Just days after developers discovered more than 50 mobile applications containing a hidden Android Trojan, Google has acknowledged a security gap in its Android Market, and said it would take steps to prevent malicious apps from appearing there in the future.
We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through the Android Market.
Android security leadGoogle, Inc.
Google Android security head Rich Cannings said the company was busy building new safeguards for the Android Market to help prevent future attacks. The steps include a mixture of people and security -- similar to measures Google took last year to reduce the number of malicious websites appearing in search engine results.
"We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through the Android Market and are working with our partners to provide the fix for the underlying security issues," Cannings wrote in the Google Mobile Blog.
Security experts have warned that mobile application vulnerabilities would present a new and potentially lucrative attack vector for cybercriminals. Mobile malware has been surfacing in a number of third-party Android application repositories as well as unofficial applications that can be downloaded on jailbroken iPhones.
A hidden Trojan called DroidDream was discovered last week in at least 50 Android applications. The malware could gain root access to the smartphone, giving it the ability to view the device's sensitive data and download additional malware. Cannings said Google engineers believe DroidDream gathered device-specific codes to identify mobile devices and the version of Android running on the device, but it could have stolen other data, he said. Google is automatically deploying a malware removal tool to victims, which wipes the malware from the infected device.
Experts agree that users should continue to stick to official marketplaces where malware is less of a problem. But malware in official application repositories will grow worse, warns Charles Miller, principal security analyst at Independent Security Evaluators. Miller said Google's Android Marketplace differs from Apple's more controlled App Store. Apple performs a scan of the application's binary for private APIs and other issues that could harm the performance of the iPhone. The centralized control has helped keep the iPhone relatively safe, he said. Anyone can put apps in the Android Marketplace, Miller said, "but at least users can see what other users think of the app and if something is really bad, Google can come in and remove it and also remotely remove it from user's phones."
"This centralized control helps reduce the risk of malware a little, but it is still becoming a problem and will continue to become even worse," Miller said. "Apple takes the centralized control a step further and examines each app before it is allowed in the Apple App Store. One can argue this restricts freedom of developers, but from a malware perspective, is the safest approach."
Tackling the problem of malicious applications is a complicated issue for Google and Apple because a whole ecosystem has been established around developing, hosting and deploying mobile applications, said Dave Wichers, a member of the Open Web Application Security Project and co-founder of Aspect Security. Like the desktop, as a platform's market share grows it becomes a target, Wichers said. The latest market share data from Nielsen shows Google edging out Apple in Rim with a 29% share of the U.S. market.
"For Google and Apple to do something at all will cost time, money and effort but at the same time they have the responsibility to provide some level of assurance to their customer base that the apps that they're making available through their mobile store are safe," Wichers said.