On Thursday Google revealed a new security feature for the Android Market store that's designed to protect Android users from malware. But does the service go far enough?
The new service, called 'Bouncer,' is designed to quietly and automatically scan the entire Android Market (and all new apps uploaded) for malware.
Hiroshi Lockheimer, VP of engineering for Android, explains how it works:
"The service performs a set of analyses on new applications, applications already in Android Market, and developer accounts. Here’s how it works: once an application is uploaded, the service immediately starts analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. We actually run every application on Google’s cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior. We also analyze new developer accounts to help prevent malicious and repeat-offending developers from coming back."
Lockheimer also revealed that this service has already been operational 'for a while now' and that between the first and second halves of 2011 Google saw a 40% decrease in the number of potentially malicious downloads from Android Market.
But is this enough? BitDefender's chief threat researcher Catalin Cosoi doesn't think so, and believes that malware writers will find a way to circumvent the screening mechanism:
"Also, based on our experience with malware analysis, malware writers will seek a way around security. For instance, in the PC malware world, we use virtual machines to analyse behavior of different samples we discover. Obviously, in time, malware writers added different routines to detect if the virus runs in a real computer or in a virtual environment, and they modified their software to act legit when running in a control environment. We might see the same phenomenon here, as Bouncer is a service that will emulate all apps uploaded on the Android Market. Not to mention that the Android API offers the possibility to detect if the app runs in an emulator or directly on the devices. So there is a high chance that we’ll see apps behaving correctly when used on a simulator and turning malicious when used on the mobile device."
Another, more immediate problem with 'Bouncer' is that the service doesn't scan for what's known as 'greyware,' a category that includes things such as spyware, adware, and aggressive ad platforms. This stuff isn't technically malware, but it's not desirable to have it installed on your handset either (it's annoying and can suck bandwidth).
I see 'Bouncer' as a small step in the right direction. Google could (and in my opinion, should) do more to protect Android users from the ever-increasing number of threats that they face.