The claim that Android apps are locked down doesn’t even help. Web browsers are far more locked than Android apps and yet experience constant security problems requiring updates. Even ignoring exploits, there was a JavaScript virus on Reddit.com not that long ago. People who viewed pages infected by the virus were themselves infected and their account was then used to post more viral content to stories and messages.

This is why good web browsers have update checking built in and enabled by default. Android distributions, on the other hand, make it optional and dependent on who releases the phone. Good web browsers also check apps against an externally updated list of attack sites and malware. Depending on users to update is just too slow to keep up. Android doesn’t even have this basic external list checking feature.

If Android ever becomes as popular as web browsers, the owners are in for a rude awakening due to the poor security planning.

the app will set permissions during the install..
and if you look,, there are apps that intercept sms messages that are encrypted and take those and use them to control the phone.. such as the apps you would use for tracking your phone, you can even send an sms to your phone, the spy app can then poll gps, and poll phone state, and send an sms back to you with the location and even the new phone number of the phone if its been re-activated…

so yes,, malicious apps could be stealing your facebook password, your phone number, your location, your ip address.
there are a multitude of things that a lowsome person could use this for…

the things that worry me are
1. app that uses my sms and mms to spam other numbers ananonymously.
2. app that spams using my email. and ive seen this first hand. because I downloaded an app from the market, and after installing it, my facebook was then a fan of their developement team suddenly, and I also started receiving emails from the app developers about other apps I would probably like, now the problem with that is, that their app accessed my facebook some how and fanned me without my knowledge, and somehow retreived my primary email address on the phone…
3. making phone calls… and dont say it cant happen, because I use google voice, and that app has access to the phones api and can initiate a call, so it can happen.
4. monitoring your banking information or anything else you do on your droid.

this completely scares the crap out of me.. and what scares me even more, is I have not been able to find any type of network monitor, or kernel process monitor for the droid that allows you to see what apps are linking to. or doing with your network..
on my old winmo phone there was an app that would show all the dll`s, processes, and services and registry keys that a program was using, plus allowed you to monitor its network access..
now granted I know that android/linux is not windows mobile, but there would have to be a similar way to monitor what an app is doing. and these little antivirus progams that are in the market just seem like a joke..

Read my earlier post on how just checking security permissions for internet access is not sufficient.

Say I’m the bad guy. I will release App1 that has permissions to read some private info (say GPS location) and permissions to read/write to SD (say, like My Tracks with internet access). Another App2 that has internet permission (say to download feeds, pictures, etc) and read/write access to the SD (say to cache those feeds, pictures, etc).

Since I wrote both the apps (the developer name on the market could be different), I can make App1 write your current location to a particular file in the SD card, and App2 read it an transmit it to my website. So, separately, those 2 apps look harmless, but together, they can be used to track you current location.

There are 2 things that need to be done to fix this and Google hasn’t implemented either one of them.
1. Implement Apps2SD so that the apps can use the SD to store cache info, etc, but still prevent one app from accessing the data of the other app.
2. Even if Apps2SD in implemented, one could easily write an App that can give a valid reason to access the internet (say, to check for updates) while accessing private info. Most of the apps do this already. If Google let the user selectively deny the requested permissions, then the user can still use the app without having to worry about the private info being uploaded. Say, it’s a backup app that also lets you back up your phonebook to a remote server, if I can deny just the internet access, I can continue to use the app and be sure that my phonebook is not getting misused.

Hope someone from Google reads this and fixes these issues. The 2nd point is not really that difficult to implement. They just need to have this as an option under “Manage applications”.

-SK

You’re probably right, I was thinking more along the lines of and app doing more than it says it does. Virus was not the right word, I meant malware. But I guess the apps would have to ask for permission and although they could easily fool some people into giving permission there’s probably not really any way software could tell a malicious action from a feature.

As far as I know, no known viruses exist. What should Google scan for?

Also the security design of Android should hopefully make these kinds of programs much less feasible. Consider a virus… it replicates itself to other devices without the user being involved… but on Android an application can not install any other software outside of its sandbox without the user being involved. So if a virus is written, it is finding a way around the security system, so the fix is a security update to plug that hole rather than scanning for the virus.

There are of course lots of things apps can maliciously do still, but most of these on Android should be more in the realm of malware than viruses.

(Of course if you are running a rooted phone where you have allowed apps to be installed as root, that is a perfect virus attack vector. Be careful!)