Google needs to clean up its Android Market malware mess

Enough is enough! Google, clean up your Android Market malware mess now!
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Come on! I like a lot of what Google does, but its refusal to keep malware-laden apps out of the Android Market is inexcusable.

Just today, researchers at Lookout Mobile Security spotted more variants of DroidDream malware in the Android Market. On the same day, Fortinet spotted the Zeus banking Trojan in Android.

It's not that Android is uniquely vulnerable to malware. It's not. In fact, Android, which is based on Linux, not only has the Linux operating system's higher-than-usual resistance to attack; it also has the advantage of running applications in a Java-like virtual machine (VM), Dalvik. What all that means is that malware should actually have a great deal of trouble running on any Android device, and even if it does get on one, it should be locked in the VM where it can't harm any other applications.

So why does security firm Trusteer's CEO, Mickey Boodaei, claim that mobile malware will affect more than one in twenty devices within the next two years? And, specifically, that "Compared to Apple's App Store, Android Market is the Wild West. You can't always trust applications you download from it."

I'll tell you why: Because Google doesn't do an adequate job of checking programs registered for the Android Market for hostile intent and poisoned payloads before letting the public at them. When you download a malicious program, it's going to do nasty things to you. It's that simple.

It seems like all a hacker needs to do is submit their attack program to Google for the Android Market and it gets approved. What's that all about? You, and not Google, get to do the security and beta testing. This is insane.

The only reason we have so much malware on Android is that Google doesn't do basic security checking. I'm not asking for much, Google. Just run the applications on some test devices, see what they do, see if they grab resources and information they shouldn't be grabbing. This isn't rocket science. This is basic quality assurance.

As it is, you need to report bad applications to Google using the poorly named Report Inappropriate Apps page. Even once bad applications are out in the wild, Google doesn't seem to do a good job of tracking them down.

My job includes checking out programs for mistakes. Your job probably doesn't. Your life certainly doesn't. Security 101 is Google's job, not ours.

When you download an application from Google, you should be reasonably certain that it will do what it says it will and that it won't try to damage your system or steal your credit-card number. Is that too much to ask for, Google? I don't think so. I really don't.
