1. We removed the malicious applications from Android Market, suspended the associated developer accounts, and contacted law enforcement about the attack.
2. We are remotely removing the malicious applications from affected devices. This remote application removal feature is one of many security controls the Android team can use to help protect users from malicious applications.
3. We are pushing an Android Market security update to all affected devices that undoes the exploits to prevent the attacker(s) from accessing any more information from affected devices. If your device has been affected, you will receive an email from firstname.lastname@example.org over the next 72 hours. You will also receive a notification on your device that "Android Market Security Tool March 2011" has been installed. You may also receive notification(s) on your device that an application has been removed. You are not required to take any action from there; the update will automatically undo the exploit. Within 24 hours of the exploit being undone, you will receive a second email.
4. We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues.
Where to start. Well, first it's great that Google has removed the malicious apps., but really wouldn't it have been better to do minimal checking on software before letting it on Android Market? I'm not asking for much here. I'd just like to know that Google has made sure that I'm not downloading malware from the official store.
Moving on, I'm of two minds about the remote application removal feature. Yes, I know many users are idiots and don't know the first thing about security. I get that. But, I'm not crazy about the idea that Google, or anyone else, can reach out and rip software out of one of "my" devices without my say-so. At least Google will be telling users what's going on, so that's something anyway.
If you're going to do that though, why should I need an update to keep the malware from doing anymore harm? Since Google is going to rip out the rotten programs anyway, wouldn't it better to just get it over with rather than just block its functionality?
Or, here's an idea. This malware only worked on versions of Android that were 2.2.2 or lower. So, how about making almost every Android user in the world happy---not to mention developers-and get the phone original equipment manufacturers (OEMs)--to update all their Android devices to 2.3, the latest major version? Sure, some phones using say Android 1.6 may not be able to handle it, but I'll bet most smartphones would do better with 2.3, not to mention being safer.
It's good that Google is making moves to prevent this kind of thing from happening in the future. I, for one, though would like to know more about it. It's nice to hear Google say that it and its partners are going to take action, but I want to know some details.
So what you do in the meantime to make sure your Android device is safe? Well, just like with your Windows PC, you pretty much have to install anti-virus (A/V) software.
There's a host of Android A/V programs on their way. The ones I recommend today are AVG's AntiVirus and Lookout Mobile Security. In addition to A/V defenses, both programs feature handy utilities to help find your phone if it goes missing and ways to keep a thief from stealing your information even if they get your phone. Regardless of what Google does, I highly recommend getting one of these two programs.