Google needs to clean up its Android Market malware mess

Summary: Enough is enough! Google, clean up your Android Market malware mess now!

Come on! I like a lot of what Google does, but its refusal to keep malware-laden apps out of the Android Market is inexcusable.

Just today, researchers at Lookout Mobile Security spotted more variants of DroidDream malware in the Android Market. On the same day, Fortinet spotted the Zeus banking Trojan in Android.

It's not that Android is uniquely vulnerable to malware. It's not. In fact, Android, which is based on Linux, has not only the Linux operating system's higher than usual resistance to attack; it also has the advantage of running applications in a Java-like virtual machine (VM), Dalvik. What all that means is that malware should actually have a great deal of trouble running on any Android device, and even if it does get on one, it should be locked in the VM where it can't harm any other applications.

So why does Mickey Boodaei, CEO of security firm Trusteer, claim that mobile malware will affect more than one in twenty devices within the next two years? And, specifically, that "Compared to Apple's App Store, Android Market is the Wild West. You can't always trust applications you download from it."

I'll tell you why: Because Google doesn't do an adequate job of checking programs registered for the Android Market for hostile intent and poisoned payloads before letting the public at them. When you download a malicious program, it's going to do nasty things to you. It's that simple.

It seems like all a hacker needs to do is submit their attack program to Google for the Android Market and it gets approved. What's that all about? You, and not Google, get to do the security and beta testing. This is insane.

The only reason we have so much malware on Android is that Google doesn't do basic security checking. I'm not asking for much, Google. Just run the applications on some test devices, see what they do, see if they grab resources and information they shouldn't be grabbing. This isn't rocket science. This is basic quality assurance.

As it is, you need to report bad applications using the poorly named Report Inappropriate Apps page to Google. Even once bad applications are out in the wild, Google doesn't seem to do a good job of tracking them down.

My job includes checking out programs for mistakes. Your job probably doesn't. Your life certainly doesn't. Security 101 is Google's job, not ours.

When you download an application from Google, you should be reasonably certain that it will do what it says it will and that it won't try to damage your system or steal your credit-card number. Is that too much to ask for, Google? I don't think so. I really don't.


Topics: Malware, Android, Google, Security


Talkback

41 comments
  • Add a bit of luck too

    From the blog article:
    "The only reason we have so much malware on Android is that Google doesn't do basic security checking."

    More than a few Android-based device mfrs and carriers have failed to provide their users with timely firmware updates. Meaning that a subset of their customers are running Android versions on their mobile devices with known vulnerabilities. If Android's popularity continues to grow, these vulnerabilities will not be ignored by the malware miscreants and exploits will be crafted just like on Windows.

    Google and its OHA partners need to fix this too.
    Rabid Howler Monkey
    • The android app permission system is flawless.

      @Rabid Howler Monkey

      The only way to get malware on your android phone is to not pay attention. This has nothing to do with delayed updates.

      I'm getting a bit tired of all of this. So far no program has managed to install itself on your phone. If you install from the market you can be 99% sure that it is not malware. If you look at the rating and comments before you download you can be 99.9% sure. If you check the permissions the app needs you can be 100% sure.

      I have 200+ apps and no malware. It's all about installing apps using your brain. FYI I also download apps from outside the market; to be able to do this you need to tick this option in the settings first. Before you install ANY app, you will have a screen with the permissions the app wants/needs. There are even (free) programs that can revoke permissions from any app. (facebook can't read my text messages for instance)

      @Steven J. Vaughan-Nichols
      "When you download an application from Google, you should be reasonably certain that it will do what it says it will and that it won't try to damage your system or steal your credit-card number. Is that too much to ask for Google? I don't think so. I really don't."

      You are certain, since you can see what kind of permissions it needs. "THINK MCFLY THINK" *poking your head*

      If you install a game that wants access to your google account, either revoke the access or don't install it. Simple as that.

      It's not like we have infected PDFs messing with our phones

      EDIT: The average time an infected app is on the market is less than one and a half day. Good journalism. Perhaps try to figure out what an OPEN market means. Google however, is making sure that those apps get removed from the market. Do some research next time instead of raging senseless over some gossip you read at some blog.

      Enough is enough! sjvn needs to try real journalism! (see what I just did there?)
      S. DeGarnd
      • RE: Google needs to clean up its Android Market malware mess

        @S. DeGarnd

        Customers using older versions of Android-based devices with known vulnerabilities is well documented. Just because the malware miscreants have not yet taken advantage of these vulnerabilities to craft exploits is beside the point. It's an accident waiting to happen. Enough on the fabled invulnerability of Android or, more generally, Linux.

        As far as the Android Market goes, your points on conducting a bit of research before installing an app and being aware of the permissions that an app requests, whether during or after the install, are well taken. However, users have a right to assume that apps available in Google's Android Market are free of malware. Google does not need to censor its apps as does Apple for their app store. They just need to vet the apps from a malware perspective. Another positive benefit of Google vetting apps would be that sloppy Android app devs would pay more attention to the permissions their apps request during installation and not request unneeded permissions.

