOS - but it is a good deal harder.
        jeremychappell
      • RE: Google kind of, sort of, addresses Android Malware

        @Michael Kelly,<br><br>You might want to check this (cough) fact<br>" If this was caused by an app coming from a source other than the Google Market"

        Seems to me there have been issues with both the Official "Google Market" as well as "open" Markets
        YaBaby
      • RE: Google kind of, sort of, addresses Android Malware

        @ Michael Kelly

        Yes and no. Google are of course to blame for the poor quality of the Android Market, and may yet be able to turn it round. At the same time, the incentive structure set up by Google, which is more in line with the open source ideology than the incentive structures set up by Apple or Microsoft, is very relevant to the outcome.

        Google charge a nominal registration fee to developers, but no ongoing developer or app fees. In contrast, Apple and Microsoft charge annual developer fees and collect 30 per cent of app revenues. Microsoft also charge a submission fee for free apps. Moreover, whilst Google give Android away, Apple earn a profit on every iPhone sold, and Microsoft earn a profit on every Windows Phone licence sold.

        Google's model is clearly more in line with the open source ideology, where giving away software is the norm. Indeed, the Android Market is the only one of the three that unambiguously allows developers to offer apps licensed under the GNU GPL. This is combined with Google's standard business model of collecting user information in order to sell advertising services. The economic incentives are thus completely different to Apple's or Microsoft's: advertisers, not users, are Google's customers, and improvements to the OS or the app verification system have no direct positive revenue impact.

        Ultimately, the fact that Android is open source doesn't necessarily imply that the OS and app verification schemes will be of poor quality. However, an incentive structure centred on the idea of giving away software promotes cost minimisation instead of revenue maximisation. There is no direct financial incentive either to improve the OS or to ensure that apps are of high quality. The incentives rather favour software produced as cheaply as possible, provided the quality meets the minimum level needed to retain users, and thus to sell advertising services.
        WilErz
      • RE: Google kind of, sort of, addresses Android Malware

        @jeremychappell

        If you choose to have your phone's potential functionality limited and put your trust in the human element that Apple provides for better or worse, then by all means I will not stop you or try to talk you out of that decision. I will say that the human element that Apple provides does not come without its downfalls, because those humans can make mistakes and can make decisions that are not always based on security issues.

        Personally I think it is worth the small risk involved to go with the open system, knowing I have to be more diligent in what I install, in return for more potential functionality. I also understand that this system will work best when Google has some real market competition to force them take all of their customers' concerns into account, which they do not truly have as yet. So while I feel Android has potential, it is nowhere close to realizing that potential whereas iOS does reach its potential. However Android does get better all the time, and yes while this is a big stumble it is not unfixable. And competition from Amazon will go a long way towards making sure Google takes care of its customers.

        The other big hurdle of course is the OS updates not being available, because this whole thing could have been avoided if customers had easy access to the latest patched OS.
        Michael Kelly
      • RE: Google kind of, sort of, addresses Android Malware

        @WilErz

        You statement makes it look like Open source means shoddy software. Just because Google uses Open Source mechanisms AND happens to be ad-centric in many ways doesn't mean the two are mutually inclusive. I would argue that Open source is monitored for software flaws at least as good os propritatry software due to the many open source users that watch these things, not to mention the many devs that try and avoid creating issues ans who remove them when they appear. Was it right for Google to let any app dev place an app into their store? no absolutely not, but you are not going to tell me that because they don't charge submission fees for free apps and they don't require a yearly subscription to make apps for their store that those were the reasons the malware exists, that is rediculous. The reason is simple and one-sided: Google needs to monitor their app store better, period.
        KBot
      • RE: Google kind of, sort of, addresses Android Malware

        @ KBot<br><br>Open source can be high or low quality, depending on the developers, the development process and the incentives (economic and otherwise). The same applies to closed source. Open source advocates offer all sorts of conjectures about open source supposedly leading to higher quality, but it's all speculation, without any rigour behind it and almost never considers economic incentives. Closed source advocates can offer just as many conjectures about closed source leading to higher quality, and often have the advantage of being able to incorporate economic incentives.<br><br>The question here is, why do Google monitor the Android Market so poorly compared with Apple's monitoring of the App Store or Microsoft's monitoring of the Windows Phone Marketplace? All three are profit maximising firms, so the obvious way to answer the question is to look at economic incentives. You can of course claim that Google employees simply aren't as clever or competent as Apple or Microsoft employees -- that's certainly a possibility -- but then you've got to explain why you think this situation has emerged.<br><br>The advantage of looking at economic incentives is that you don't have to assume things like stupidity and incompetence on the part of Google employees to understand why Google might be operating the way they do. From the developer perspective, the incentive structure of the Android Market promotes submission of as many apps as possible, irrespective of quality (or embedded malware). From Google's perspective, the lack of ongoing developer/submission fees or revenue sharing for apps promotes minimal investment in app vetting.<br><br>Compared with the Android Market, the economic incentive structures of Apple's App Store and Microsoft's Windows Phone Marketplace clearly promote higher app quality. From a developer perspective, the annual fees (combined with submission fees for free apps in the Microsoft case) and the possibility of an app being rejected respectively increase the costs of app development and decrease the potential pay-off of developing a low-quality (or malware) app. From the Apple/Microsoft perspective, revenue sharing promotes a bias towards higher quality apps, which are likely to generate higher revenue.<br><br>The other relevant feature of Android, of course, is its relatively high market share. All else equal, malware authors are going to target the most popular platform, so Android is at a disadvantage there. Nevertheless, Apple's restricted model was much more effective during the period in which iOS was more popular than Android.
        WilErz
      • Nothing to Do With Open Source

        @WilErz
        You make some valid points about the nature of the Google marketplace. However, the marketplace being more "open" has nothing to do with "open source." In fact, to the best of my knowledge, all of the malware infected apps were closed source.

