From the blog article:
"The only reason we have so much malware on Android is that Google doesn?t do basic security checking.
More than a few Android-based device mfrs and carriers have failed to provide their users with timely firmware updates. Meaning that a subset of their customers are running Android versions on their mobile devices with known vulnerabilities. If Android's popularity continues to grow, these vulnerabilities will not be ignored by the malware miscreants and exploits will be crafted just like on Windows.
Google and it's OHA partners need to fix this too.
Come on! I like a lot of what Google does, but its refusal to keep malware-laden apps out of the Android Market is inexcusable.
Just today, researchers at Lookout Mobile Security spotted more variants of DroidDream malware in the Android Market. On the same day, Fortinet spotted the Zeus banking Trojan in Android.
It’s not that Android is uniquely vulnerable to malware. It’s not. In fact, Android, which is based on Linux, has not only the Linux operating system’s higher than usual resistance to attack; it also has the advantage of running applications in a Java-like virtual machine (VM), Dalvik. What all that means is that malware should actually have a great deal of trouble running on any Android device, and even if it does get on one, it should be locked in the VM where it can’t harm any other applications.
So why, does security firm Trusteer CEO Mickey Boodaei claim that mobile malware will affect more than one in twenty devices within the next two years? And, specifically that “Compared to Apple’s App Store, Android Market is the Wild West. You can’t always trust applications you download from it.”
I’ll tell you why: Because Google doesn’t do an adequate job of checking programs registered for the Android Market for hostile intent and poisoned payloads before letting the public at them. When you download a malicious program, it’s going to nasty things to you. It’s that simple.
It seems like all a hacker needs to do is submit their attack program to Google for the Android Market and it gets approved. What’s that all about? You, and not Google, get to do the security and beta testing. This is insane.
The only reason we have so much malware on Android is that Google doesn’t do basic security checking. I’m not asking for much Google. Just run the applications on some test devices, see what they do, see if they grab resources and information they shouldn’t be grabbing. This isn’t rocket science. This is basic quality-assurance.
As it is, you need to report bad applications using the poorly named Report Inappropriate Apps page to Google. Even once bad applications are out in the wild, Google doesn’t seem to do a good job of tracking them down.
My job includes checking out programs for mistakes. Your job probably doesn’t. Your life certainly doesn’t. Security 101 is Google’s job, not ours.
When you download an application from Google, you should be reasonably certain that it will do what it says it will and that it won’t try to damage your system or steal your credit-card number. Is that too much to ask for Google? I don’t think so. I really don’t.
Related Stories:
Google Android Market malware problem escalates
Google overhauls Android Market for smartphones, adds bookstore
Report: Mobile malware to affect more than 1 in 20 devices within 12 to 24 months
