So far 2009 has proven to be a great year for Android but, according to Kaspersky, 2010 could be a more trying time. Not because of a lack of awesome devices. Not because the Android OS won’t move forward significantly. But because hackers will be targeting Android users with malware and viruses.
From a Kaspersky Press Release issued yesterday:
An increase in attacks on iPhone and Android mobile platforms. 2010 promises to be a difficult time for iPhone and Android users. The first malicious programs for these mobile platforms appeared in 2009, a sure sign that they have aroused the interest of cybercriminals. The only iPhone users currently at risk are those with compromised devices; however the same is not true for Android users who are all vulnerable to attack. The increasing popularity of mobile phones running the Android OS combined with a lack of effective checks to ensure third-party software applications are secure, will lead to a number of high-profile malware outbreaks.
Of course Kaspersky is in the business of protecting against malware and viruses so they actually stand to GAIN if this theory is true. Still… they’ve got a point that can’t be ignored.
You know that little check box that allows downloading from unknown sources? You know the little “permissions” that show what the application can do, enabling access to your address book, dialer, and potentially whatever else they want? What if a stupid little game/application was designed that went viral which, unknowingly to unsuspecting users, features some “permissions” that weren’t really needed. And what if those permissions were used for… less than holy purposes?
Google themselves give apps in Android Market a rather long leash and there is a possibility something could get through… but surely the developer would be easily found and punished accordingly. It’s the out-of-market apps that probably pose the biggest threat. Of course flaws in the OS itself could open up some holes for hackers to attack but this is a much harder route.
In any case, users should get in the habit of checking the source/developer of the applications they download and making sure they understand what permissions the application asks for… and if something looks fishy and permissions that aren’t needed are being requested, look into it.
A virus isn’t possible without a kernel exploit because of the sandbox..
And an app couldn’t really damage your phone or steal important data from other apps.
Especially with the increased amount of 3rd party app stores (AndAPP, SlideME and most recently MiKandi).
out of market apps are still not run at root.
Contrast with iphone: many people are jailbreaking them in order to get cool apps from cydia, etc. And they won’t get any protection from Apple or other ‘mainstream’ services.
MiKandi, anyone using a porn app on their phone deserves whatever they get. Not saying porn is wrong, but there is a time and place for everything. Beside exposure to moisture voids most phone warranties.
I usually check that the rights needed by an app make sure they make sense. I didn’t install the password safe that required network access :D
-F
Think about this. You download a 3rd party browser application. You go to your bank website and enter your username and password. The browser application could, in theroy, send those values anywhere the developer of the browser choses. Just some food for thought.
Kaspersky is a troll and needs to shut the fuck up. This is all scare tactics to pimp their anti-virus wares. Of course they would say this. Totally meaningless garbage.
Sounds like Kaspersky is raising FUD in the android platform in order to sell some of their anti-virus services/products.
Mobile OS is more locked down than PC/Windows. There’s few opportunities for virus and thus little market for anti-virus makers ;)
At this point, this is pure FUD. Kaspersky is a bad company with a good product, and they’re really just attention-whoring…
the sky is falling … the sky is falling …
But doesn’t the Moto Droid already ship with malicious programs like USA TODAY that eat all of your battery life?
Dean stfu. Idiot comment.
Google should do a virus scan on all apps before they are allowed into the market. That doesn’t take that much time or manpower and people who are willing to be the first to try out an app shouldn’t be guinea pigs to find out if it’s malware.
.
I know they’re going for a hands-off approach to the market, but this seems like something everyone could agree on.
“Google should do a virus scan on all apps before they are allowed into the market.”
As far as I know, no known viruses exist. What should Google scan for?
Also the security design of Android should hopefully make these kinds of programs much less feasible. Consider a virus… it replicates itself to other devices without the user being involved… but on Android an application can not install any other software outside of its sandbox without the user being involved. So if a virus is written, it is finding a way around the security system, so the fix is a security update to plug that hole rather than scanning for the virus.
There are of course lots of things apps can maliciously do still, but most of these on Android should be more in the realm of malware than viruses.
(Of course if you are running a rooted phone where you have allowed apps to be installed as root, that is a perfect virus attack vector. Be careful!)
@Dianne
You’re probably right, I was thinking more along the lines of and app doing more than it says it does. Virus was not the right word, I meant malware. But I guess the apps would have to ask for permission and although they could easily fool some people into giving permission there’s probably not really any way software could tell a malicious action from a feature.
It’s really easy to steal info from an Android phone even with the current permissions implementation. Let me explain.
Say I’m the bad guy. I will release App1 that has permissions to read some private info (say GPS location) and permissions to read/write to SD (say, like My Tracks with internet access). Another App2 that has internet permission (say to download feeds, pictures, etc) and read/write access to the SD (say to cache those feeds, pictures, etc).
Since I wrote both the apps (the developer name on the market could be different), I can make App1 write your current location to a particular file in the SD card, and App2 read it an transmit it to my website. So, separately, those 2 apps look harmless, but together, they can be used to track you current location.
