
Google Removes 10 New Malware Apps From The Android Market

Here we go again. This seems like it’s becoming a weekly occurrence around the Android blogosphere. All I can say is this needs to stop. Like, yesterday. Xuxian Jiang, a professor at North Carolina State University, found 10 apps from 3 different developers in the Android Market that were infected with a new type of malware (dubbed “Plankton”).

Google was quick to respond (same day) and promptly removed all infected apps from the Market. The apps in question were mostly Angry Birds cheats and hacks and, unlike previous malware apps, did not require Super User or root permissions to upload a user’s phone information to a remote server. While I would normally blame the user for downloading shady apps like “Nude Japanese Squid Girls XXX,” Angry Birds cheats are a totally different story. This new security breach definitely puts the spotlight on a glaring problem with Android’s Market.

All I can say is I’m getting a little fed up. I honestly hate reading about new malware apps week after week after week. While locking down the Market somewhat would limit the number of apps in Android Market, I think not doing so would cause more harm. If people become scared to download apps from relatively unknown small-time developers, those devs will go elsewhere.

Of course, I would love to get our readers’ point of view on this one. Although there’s no easy answer, what do you guys think should be done about this difficult malware situation?

[Via MobileBeat]




  • Stephen D

    As nice as an open market is, malware is starting to become an issue. Google needs to start checking apps. Not approving or disapproving them in the way that Apple does, but simply checking if the app is malicious or not. 

    • fahadayaz

      But the question then is how exactly do they do that? An app wanting your call history might want it for legitimate reasons. How do you fight against these kinds of apps?

    • Johan Appelgren

      Except for checking for known malware I doubt that is possible. Manually reverse engineering and analyzing the code is too time consuming and expensive. 

      Reducing the things apps are allowed to do would help, but then you wouldn’t be able to install replacement dialers, sms apps and so on. That wouldn’t remove the risk from privilege escalation exploits either. 

      Something Android really needs is a better and quicker update mechanism for security updates. With Android 2.3.4 you can be reasonably sure all known vulnerabilities are fixed, but for older versions of Android there’s no easy way to tell if your manufacturer has backported all available fixes. 

      • http://twitter.com/epitygxanwn Matthew Johnson

        I really doubt Stephen D. had in mind “Manually reverse engineering and analyzing the code”. What he probably has in mind is something like what CNET does with software they offer: it has to survive CNET’s own virus scanning before it is offered to the user, whose virus scanning software might not be as up to date or thorough.

        Google certainly can and should provide at least that much: and since they are always bragging what hotshots their engineers are, it should not be so difficult for them to keep ahead of the malware authors.

        • Johan Appelgren

          Google might be doing this already even. But that doesn’t stop new malware, or malware changed subtly so that it no longer matches the signature the antivirus scanner looks for. 

          As I understood it, this news article was about a new malware?

    • Bob

      I agree. If Google is able to check applications to an equal or greater level than what Apple do to their apps then that would be great. Applications can still be published without Google’s check but apps that pass Google’s check would get some kind of badge or indicator saying they are good. Maybe there are additional checks that developers can submit themselves to with Google which would give higher credibility from those developers who release apps that pass those additional developer checks. I’m guessing the developers who produce malicious apps would fail such credit checks as they tend to keep themselves anonymous, whereas legitimate developers could be tied to something very tangible (e.g. credit check). Unchecked applications would still be a problem but only to those who take the risk. The majority of users would probably only go with checked applications.

  • Dima Aryeh

    They might as well have SOME scan and approval to prevent malware. No locking down like Apple, but SOME monitoring. At least they get to it fast…

    • slaguru

      One of the main advantages in Android is its agile dev system, so updates and speed of rollout need to be fast.

      Also what are you scanning for ???

      If it’s for known malware code then I would assume that the hackers will get wind of this and change it.

      And does Google need all the bad press of Devs getting pissed off (like they do at Apple), when an App is pulled but there is no real reason for it. 

      This is the pain of (sort of) open software.

  • Luigi90210

    nude japanese squid girls XXX???????????
    anyone who downloads this deserves a virus

    • Spanki

      totally worth the risk ;)

      • bluevoodo

        I was the first one to download that app, lol. NOT

    • Jamdev12

      I’m wondering how Christopher knew about it? Makes me think someone is into japanese girls with tentacles instead of human arms.

      • http://twitter.com/epitygxanwn Matthew Johnson

        Some Anime fans are into the weirdest things. That’s why they call them ‘otaku’!

    • http://twitter.com/epitygxanwn Matthew Johnson

      Better that than “nyan cat”!

