Despite revelations that more malicious apps had appeared on its Android Market, Google is sticking to its original developer agreement framework which does not entail vetting apps before publishing them. An analyst called on it to provide a better app download approval system to mitigate risks of its open app ecosystem, though.
It was reported earlier that Google had pulled 58 malicious apps from its Android Market, but not before they had been downloaded to about 260,000 devices. The company said it had remotely killed the apps on all these devices and that, although the apps were malicious, only device-specific information such as a phone's IMEI number was compromised; no personal data or account information was leaked. The apps targeted known vulnerabilities in devices running Android 2.2.1 or older, the report noted.
Despite the attack, Google told ZDNet Asia via e-mail that it had no plans to pre-screen apps before publishing them on Android Market and would be sticking to its original Developer Distribution Agreement guidelines. It also said the faulty security patch, which caused the malicious apps incident, had been fixed in versions 2.2.2 onward.
Myla Pilao, director of core technology marketing at Trend Micro, said that, ultimately, the incident was "not that serious".
"With an open ecosystem, Android offers a less restrictive platform that has the potential to publish innovative apps to the market faster. Applying restrictions in app publishing will defeat the open ecosystem Android is trying to achieve. Every system has its risks and benefits," she commented in an e-mail.
That said, the recent wave of Android Trojans signifies the cybercriminals are now recognizing the potential of Android phones as targets, Pilao added.
Some of these Trojans include ANDROIDOS_DROIDSMS.A, which was disguised as Windows Media Player and used to send text messages to premium mobile numbers, and Tap Snake, which was programmed to send a user's GPS location to a remote controller, allowing the controller to monitor the whereabouts of the infected device.
Permission-based approval process
To counter these risks, Canalys principal analyst Daryl Chiam suggested that Google could strengthen its approval process, depending on the apps' need for user data access.
"Apps that only require a basic level of access, such as location, can be approved quickly. Those that need access to phone user data and the address book will need more scrutiny before being made available on Market," he suggested in a phone interview.
Pilao, however, thought the current explicit "permission" system, which lists the information the app will need to access before users download an app, allows Android to fulfill its responsibility toward users.
"This way, the users will not only have an idea on what the app does, but they can also have an idea on what it shouldn't do. The user can then decide based on the permissions to install the app or not," she noted.
Users, developers responsible too
Google is not resting on its laurels though, calling on developers to be responsible merchants to their customers. It said: "On all computing devices, users necessarily entrust at least some of their information to the developer of the application they're using. Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer."
"If users believe an application is harmful or inappropriate, they can flag it, give it a low rating, leave a detailed comment, and of course, remove it from their device. Applications deemed to be in violation of our policies are removed from Market. Abusive developers can also be blocked from using the Android Market for repeated or egregious violations of our policies," the spokesperson commented.
Of these efforts, Chiam said that Google can do more to raise user awareness. But phone owners, too, have to take initiative to learn more about an app before downloading it, he added.
Both he and Pilao stressed that users should read "as much information as they can" about an application before installing it, and should check its permissions to confirm that it will access only the information needed to carry out its functions.
"If it's a chess game that you play against the computer, there's no reason for it to access your address book. Similarly, if it is a weather app, then the location may be all that it requires," the Canalys analyst said.
"Downloading applications from the official Google Android Market only can definitely help filter out possibly malicious applications. Having a mobile security suite installed will protect users from threats that may arrive through different vectors," Pilao added.
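A concrete form of the permission review Chiam and Pilao describe above, added here as an example that is not from the article, from Google or from Trend Micro: a Python script that reads an app's AndroidManifest.xml, lists the permissions it requests, and flags any outside what its category plausibly needs. The category allowlists, the high-risk set and the two sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Android manifests put the "name" attribute in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed allowlists: what an app of each category plausibly needs
# (chess game vs. weather app, as in the article). Not an official list.
EXPECTED = {
    "game": {"android.permission.INTERNET", "android.permission.VIBRATE"},
    "weather": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.ACCESS_FINE_LOCATION",
    },
}

# Permissions that map onto the abuse patterns the article describes:
# premium SMS (SEND_SMS), location tracking, address-book and device-id theft.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def audit(manifest_xml, category):
    """Compare requested permissions with the category allowlist.

    Returns the permissions the category does not explain, and the subset
    of those that are high risk and deserve a closer look before installing.
    """
    unexpected = requested_permissions(manifest_xml) - EXPECTED[category]
    return {"unexpected": sorted(unexpected),
            "high_risk": sorted(unexpected & HIGH_RISK)}


# Constructed sample: a "chess game" that also wants contacts and SMS sending.
CHESS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.chess">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

# Constructed sample: a weather app that asks only for what it needs.
WEATHER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>"""
```

Running `audit(CHESS_MANIFEST, "game")` flags READ_CONTACTS and SEND_SMS as high risk, while `audit(WEATHER_MANIFEST, "weather")` reports nothing unexpected.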