Skip to main content

Google's Android Market web store opens new malware threat

Security researchers at Sophos are urging Google to remove automatic over-the-air installation of apps as a feature from its new web store, noting that it makes the silent addition of malware and spyware to Android users' devices far too easy.

Google announced its new web-based Android Market last week at its Android 3.0 Honeycomb introduction, as part of an effort to kickstart slow Android app sales, something the company said it was "not happy" about.

However, just days later security firm Sophos has issued a warning that says Google's implementation of app sales via its website is flawed because there is no acceptance step by users on their phone.

Unlike Apple's iTunes Preview website, which allows users to browse for apps on the web but then directs them to iTunes to securely complete their purchase, Google's new web-based Android Market allows users to select and buy apps directly on the web site and then have the apps remotely installed on their device, something that is touted as a unique feature.

What if somebody else installs an app on your account?

Purchased apps are then streamed directly to the user's handset and automatically installed. The problem, researchers say, is that there is no approval mechanism that would indicate to a user that apps are being installed. Therefore, if a third party were able to access a user's account information, they could easily install apps on the user's phone without that person being aware this was even happening.

Additionally, apps on Android have far broader access to features on the phone; Google leaves the security ramifications related to apps up to the user when the app is being purchased. For example, an app that wants the ability to read all data on the phone, send fee-based SMS messages, and track the user's location must note these requests in Android Market, leaving it up to the user to decide if those requests are justified or reasonable.

However, because the new web store makes it easy for a malicious third party to bypass these choices and simply install apps behind the users' back, Android users must now be extra vigilant to monitor what apps are installed on their phone, because there is no curation by Google and no installation approval on the device itself.

In contrast, iOS apps must first pass Apple's review process and then the user must manually download the apps through iTunes or directly from their iPhone via the App Store app; Apple never beams apps directly to users' devices for unattended, quiet install.

Fishing for Passwords

Android's new security problem requires users' passwords to be intercepted by a malicious third party. Apple's iTunes users have already been regularly targeted by multiple attempts to either guess, crack or simply "phish" their passwords by malicious users seeking to obtain access to their accounts.

The difference is that with iTunes account information, all a malicious user can really do is make unauthorized purchases. This has created a booming market for stolen iTunes account credentials, inducing Apple to take steps to require users to select harder to guess passwords and to verify their credit card information on new devices the first time they are set up. This has greatly reduced the value of stolen iTunes accounts, as it prevents thieves from making purchases using new devices unless they have the accounts' full credit card information.

In contrast, with a stolen Android Market account, malicious parties can not only make purchases, but also set up targeted, powerful malware that is "sold" to the user without their knowing and silently installed on their device wirelessly with no notification. These apps can then track the user, access their calling information, collect all kinds of sensitive information on their phone, and then upload it to foreign servers before the user is even aware that a new app was installed.

"The result of all this is that a Google password suddenly becomes even more valuable for potential attackers, and I would not be surprised to see even more Gmail phishing attacks as a consequence," Sophos' Vanja Svajcer wrote. "The phishers' intention may not be to use stolen account credentials for the purposes of sending spam but to install malware on the user's Android devices instead."

Oops I did it again

"Google should make changes to the remote installation mechanism as soon as possible," Svajcer warned. "As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed."

Until Google takes notice of the problem, Svajcer recommended that Android users choose a strong password. The millions of new Android users will also want to make sure they don't fall for phishing scams the way millions of iTunes users have. Rather than facing refundable unauthorized purchases, they could find their personal smartphone loaded up with malware, recreating the security meltdown similar to the one Microsoft faced with Windows XP.


Popular posts from this blog

Top 5 Women Who Impacted Technology in 2010

Katie Stanton, International Strategist for Twitter Katie Stanton has impressively long names of companies in her resume. They include the White House, Google Inc, and her latest addition is Twitter. Her remit is working on Twitter’s international strategy and her experience in social media will be a key asset to the company. Katie has a history of working in technology, and her knowledge of departmental laws will help Twitter work alongside government agencies, as she’ll be spearheading the free information approach, especially after the Wikileaks incident. Stanton has been a key player in the techsphere for some time, and this extends to her private life. Following the Haiti disaster she worked with a group of engineers to create a free texting service to help those in need and she is constantly in demand as an expert in both social media and government policy.
Caterina Fake, Co-Founder of Flickr and Hunch Despite having a surname which sounds like a pseudonym for a spy (it’…

Evolution Of Computer Virus [infographic]

AT&T MiFi 2372 review

In the week or so that I have been testing the AT&T MiFi 2372 by Novatel Wireless, it has already saved no less than three lives. First, it saved my cable guy’s life. You see, Time Warner Cable provides the worst home Internet service I have ever experienced. I can’t even think of a close second. If providing terrible home Internet service was a sport, Time Warner Cable would be on its tenth consecutive undefeated season. Forget the fact that my upload speed is capped at 60Kbps and I’m lucky if I can get half that — it has been months since I’ve gone through a full day without at least one service interruption. Months. Unfortunately, Time Warner Cable has an exclusive contract with my building so I have no choice but to endure its abysmal service. Last week, as a Time Warner Cable technician entered my home for the sixth time in two months, I realized that this certainly would have spelled serious trouble had it not been for my trusty new back up device. Before the Mi…