By John D. Sutter, CNN
March 2, 2011 4:14 p.m. EST | Filed under: Mobile
Several apps loaded with malicious software were sold through Google's Android Market.
(CNN) -- Google's Android Market experienced its first real security lapse on Wednesday as more than a dozen apps were found to be lined with malicious code that could be used to steal user information and more.
These apps were promptly pulled from Google's smartphone app store, but not before raising serious questions about the Android Market's safety.
Unlike Apple's App Store, the Android Market prides itself on being "open," which, in geek speak, means Google doesn't hand-pick the apps that will be sold for phones running its operating system.
Apple, by comparison, approves apps individually.
This makes Google very popular with developers, who know that apps they develop for Android will be sold online as long as they comply with certain guidelines. But this freedom comes with a drawback: Security risk.
The blog Android Police, which helped call attention to the malicious apps in the Android Market, put it this way:
"Openness -- the very characteristic of Android that makes us love it -- is a double-edged sword."
Others go further, saying Google should screen and approve apps like Apple does.
"It would be a good thing if Google would take -- dare I say it -- a leaf out of Apple's book" and approve apps before they're posted, said Graham Cluley, a senior technology consultant at the security firm Sophos.
"If you allow anyone to put their goods into the store, there's a chance that someone may be poisoning things or putting something malicious in there," he said. "Inevitably, it opens up opportunities for the bad guys. And as Android popularity continues to increase, that's going to become more and more popular with the cyber criminals."
Apple does a better job with security, he said.
"Apple has, by and large, run a very tight ship with the iPhone and it hasn't made it easy to get malicious software into the App Store."
Others cautioned Android users to be careful.
Users shouldn't give up on the Android Market; they should just be cautious about installing apps on Android phones -- the same way they're cautious about loading software on their personal computers, said a blogger who posts under the pseudonym Justin Case on the site Android Police.
Case, who asked not to be identified because he works in computer security, suggested users read reviews, check out the app's author and see how popular an application is before downloading it.
But those tips wouldn't have helped users spot the malicious apps that made it into the Android Market, he said, since there was no indication in the reviews that the apps might cause problems if downloaded.
"It's something that concerns me as a developer. I don't want to see my software affected. If (users) move away from Android then my income's affected," he said. "I don't want to see my phone damaged. I don't want to see other people's damaged."
Case contacted Google about the malicious apps and a Google engineer pulled them from the Android Market within 5 minutes, he said.
The dangerous apps exploited a flaw in an older version of Google's Android operating system, which the company had issued a patch for, he said. Some phone companies and carriers, however, he said, had not sent this protective update out to their users.
Case blamed the carriers for the fact that an estimated 50,000 people had downloaded the problem apps.
"I think Google had a really fast response to this," he said.
Google did not immediately respond to a list of questions from CNN.
Tom Parsons, a senior manager at Symantec, the company that makes Norton Anti-Virus software, also said Google handled the situation well.
"Kudos to Google for that. It was only minutes before all of these apps were pulled from the Android Market," he said.
Parsons said the fact that malware was posted in apps on the Android Market is "significant," but it doesn't necessarily mean Google has to change its policies about allowing anyone to upload an app for Android devices.
Symantec is one of the few companies offering an anti-virus software for Android phones, which is available for free in the Android Market.
With 1,000 new apps being posted to the Android Market every day, it would be nearly impossible to check all of them for security purposes, he said.
"To vet each one of those at an extremely low level would be extremely onerous," he said. "It's probably not too much of a surprise that this has happened."
Hackers move to popular platforms, Parsons said.
"It's really a case of moving where the money's going," he said.
For those Android users who worry they may have been affected, Mashable has a list of many of the problem apps, and Symantec posted a step-by-step guide to help users figure out if their phones have been infected.
Credit: CNN (www.cnn.com)