Android Market free-for-all blamed for malware avalanche

Android mobile malware samples have increased more than five-fold since July alone, according to a study by Juniper Networks. The ability of anyone to develop and publish an application to the Android Market – in contrast to the more restrictive model applied by Apple for iOS – is at least partly to blame for the huge increase …

COMMENTS

This topic is closed for new posts.
  1. James 47
    WTF?

    What Symbian viruses? The only one I could remember was Cabir that only changed the icons on the homescreen.

  2. Michael 36
    FAIL

    "no one checking to see that your application does what it says"

    Nobody could have seen that as a problem.

  3. Dr. Vesselin Bontchev
    Boffin

    Lecture time

    1) While occasionally malware has made it into the Android Market, the vast majority of such malware comes from alternate markets and stand-alone APK files distributed by various Web sites.

    2) If malware has been installed on the user's phone from the Android Market, Google has the capability to remove it from there without requiring the consent of the said user. Remove it from the user's phone, I mean - not just from the Android Market. However, this capability is not present, if the malware has been installed from alternate sources.

    3) Lookout is exaggerating a bit, IMHO. The known variants of Android malware are about half of what they state. 400+ - not 1000.

    4) It is most definitely not true that the Android applications store model "lacks signing". Just the opposite - every app must be signed, or it cannot be installed on a non-rooted device. The problems are elsewhere: (a) the apps are signed by their producer, not by Google (for comparison, the iPhone apps are signed by Apple) and (b) there is no review process. Arguably, the app access rights model is also flawed. It relies on the user being able to decide whether to install an app that requires specific rights. Most people don't even understand what these rights mean and just allow them. In addition, there is no way of granting only some of the requested rights to the app and later granting more rights or revoking some, if necessary.

    1. Anonymous Coward
      Anonymous Coward

      Care to elaborate on why your HO is more relevant than a security company's?

      1. Craigness

        More relevant

        He's a Doctor and Lookout is trying to sell you stuff.

        But their free version is pretty good too.

    2. Anonymous Coward
      Anonymous Coward

      It is most definitely not true that the Android applications store model "lacks signing"

      and how does "I sign and agree that this will fuck your phone" help anyone?

  4. Anonymous Coward
    FAIL

    Warning for the idiots.

    This bullshit FUD only mentions percentages, rather than actual numbers.... Which makes it rather meaningless.

    As even the most braindead can work out that if there were 2 malware apps last month and there were 4 this month, that's a 100% increase....

    1. Anonymous Coward
      Joke

      FUD

      Facts

      Unsettle

      Droid fan

      1. Prag Fest
        Meh

        @Nergatron

        So true, if they discovered Android regularly sends all your private data to Nigeria, clowns like Shitpeas would still try to argue it's some sort of iOS killing feature.

  5. austerusz
    Stop

    Far fetched

    The comparison to Windows is just a bit far-fetched. Getting malware on your phone happens if and only if you acknowledge and specifically download & install a malicious app. It's not the simple fact that malicious apps get on the Market and it's nothing like going on the same site you've been using for years only to get your system hijacked with the help of an iframe where some malicious JS was injected.

    Still, it wouldn't hurt if Google would establish a reviewing process. Whether it involves approving apps or simply testing apps as they are added, it would still help. Or even better, it opens up a market for third-party app auditors.

    1. Tom 13

      I expect Google will eventually recognize the

      money making opportunity of a "Google Approved Android App" cert, which is available only at the Android Market place. And it leaves open the possibility of third party apps which aren't certified, but installed at your own risk.

  6. Ian Yates
    Terminator

    The bigger issue

    is that Google didn't really consider the need for OTA security updates initially.

    It would be a much safer platform if Google could push security fixes as separate updates, assuming the affected component was "standard".

    I try to keep my Desire at the highest OS version, but Desire development is slowing in favour of newer handsets, so I may need to eventually upgrade.

  7. Anonymous Coward
    Anonymous Coward

    And here we go...

    ...with anti-Apple geeks who frequent these threads still trying to insist that the open-for-all Android model is better.

    Not for consumers it isn't. Google will rein this shit in and "go Apple" sometime next year, mark my words.

    1. a_been

      No they won't

      Google don't give a fuck about malware, it doesn't affect their customers or their profits.

  8. Anonymous Coward
    Holmes

    Rate of Infection?

    The real question here should be is it a real problem for the average Android user?

    If you only shop for and install apps from Google’s own Android Market or Amazon’s Appstore, are you likely to encounter it?

    I would say app infection is likely that a Trojan.

    If a couple of hundred people in the street were stopped and their phones inspected, how many would be infected as a percentage of the installed base?

    Malware is a problem on Android. But how much of one?

    Apart from the one that comes included on some handsets straight from the factory.

    http://www.xda-developers.com/android/the-rootkit-of-all-evil-ciq/

  9. Craigness

    Permissions

    Android's permissions system could be improved - made more fine-grained and have the user able to decline specific permissions before install for example - but it's good enough to prevent most malware being installed. Spyware which has a legitimate use might not be detectable, but most things are. Here's something like what people are shown when they download malware:

    Welcome to Android Market. You have chosen to install "Talking Hamster". It requires the following permissions:

    Connect to the internet

    Read system log files

    Detect running apps

    Detect phone location

    Detect user accounts

    Connect to user accounts

    Read phone identifiers

    Read and write calendar

    Read and write contacts

    Read and write SMS

    Send SMS to premium rate numbers

    Phone premium rate numbers

    Read, write and delete SD card data

    Record audio

    Prevent phone from sleeping

    Do you want to continue?

    1. Anonymous Coward
      Anonymous Coward

      Yep... that would scare the crap out of me... because I know what they are, and the consequences of their abuse.

      However, perhaps the slightly thick user or kid with a new toy is probably going to accept anyway, because they want the 'Talking Hamster' and not let a few mysterious allowances get in the way.

      There are probably enough of these kinds of users to make a zombie ecosystem worthwhile.

      I say nip it in the bud now, before this stuff can escape the kill switch and run wild.

    2. Anonymous Coward
      Anonymous Coward

      Or as the article says they could use one of the vulnerabilities in Android to bypass this completely

      "In the early spring, we began seeing Android malware that was capable of leveraging one of several platform vulnerabilities that allowed malware to gain root access on the device, in the background, and then install additional packages to the device to extend the functionality of the malware.

      Today, just about every piece of malware that is released contains this capability, simply because the vulnerabilities remain prevalent in nearly 90 per cent of Android devices being carried around today. Attackers know this, and they’re using it to gain privilege escalation on the device in order to gain access to data and services that wouldn’t otherwise be available."

    3. Gordon 10

      @craigness FAIL

      You are utterly missing the point.

      Normal punters won't even stop to review those and frankly there is no reason they should have to. It's a complete user experience fail.

      Reading a page of fine grained permissions is a function for geeks only.

      Expect Amazon to gain ground with their tighter controlled app store if this issue becomes bigger.

      The only thing that will stop this issue becoming like the current win desktop scenario is that the average life of a handset is much shorter than a desktop.

      Apple's control freakery makes perfect sense in this case. People swap a small degree of freedom for the comfort that the only people sucking their bank account dry are their mobile telcos.
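
A reviewer's reading of the permission list in comment 9 and of point 4 in comment 3, as an added example that is not part of the thread or the article: a Python sketch that reads a decoded AndroidManifest.xml and reports what the requested permissions allow in combination. The rule set, the package names and both sample manifests are constructed for illustration; real APKs store the manifest in binary form and need decoding first.

```python
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
PREFIX = "android.permission."

# Assumed review rules (not Google's): a finding fires only when every
# permission in its set is requested, i.e. the app can both obtain something
# sensitive and move it off the device, or can spend money directly.
RULES = {
    "can send SMS, including to premium-rate numbers": {"SEND_SMS"},
    "can place calls, including to premium-rate numbers": {"CALL_PHONE"},
    "can read SMS and upload it": {"READ_SMS", "INTERNET"},
    "can read contacts and upload them": {"READ_CONTACTS", "INTERNET"},
    "can record audio and upload it": {"RECORD_AUDIO", "INTERNET"},
    "can track location and upload it": {"ACCESS_FINE_LOCATION", "INTERNET"},
    "can read system logs and upload them": {"READ_LOGS", "INTERNET"},
}

def requested_permissions(manifest_xml):
    """Return the short names of all platform <uses-permission> entries."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID_NAME, "") for e in root.iter("uses-permission"))
    return {n[len(PREFIX):] for n in names if n.startswith(PREFIX)}

def audit(manifest_xml):
    """Return the findings whose permission sets are fully requested."""
    perms = requested_permissions(manifest_xml)
    return sorted(f for f, needed in RULES.items() if needed <= perms)

def manifest(package, perms):
    """Build a constructed, already-decoded manifest for the demo below."""
    uses = "".join(
        f'<uses-permission android:name="{PREFIX}{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            f' package="{package}">{uses}</manifest>')

# Constructed samples: a cut-down "Talking Hamster" and a plain news reader.
HAMSTER = manifest("com.example.talkinghamster",
                   ["INTERNET", "READ_LOGS", "ACCESS_FINE_LOCATION",
                    "READ_CONTACTS", "READ_SMS", "SEND_SMS", "CALL_PHONE",
                    "RECORD_AUDIO", "WAKE_LOCK"])
READER = manifest("com.example.newsreader", ["INTERNET", "WAKE_LOCK"])

if __name__ == "__main__":
    for label, xml in (("hamster", HAMSTER), ("reader", READER)):
        print(label, audit(xml) or "no findings")
```

Pairing each data-access permission with INTERNET keeps an offline app that only reads contacts from being flagged, which is the distinction a flat permission list hides from the user.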
