Unauthorized appstores up Android risk

Chinese Android users downloading apps from unauthorized online stores pose a significant danger to the open source Google mobile platform, which may in turn affect the Android ecosystem, warns IT security vendor Sophos.

A recent study released by Chinese security vendor NetQin to assess Android attacks, revealed that in the first quarter of 2011, 64 percent of Android users who suffered virus or malware attacks came from China. The United States ranked in second at 7.6 percent, followed by Russia, India and Indonesia which clocked at 6.1 percent, 3.4 percent and 3.2 percent, respectively.

Asked about the study findings, Graham Cluley, senior technology consultant at security vendor Sophos, noted that "white box" phones, or devices that are not tied to a particular carrier, will place security risks on operating systems (OSes) since they do not receive regular OS updates. However, he stressed that downloading apps from unauthorized stores pose a greater risk.

Cluley explained: "Security vulnerabilities are found in Android and [the Apple] iOS, just as they are in desktop OSes, so if users do not receive timely updates there is always the risk that they could be exposed to problems."

NetQin study pointed to white box phones as a main contributing factor to the Android threat landscape in China, alongside app downloads from WAP (Wireless Application Protocol) and Web sites.

The official Android Market is currently unavailable in China, and a number of Chinese carriers, phonemakers and independent companies have opened their own versions of the Android appstore in the domestic market. Some of these include Gfan and Mumayi.

While there is no shortage of apps targeted at China's Android users, consumers there could put themselves at risk if they downloaded "booby trapped apps", Cluley cautioned.

It is commonly recognized that apps are made available on these app stores without much scrutiny, thereby, increasing the risk of infecting smartphones.

Cluley said: "[The] Android [community] prides itself on being a more open, free-and-easy, operating system than iPhone iOS but as a result, it can also be easier for users to put themselves and their data in danger."

To reduce potential risks, the Sophos executive suggested that telcos in China offer an "alternative destination" for users to download apps and provide proper monitoring that will hopefully keep out malware and viruses.

Some of the top Android mobile threats outlined by the NetQin survey include malicious fee deduction, privacy theft and backdoor attacks, with OS-disrupting malware accounting for only 1 percent of overall attacks. Phones which bore the brunt of security attacks ran Froyo, Android versions 2.2, 2.1 and 2.3.

The report also pointed to the acquisition of root access and embedding of malware as contributing factors to Android's vulnerability.

While the Google mobile OS may be the subject of security attacks, Cluley noted that it is unlikely to "get as bad as the Windows desktop problem".

However, he underscored the need to beef up protection on the mobile platform. "Criminals will continue to target those sectors where they believe they can make money, especially if the users are not properly defending their data," he said.

He believes consumers ultimately must assume the role of protecting the device, just as it is their responsibility to secure their desktop or laptop, rather than the manufacturer's. "However, telcos and manufacturers do share some responsibilities, too, including the development and distribution of OS updates."

Android's "open-garden" approach has often been described by security watchers as a security risk to users who may unwittingly download unstable apps on their phones, and open the door for hackers to write malicious codes. Earlier this month, over 25 apps identified to contain malware were removed from Android Market. This followed a similar move in March which saw 58 malicious apps stripped from the Android appstore as well as remotely removed from devices they had been downloaded into.