There are 2 things that need to be done to fix this and Google hasn’t implemented either one of them.
1. Implement Apps2SD so that the apps can use the SD to store cache info, etc, but still prevent one app from accessing the data of the other app.
2. Even if Apps2SD in implemented, one could easily write an App that can give a valid reason to access the internet (say, to check for updates) while accessing private info. Most of the apps do this already. If Google let the user selectively deny the requested permissions, then the user can still use the app without having to worry about the private info being uploaded. Say, it’s a backup app that also lets you back up your phonebook to a remote server, if I can deny just the internet access, I can continue to use the app and be sure that my phonebook is not getting misused.
Hope someone from Google reads this and fixes these issues. The 2nd point is not really that difficult to implement. They just need to have this as an option under “Manage applications”.
-SK
@SK, correction. I meant like My Tracks *without* internet access.
as far as programs on the market. google must do some type of check before it gets posted. cause if they did nothing they’d be lyble for whatever that program does no matter how much they say otherwise. plus i remember google ripping down a few apps cause they did more than what they said. they did nothing bad just there was no full disclosure
@Farch,
Read my earlier post on how just checking security permissions for internet access is not sufficient.
@sk but i’m still not waisting my money on an unproven antivirus software since thier are no known viruses for android for them to protect us from. all we have is a trust us it works. but every other linux forum will tell you not to since there’s no way for it to scan anything cause of the sandbox.
you should be made aware that the dev’s apps can run code within each other, and when you install an app that has a counterpart on your system it should list all the permissions for the currently installed + the one you are installing. they should make apps to where enough 1 star ratings makes the app private and no longer in the list unless you search for the package… i really don’t want to see UAC prompts on meh droid.
either way SK, the anti virus program wouldnt detect anything like that. best to just do your sensitive transactions on a PC that you consider safe.
I never said an antivirus program is useful. Just complaining that Google has left big security holes when it should be easy to fix them (at least point 2).
Ok,,, to those that said the sandbox will protect, and not allow a malicious app to steal information from another app, that is incorrect.
the app will set permissions during the install..
and if you look,, there are apps that intercept sms messages that are encrypted and take those and use them to control the phone.. such as the apps you would use for tracking your phone, you can even send an sms to your phone, the spy app can then poll gps, and poll phone state, and send an sms back to you with the location and even the new phone number of the phone if its been re-activated…
so yes,, malicious apps could be stealing your facebook password, your phone number, your location, your ip address.
there are a multitude of things that a lowsome person could use this for…
the things that worry me are
1. app that uses my sms and mms to spam other numbers ananonymously.
2. app that spams using my email. and ive seen this first hand. because I downloaded an app from the market, and after installing it, my facebook was then a fan of their developement team suddenly, and I also started receiving emails from the app developers about other apps I would probably like, now the problem with that is, that their app accessed my facebook some how and fanned me without my knowledge, and somehow retreived my primary email address on the phone…
3. making phone calls… and dont say it cant happen, because I use google voice, and that app has access to the phones api and can initiate a call, so it can happen.
4. monitoring your banking information or anything else you do on your droid.
this completely scares the crap out of me.. and what scares me even more, is I have not been able to find any type of network monitor, or kernel process monitor for the droid that allows you to see what apps are linking to. or doing with your network..
on my old winmo phone there was an app that would show all the dll`s, processes, and services and registry keys that a program was using, plus allowed you to monitor its network access..
now granted I know that android/linux is not windows mobile, but there would have to be a similar way to monitor what an app is doing. and these little antivirus progams that are in the market just seem like a joke..
It’s going to be hilarious the first time a big exploit gets abused on Android and Google realizes they don’t have the any good method of pushing updates out to all devices. Many Android devices are only ever updated when connected to a PC and special software is run, something many owners will simply never do. Imagine Windows, but without Windows Update, without Windows Defender, and without third party anti-malware/spyware/virus apps.
The claim that Android apps are locked down doesn’t even help. Web browsers are far more locked than Android apps and yet experience constant security problems requiring updates. Even ignoring exploits, there was a JavaScript virus on Reddit.com not that long ago. People who viewed pages infected by the virus were themselves infected and their account was then used to post more viral content to stories and messages.
This is why good web browsers have update checking built in and enabled by default. Android distributions, on the other hand, make it optional and dependent on who releases the phone. Good web browsers also check apps against an externally updated list of attack sites and malware. Depending on users to update is just too slow to keep up. Android doesn’t even have this basic external list checking feature.
If Android ever becomes as popular as web browsers, the owners are in for a rude awakening due to the poor security planning.
The Android market is fascinating isn’t it? Now even more confusing when you realize that Google didn’t plan for customer care for the NexusOne. Are they really the smartest guys in the room? Check out my blog post on this market: http://bit.ly/80XGOJ
The Android platform it has a very high risk potential in my opinion. This thing is happen because many people use their mobile devices to connect to sensible data, like bank account, for example.