Google’s New Policy Won’t Help End Its Android Malware Nightmare
Google’s new policy for devs will do nothing to kill off Android malware – it’s technical steps that are needed, says Tom Brewster
Any steps Google takes to clean up the security mess that is the Play store are positive, but reports with headlines declaring the company is cracking down on “malicious apps” are wholly misleading.
First off, no technical changes have been made here. These are just rules – rules that should be obvious to any developer and rules that will be wantonly broken by anyone without a conscience.
I also fail to see what is so radically new here. It’s all so painfully obvious – don’t transmit viruses or worms, don’t create applications that pretend to be something they aren’t, don’t show images or footage of people beating the living hell out of each other. Then there’s the ban on apps that disclose personal information without permission. Erm… I thought that’s what the whole ‘Permissions’ section was about, no? I was under the impression that Google has always sought to keep such pernicious activity off of its store. All Google is doing is giving greater clarity to developers, which it should have done years ago, when Android was first introduced.
There is, admittedly, some encouraging stuff in the spam guidelines. “Do not send SMS, email, or other messages on behalf of the user without providing the user with the ability to confirm content and intended recipient,” the policy reads. Google knows that most Android malware doing the rounds right now makes its masters money by forcing the user to send SMS messages to premium rate numbers. At least the tech giant has recognised the issue at hand here.
And spelling out that re-use of app names and icons is not allowed is a positive step. Just recently, some nasty apps that made it onto the Play store were pretending to be Mario and Grand Theft Auto games. It’s a simple attack technique and one Google has to clamp down on.
But again, these are just guidelines, just words to scare the bad apples of the developer world. It is only through technical and procedural changes that Google will start to ease the proliferation of malware on its mobile store.
Beating the Bouncer
Google has made some technical changes to deal with actually malicious apps in the past, most notably the addition of Bouncer, which scans apps for known malware. But we know that Bouncer is flawed too, thanks to a presentation at the last week’s Black Hat conference.
After sending what appeared to be an innocent app past Bouncer, researchers from Trustwave started uploading components to make the software do dirty things. What appeared to be a perfectly legitimate SMS blocker was able to steal contacts, texts and photos. Yet it took two weeks for Bouncer to notice. If it’d been working at Wetherspoons, Bouncer wouldn’t have lasted a day.
Looking at Bouncer in a more general light, it seems to be just another form of anti-virus software. It just looks for malicious code. And as most in the industry know, anti-virus is old and tired. Even semi-competent malware creators can get their dodgy kit past them. As noted by the Trustwave researchers, Bouncer simply doesn’t look like it can handle sophisticated threats.
Google still does not have a proper vetting process for apps either. Within minutes, anyone can get an app on Play. This means that in many cases malicious kit is only removed after it has entered the store. In doing so, Google is again taking a dated approach to security. Rather than using innovative preventative methods, it is choosing openness over user safety.
Thanks to insufficient protection around Play’s perimeter, the Android marketplace has become the most perilous shopping zone of any major mobile OS. Let’s be clear here – this new policy is just a little refresh about what developers should be doing. But when did hackers ever care for guidelines? Google has a lot more work to do to make Play a safer place to… well, play.
Are you a security guru? Try our quiz!