  • Spanki

    I applaud your choice in pictures for your articles

  • Micah Madru

    Cheating on angry birds….naw they still deserve to be infected! :)

    • JBrowne1012

      Exactly

    • http://twitter.com/gamercore Chris Chavez

      Some people flash ROMs or had to wipe to properly update to the newest OTA. All that progress….. lost. Forever. Sad. =(

      • http://twitter.com/psych2L Joseph Lee

        Titanium backup baby!

        • http://twitter.com/epitygxanwn Matthew Johnson

          I don’t think that will help in the scenario C. C. had in mind. Sure, it will back it up, but it does not help you restore it — except back to the pre OTA firmware, which means the security updates are lost. What the user REALLY needs is the ability to merge the security updates of the OTA but the data accumulated with the previous system, including whatever application software he downloaded. I don’t see how to accomplish that with Titanium backup. What he needs is ‘patch’ on steroids, for the Android OS.

          But this is hard to do, which is why it takes so long for the carriers to roll out updates with OTA.

    • Spoken Word™

      I totally agree! What kind of retard needs a cheating guide for Angry Birds?!

      • DannyB2

        I like that, how you simultaneously asked and answered your question.

        The question contains the answer.

  • Pfffttttt

    Firewall China. End of problem. No more dodgy apps, no more dodgy ebay items.

    • Akdor1154

      no need to worry, their government has done it for them.

    • http://twitter.com/epitygxanwn Matthew Johnson

      It is s-o-o-o tempting to believe that. But no. There are a lot of bad guys out there other than hackers paid by the Chinese military. There is, for example, the infamous “Russian Business Network”, the IT warfare arm of that even scarier organization, the Russian Mafia.

  • Jeremy

    If lookup can scan an app as I install it, why can’t Google do the same when devs upload their apps?

    • Jeremy

      Sorry, “Lookout” is the app that scans all my downloads…

      • Aetas

        a virus scanner is only effective if it is updated. scanning ain’t the issue here. finding new viruses and removing those apps in a timely manner is.

        • eclipsenyou

          Scanning is still important even with a new unknown virus, because it will eventually become updated on your virus list.  So even if it gets through the initial scan and you’ve downloaded it to your device, it will eventually be removed through a weekly scan.  I don’t think it’s “the answer”, but I do think it’s part of a solution.

      • Akdor1154

        Lookout (or any other virus scanner) can only scan for things it knows about. This inherent limitation can be somewhat mitigated with heuristics, but in the end a malware scanner needs to know what it’s looking for. With a test-bed of millions of users, if only a couple get a virus and then report it, the scanners can be updated to recognize these issues, thus protecting the vast majority. On the other hand, for Google to test all incoming software, they would not have this advantage. Thus they’d need to resort to more difficult methods of inspection – and without forcing developers to submit their source code to Google it’s a lot harder to guarantee that everything approved is perfectly safe.

  • lewishnl

    Simple idea here, require official Google monitoring or checking of any app that requires any advanced permissions, such as phone sms access, phone access, etc. For apps that require SD card access, developers can ask Google to verify their safety and receive something to show for it, the same goes for other parts. But tbh I wouldn’t be too worried about an app that just requires internet access! We don’t need full app checking for every app, just check those that could be dangerous, and run more thorough automated ones for all apps.

  • wakkoman

    LOL hilarious. The benefits of being “open”…

  • tjpeco

    I think I had that dude for my data structures class 10 years ago :P

  • geewhipped

    As appel1 said, trying to implement a system that “scans” apps to prevent this stuff would be futile. 
    people like to hold up the apple app store as an example, but they don’t reverse-engineer the code, either. things have slipped through into their app store (such as the app that had a hidden ability to turn on tethering). the only reason they don’t have the problem (as much as) we are having is that their apps don’t have as many possible permissions as ours do.
    so how do we fix it? curation is the only solution I can think of… the “editors’ choice” apps are a good start but the “editors” are spread a bit too thin, I think, to cover the massive market inventory.
    perhaps google could develop some sort of peer-review system where trusted developers, users, and researchers can analyze an app (install it, monitor the data it sends and accesses, etc) and put their stamp of approval on it…or give feedback to the app dev as to what they should change in order to get their stamp of approval. you’d see an app that has a few trusted stamps and you could be fairly certain that it is safe.
    you’d have to give these people a reason to do this work, of course… probably monetary. perhaps a small chunk of what google is collecting on the sales of the app in question. small price to pay to keep the market from becoming a total cess pool.

  • bigdav1178

    I still think Google should just offer an approval service. Devs could request that their app be submitted for approval; and once reviewed, receives a designation as “malware/spyware free”, or similar. While the app is still in the approval process, the app would still be available on the market, just not designated as approved. The user can then decide whether or not they want to install an app that has not yet been approved – perhaps a “pending” notification could even be listed on those apps that have requested approval, but not yet received.

