Google Android: now secure
Malware hits the Mac but is it worth worrying about?
The security business has had little positive to say about Google's Android platform in recent times.
Among the headlines, Symantec detailed how simple it was to repackage an Android app with malware inside, Veracode has spoken several times about the need to scan applications, and McAfee claimed that in the third quarter of 2011, nearly all new mobile malware was targeted at Android.
That said, the bad press around Android apps is not without its evidence: fraudulent banking applications were found to have been posted on the Android Market in January 2010, followed by malicious applications a year later. So will 2012 feature more negative headlines? It is likely, but there will also be solutions launched to meet demand from users.
One voice that is not often heard in the argument is that of Google. Last week it issued statements on this issue; Adrian Ludwig, Android security engineer, said it frequently gets asked about how it defends users from malware and other threats and how a trustworthy experience can be maintained alongside Android's growth.
In another blog, Hiroshi Lockheimer, vice-president of engineering for Android, said device activations had grown 250 per cent year on year and the total number of app downloads from the Android Market topped 11 billion.
Lockheimer said it is launching a service called Bouncer to provide automated scanning of the Android Market for potentially malicious software without disrupting the user experience or requiring developers to go through an approval process.
“The service performs a set of analyses on new applications, applications already in Android Market and developer accounts,” he said.
“Once an application is uploaded, the service immediately starts analysing it for known malware, spyware and Trojans. It also looks for behaviour that indicates an application might be misbehaving and compares it against previously analysed apps to detect possible red flags.
“We actually run every application on Google's cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behaviour. We also analyse new developer accounts to help prevent malicious and repeat-offending developers from coming back.”
Lockheimer said in 2011 there was a 40 per cent decrease in the number of potentially malicious downloads from Android Market.
He also claimed that the drop "occurred at the same time that companies that market and sell anti-malware and security software have been reporting that malicious applications are on the rise". He admitted that while it is not possible to prevent miscreants from building malware, the most important measurement is whether those bad applications are being installed from Android Market, and he insisted the rate is declining significantly.
Lockheimer said Android was designed to make mobile malware less disruptive, learning from the PC model where malware has more potential to misuse information, and it features sandboxing, a permission system and remote malware removal.
“No security approach is foolproof and added scrutiny can often lead to important improvements. Our systems are getting better at detecting and eliminating malware every day and we continue to invite the community to work with us to keep Android safe,” he said.
I spoke with Chris Wysopal, CTO of Veracode, about this. He had spoken with me in 2010 about the need to scan applications for smartphones, both on the market/app stores and on the device.
Asked if he felt that this move by Android was a major step forward, Wysopal said it was an interesting development, and "great that Google was taking steps to address the inevitability of malicious apps in their app store".
“What were they thinking at first? Both Apple and Microsoft started their app stores with a validation process. Blocking known malware patterns is a no-brainer,” he said.
“The approach of running the app in a virtual environment is a good improvement beyond this. I hope Google can keep up with published rootkit code and research on vulnerabilities and add these patterns to their scanners. The process should be proactive and not have a window of time when tens or hundreds of thousands of mobile users can be compromised before the malware is detected and removed.
“If the process is reactive and there is a window of vulnerability we may see the same type of malware stasis that exists on Windows where there is always certain percentage of yet-to-be-detected malware and a certain percentage of Windows machines are always infected.”
Once described as ‘malware-as-a-service' by a CISO at an SC Magazine conference, there is some inherent flaws with Android, but, at the same time, its cross-platform nature and freedom from Apple's strictness are attracting users to it. A bit of security will do this brand no harm.