Don’t click it: The app button at bottom left—which arrived with a free game from a Chinese Android marketplace—steals data if clicked. Roughly translated, the Chinese characters mean “system setting shortcut.”
Google and Lookout’s moves are a reaction to the relatively recent trend of malware writers intensively focusing on the official Android Market, and not just third-party app-dealing sites. “Since the vast majority of users rely on the official Android Market, it’s understandable that there’s increased focus there. At the same time, there are all kinds of other places where users can potentially acquire malware,” says Halliday.
Meanwhile, new research is finding that Android phones themselves are often vulnerable out of the box. At the Network and Distributed System Security Symposium in San Diego this week, one research paper painted a bleak picture, reporting that many major brands come with factory settings that amount to a preweakened immune system, with various settings fixed to allow apps to access personal data, such as GPS position or stored contacts.
Xuxian Jiang, a computer scientist at North Carolina State University, said that his group studied eight mass-market phones—the HTC Legend, Evo 4G and Wildfire S, the Motorola Droid and Droid X, the Samsung Epic 4G, and the Google Nexus One and Nexus 4S. All but the two Google phones came out of the box with permissions pregranted for apps to access data that isn’t needed for those apps to function, undercutting a pillar of Android’s permission-based security model. The researchers say they have notified the phone makers about the findings.
“There is a trend where malware is going to grow, and is going to evolve,” Jiang says. “Google’s Bouncer will be helpful to move in the right direction, but more work needs to be done to contain the malware growth.” And part of that should include making phones more conservative in what they allow apps to do by default, he adds. The effort also requires more and better screening tools; his group is working on one tool called Droid Ranger.
Permissive factory settings on phones are no accident, says Radu Sion, a computer scientist and security researcher at Stony Brook University. The hotly competitive commercial landscape rewards makers of devices that are easiest for average consumers to use. “The usability of devices becomes more and more important. Most vendors will err on the side of usability—then they will sell more.”
But creating an easy plug-and-play experience means not making the user individually authorize various data releases—which makes the devices more vulnerable to malware.
So far, the malware problem has been an annoyance rather than a major threat, but the pieces are in place for the situation to grow worse quickly, Sion says: “Android is not going to be safe anytime soon until we have some high-profile attacks. Right now, the malware is not a huge problem. Guys in Ukraine have not zoomed in on Android yet, but it’s very easy to come in there. It’s going to become a big problem.”