        Outside the Android Market? Let the buyer beware. Your points are dead on. And kudos to Google for constructing Android in such a manner that users can view an app's permissions and either abort an install or remove an app after the install.
        Rabid Howler Monkey
      • RE: Google needs to clean up its Android Market malware mess

        @S. DeGarnd They say that denial is the first step to admitting there is a problem. You act exactly like the Mac fanboys when they were first confronted by proof that Mac Defender did in fact affect the Mac platform and allowed the unwary to infest their Macs with malware.

        The reason this keeps popping up - and from the SJVN of all people - is because this IS an issue. And the Android App permission system is hardly flawless.
        athynz
  • Good luck with that

    Android isn't Google's primary concern. As such, the service will suffer.

    With Google branching out into every single freakin territory you can in the tech world, the supply lines will get thinner, and thinner, therefore diminishing what the company can do in a respectable amount of time.

    Think of Nazi Germany and its attack on the Soviet Union.
    The one and only, Cylon Centurion
    • RE: Google needs to clean up its Android Market malware mess

      @Cylon Centurion
      You are comparing competition with Nazi attacks? What do you do, work for MS?
      anono
      • RE: Google needs to clean up its Android Market malware mess

        @anono

        Yes/No. I'm simply saying Google could be spreading their resources too thin. Google seems to want to be in everyone's business, but doesn't seem all that interested in "keeping up with the Jones'"
        The one and only, Cylon Centurion
      • Do you have another analogy that works better?

        @anono
        Just saying.
        William Pharaoh
    • RE: Google needs to clean up its Android Market malware mess

      @Cylon Centurion Not true at all, you see Google actually hired a bunch of people even though they knew their stock would take a hit for it... If anything they're a tech talent vacuum!
      slickjim
      • RE: Google needs to clean up its Android Market malware mess

        @Peter Perry

        Yes, but at the same time, Google is seeing most of that talent go elsewhere.

        http://articles.cnn.com/2010-12-24/tech/ex.google.employees_1_google-chrome-user-data-target-ads?_s=PM:TECH
        The one and only, Cylon Centurion
  • RE: Google needs to clean up its Android Market malware mess

    Wow... Another reason I am happy to have chosen the iOS world.

    Don't get me wrong, I have used an Android phone for a couple weeks and it is a quality device... but if security is that lax in the store that should be trusted to get apps on your device, there is no way I want to be a user of that device OS.
    Geuseppi
  • Clearly google doesn't care. They should but they don't

    How short sighted is that? Unless there's some longer term internal strategy to replace android with chrome on smartphones as well...
    Johnny Vegas
  • RE: Google needs to clean up its Android Market malware mess

    Remember they are building Android out of the kindness of their hearts (it's open source). It is very rude of you to look a gift horse in the mouth.
    nanderto
    • RE: Google needs to clean up its Android Market malware mess

      @nanderto Put down the kool aid. Google does NOTHING without thinking of making cash off of it... nothing. And Android being open source right now is a bit up in the air with Android 3x as they have not released the source code to the wild. Kinda hard to be open source without making the source code open.
      athynz
      • RE: Google needs to clean up its Android Market malware mess

        @athynz
        I actually wish Google would follow a strategy where they open source 3.x only after releasing 4.x and then open source 4.x after releasing 5.x. I think it would be good for consumers because if Google decided to screw with us then any other company can simply carry on development without Google and just be only one generation behind. Also, manufacturers hopefully can't integrate their crap as well if they want the latest version of the OS.
        anono
      • RE: Google needs to clean up its Android Market malware mess

        @athynz 3.2 is rolling to devices right now and I honestly think after that rolls out they will release the source code. I believe there are features they wanted to implement before putting the code out and having others creating forked feature sets the way they did with copy and paste.
        slickjim
  • RE: Google needs to clean up its Android Market malware mess

    Although this issue needs to be fixed, tech smarts should still apply. A quick check of what permissions an app requests which all apps state should be reviewed to see if they are relevant to the app, i.e. wallpaper requiring phone call logs and internet access. (Kinda like blaming windows because you're looking at shady websites)
    whitey725
  • RE: Google needs to clean up its Android Market malware mess

    There are two assumptions that are wrong. Linux is no better than any other 20C OS for security and a virtual machine can have even more holes - witness Java trying to patch its bugs every week.

    In the end, Android is just another simple OS with multiple versions developed by an advertising company - I'd start worrying if I had an Android phone ;-)
    tonymcs@...
    • RE: Google needs to clean up its Android Market malware mess

      @tonymcs@...
      You'd worry even more if Ballmer wasn't there to tell you what to use.
      anono
      • RE: Google needs to clean up its Android Market malware mess

        @anono +1
        T-Wrench