    It would be good for the devs as they can list their apps immediately as is currently the practice, while also giving them the ability to stand out as having an app that’s been approved (once it has). Likewise, it does not restrict the users’ choices in available apps (as they are all still available), while giving them the security of having vetted apps (which they can choose to install exclusively, if they so desire).

  • M_1

    Android malware is referred to as “Plankton”?

    Er… why? By whom? I don’t get it.

    • Troy Olney

      I agree. Gives plankton a bad name.

    • http://twitter.com/epitygxanwn Matthew Johnson

      By Sponge Bob fans, obviously;)

  • Mr. Truthiness

    If only google vetted applications before allowing them into the market. hmmm. nah. that would never work.

  • Hank

    I don’t think it is possible for Apple to discover new exploits in an efficient manner…I believe they mostly check for offensive things, design, crashes and obvious things like that.

    Once an exploit is discovered, either the OS can be patched or files can be scanned or unpublished….but that is the easy part. However, there may be a few things that can be done through an approval process–checking for unnecessary permissions, sniffing network data transfers, and things like that. But I don’t think certifying something as “malware free” is possible….perhaps “no known malware” is more honest.

  • DannyB2

    Even if Google Market vets applications, what about other markets?  Amazon App Store?

    Rumored: Best Buy App Store.

    Other sources?

    I suppose it is like buying anything.  Do you trust the source you are buying it from?  Do you trust the developer?  Do you trust the permissions the app is asking for?

  • CR6

    I use “Lookout” to scan all apps before they’re installed on my phone. It’s also set up to do weekly scans to look for Malware, viruses, etc. With all the Malware sneaking onto what used to be a secure Market, I won’t download anything to my phone without it.

  • http://slapoutsoftware.blogspot.com/ Slapout

    As an app developer, I like it that it is so easy for me to upload my app. But on the other hand, I don’t like that these malware apps will make people afraid to try apps they haven’t heard of like mine. 

  • Matt Tanksley

    I think we need a multi-pronged defense. First, I’d like to see Google scanning apps for viruses. If there are known exploits, they should be able to detect them in the apps in their market. When a new exploit or vulnerability is found, add that check to their constant scan of the Market. Then they can proactively remove apps before some Professor in Hicksville, AL does.

    Second, I’d like to see +- option for comments in the market, in addition to the app rating. If one downloader leaves a bad comment, it’s easier for someone who had a similar negative experience to increase the comment’s ranking than it would be to leave a separate comment. If the negative comments get the higher rankings, more weight is added to that commenter’s Star Rating. Lower rated apps get less attention in the Market. A significantly low rating should shoot the app over to an approval pool.

    I’d also like to see more options for the post uninstall survey.  If the option for “defective/malicious” is checked that could throw the app into an approval pool that Google could verify the claims.

    With this approach, Google only has to “approve” apps that have gotten significant flak from users. Let us police our Market, let Google pronounce judgement and sentencing.

    Of course, for the truly concerned, you are also free to install local scanning software.  Make sure to read the comments on any app first.  Look for apps with well executed descriptions, screenshots, and legit developer sites.  Compare similar apps and make sure you know what permissions an app requires.

    M@

  • eclipsenyou

    I also think Google needs to put these developers through the wringer before allowing them to submit new apps to the Market. Make them provide complete proof of identity, IP addresses, Drivers License/SS numbers, etc. If they are then found to have submitted Malware or other harmful virus via an App, ban them for life and press criminal charges. Only THEN will this type of nonsense stop.

    • http://twitter.com/epitygxanwn Matthew Johnson

      This is a good idea. In fact, Verisign thought of it years ago. Before you can get a CA signed cert claiming to represent such-and-such company, you have to prove to them that you really are who you say you are. They realized that otherwise, the “web-of-trust” breaks down and breaks down badly.

      The “web-of-trust” never even got a chance to get started on the Google Android Market.

  • Tom

    Is this really a problem? I mean how many people actually downloaded the malware before it was removed? Unless we are talking about popular apps I think the issue is overblown.

  • http://www.facebook.com/people/Roger-Mcarthen/100000482512545 Roger Mcarthen

    On the one hand, you got a good point, and google really have to clean up the market, but they have to do it with sense. Not like Facebook is doing these days, “cleaning up” FB apps with no apparent reason! I mean this “Plankton” thing, I have to say I read the entire article by the prof. that discovered it, it doesn’t seem to actually do anything malicious… Just looks at your history and IMEI, no different than saving cookies! So I think google needs to clean up the bad stuff, but not do it over aggressively.