        The choice that Google made about there being a lower bar of entry into the Google Marketplace, thus making it more open, has nothing to do with open source software. Open source advocates like open source and open standards, not 'open security.' Open source has worked well for keeping operating systems like Debian GNU/Linux and OpenBSD secure.
        CFWhitman
      • RE: Google kind of, sort of, addresses Android Malware

        @ CFWhitman

        I'm not arguing that the Android Market attracts low-quality apps and malware because Android is open source. I'm arguing that Google's business model for Android, which is responsible for the poor quality of the Android Market, is a product of the open source mindset that prevails at Google.

        In the context of the behaviour of profit maximising firms, the Android business model and the open source ideology are related. Profit maximising firms that invest in developing open source software do so only because the investment supports other businesses: support, hardware, services, proprietary software stacks that run on top of the open source software, etc. The key here is that software is not viewed as a revenue generating product. This is in sharp contrast to closed source business models, where software is the product.

        Google's business model for Android is virtually free of any attempt to use software (Android itself or Android apps) to generate revenue (for Google). All of the revenue comes from advertising and services, with software development dominated by cost minimisation. Google could certainly have used this business model with a closed source OS too -- that isn't the point. The point is that the mindset which views software as something to give away to support services is common to both the open source ideology (as it relates to profit maximising firms) and to Google's Android business model.
        WilErz
    • RE: Google kind of, sort of, addresses Android Malware

      @jeremychappell this "smartphone" cannot be smarter than the owner, by definition. It is just a piece of silicon after all, so treat it as one.
      pupkin_z
    • RE: Google kind of, sort of, addresses Android Malware

      like google :)
      www.awwgame.com
      lariosshow
    • RE: Google kind of, sort of, addresses Android Malware

      @jeremychappell They have a few competitors who would be interested in destroying their authority.
      <a href="http://www.reverselookupcell.org/">reverse lookup cell</a>
      antony111
  • And if the exploits disable the remote delete.

    This is reason #1 I will take iOS over Android any day of the week. Besides being better with battery and feeling much faster.
    Bruizer
    • RE: Google kind of, sort of, addresses Android Malware

      @Bruizer you would take it because you're in love with Steve Jobs and Anti Android... this has nothing to do with it and your bias was there before this ever became public.
      slickjim
      • RE: Google kind of, sort of, addresses Android Malware

        @Peter Perry In my experience, Android's fanboys seem to have become far more prevalent and annoying than Apple's. Your childish response to Bruizer's post epitomizes this phenomenon.
        titaniumdecoy
      • I am against a geek OS for mass adoption.

        @Peter Perry <br><br>You don't remember [Win95] and Win98 do you?<br><br>It is that simple. I have no issue being a product when using Google Maps/Earth because it is a great service. Google has a great search engine that I use over 60% of the time.<br><br>But I have already had friends start to think I will provide unlimited support for them when they can't figure out or mess up their android handset (does not seem to happen with iOS handsets).<br><br>When I suggest they move to WebOS, RIM, WP7 or iOS because they are better suited to most people, I get this "But I need Flash" (They don't know why they need Flash but they had a friend tell them that. Funny thing was, only 2 of them actually had Flash and the other dozen didn't and thought they did), <br><br>"But I need an open system so I can do things" (They never know what it needs to do but a friend told them they needed that), <br><br>"But Android has true multi-tasking" (Then never know what that allows for them and can't demonstrate one instance where it adds any functionality for them but they had a friend tell them they needed that). <br><br>"But Android provides better upgrade abilities and Apple makes you buy a new units to upgrade" (I ask if they can upgrade their RAM? They don't think so. How about the screen? No. How about the processor? No. Then you are running Android 2.3? We check? It is 2.1 or 1.6 or 2.2.1. But they can root it. So much for upgrades; they can't even keep a base Android handset running reliably and now they are going to "root it").<br><br>So yes, the geek community, like you, happily makes things up and out right lies because they hate all things Apple. They parrot things like "open" and "freedom" not knowing that this applies to the carriers more than it does the end user (also known as the product). They also don't understand that most users are crazy and will download "Hilton Sex Sounds" because it is on the Market Place so therefore safe.<br><br>So yes, Android is an amazing geek OS. The Atrix, while slightly flawed in implementation, was one of the coolest things I saw at CES this year. In many ways, the Atrix is today where I think 90% of phones will be in 3 years. As Android is currently run, however, it is a horrid solution for the mass consumer market.
        Bruizer
      • RE: Google kind of, sort of, addresses Android Malware

        @Peter Perry You ARE a troll... seriously you still sit here and call people out for preferring iOS and refuse to recognize the rampant issues with Android.
        athynz
      • RE: Google kind of, sort of, addresses Android Malware

        @Titaniumdecoy....can't agree with you more.
        johnsuarez10