Have you heard this one: You know why the Android droid doesn’t have a mouth? Because it wouldn’t have much to smile about.
The joke, such as it is, reflects a new truth. While it’s safe to say that Android is enjoying considerable success in the mobile marketspace – it’s giving Apple’s iOS a run for its money – the platform is also under heavy pressure from different two fronts.
First, there’s the ongoing problem of version fragmentation within the platform. Google relentlessly pushes out new versions of the operating system even as handset makers and carriers simultaneously drag their heels over sending these new versions to customers.
The upshot of this is that most Android handset owners are one, if not several, versions behind the latest.
The second pressure on the Android platform is from malware. The bad guys have begun a new land rush into uncharted territory, hoping to cash in on a new gold rush. While fragmentation is undoubtedly a big problem for Google, Android developers and Android users, the malware threat is far more serious because it threatens to undermine confidence in the entire platform. This is especially true when it’s compared to more secure mobile platforms such as iOS and Windows Phone.
But just how bad is the malware threat facing Android? I won’t sugarcoat it for you. It’s pretty bad.
It started a few months ago when security researchers began seeing rogue apps appear on third-party download site, particularly in Russia. Most of these rogue apps took the form of fake ‘free’ versions of popular games that had been Trojanized with code. The result was premium rate text messages being sent out behind the handset owner’s back. Some the app’s threats were more serious, capable of stealing information from the handset and even recording calls. Fortunately, their reach was limited because they were only available on low-traffic Android app repositories, and as a result handset infections were kept in check.
While the problem was low-key, Google could safely ignore it. Google pointed to the fact that users themselves were just as much to blame for infections because they granted these apps permission to send out text messages and access information stored on the handset.
But then toward the end of 2011 there was a shift. Researchers (and eagle-eyed users) noticed a shift in tactics among Android malware writers. They black hats became braver and began uploading Trojanized apps directly into Google’s official Android Market, potentially exposing millions of Android users to malware.
This was a game changer. By targeting the official Android Market, the pool of possible victims was increased hugely. Millions of Android users frequent the Android Market daily, and the lure of ‘free’ versions of paid games is too much for many. Google’s response seemed to be to just delete the offending apps (and the developer accounts associated with them) and pretend that the problem was gone.
On the surface it seemed like Google is playing whack-a-mole with malware and malware developers. Yet behind the scenes the search giant was working on a technology called ‘Bouncer’ which would scan the Android Market (both existing apps and new apps being submitted) looking for malicious code.
In fact, every app is run on Google’s cloud infrastructure to simulate how the app will run on an Android device. Will Bouncer work? Well, it’s better than nothing, but some in the security industry think that it will become ineffective pretty quickly. For example, BitDefender’s chief threat researcher Catalin Cosoi believes that malware writers will find a way to circumvent the screening mechanism:
Cosoi writes: “….based on our experience with malware analysis, malware writers will seek a way around security. For instance, in the PC malware world, we use virtual machines to analyze behavior of different samples we discover. Obviously, in time, malware writers added different routines to detect if the virus runs in a real computer or in a virtual environment, and they modified their software to act legit when running in a control environment. We might see the same phenomenon here, as Bouncer is a service that will emulate all apps uploaded on the Android Market.”
According to Google this technology has been running ‘for a while’, so it’s clear that ‘Bouncer’ is a work in progress and needs more tweaking. But there’s no doubt that it will get better, and that this will make it harder for malware authors to get bad code into the Android Market.
Notice how I said harder, not impossible. Android malware writers are already getting smarter and using advanced techniques such as steganography and polymorphism to make detection harder. Google’s going to have to work hard to stay at least one step ahead.
Bouncer is also far from complete when it comes to what it looks for. While it does scan for malware, it doesn’t look for ‘greyware’ code, a category that includes things such as spyware, adware, and aggressive ad platforms. While ‘greyware’ isn’t technically malware, as far as most people are concerned it’s undesirable because it’s annoying and can suck additional bandwidth which can end up costing you money.
As the good guys get smart, the bad guys get smarter.
Malware in the Android Market and other app repositories is not the only problem facing Android. Another threat to the platform comes from ads and bloatware.
Ads present a problem because people don’t know at install time whether they’re giving the app permissions, or the ad module that’s baked into the app. This is a problem because the app might genuinely require specific permissions to work properly, but the ad module that also forms part of the app is unlikely to need the same permissions. This is true despite the fact that the Android OS gives the module the same set of permissions.
This is a problem in the way that Android works, and something that Google could do something about if the company desired.
Bloatware is also a problem that needs solving. While Google is responsible for Android, the handset makers and carriers all want to add ‘features’ to the code. All this additional and unnecessary code brings with it more vulnerabilities that users have to contend with.
It’s hard to see a solution to this other than having greater scrutiny of the code. Google can’t ban the handset makers and carriers from adding this code. And the makers and carriers think that personalizing and branding Android handsets is important for differentiation in an already packed, cutthroat market.
So, what’s the solution to this problem? Well, first I think that Google needs to gets its app screening process working effectively. This would become the first line of defense between the bad guys and the end users.
Google’s going to have to work hard at keeping ahead of the rapidly evolving landscape, but given how much money the company makes from Android (currently around $2.5 billion a year, a figure that’s set to double), the company has a incentive to make Android work and avoid bad press.
Handset makers and carriers can also do their part by paying closer attention to the code they preload onto handsets and by making sure that updates are sent to users in a timely fashion (both updates to their code, and Android updates). One of the best ways for users to stay safe is to be running the latest and greatest version of Android, but statistics show that most users are one or more versions behind.
Can Android handset owners do something to protect themselves? Sure they can. First, they can familiarize themselves with app permission that they are asked to grant after installing a new app.
A game doesn’t really need to be able to send SMS messages and access contacts and other data held in storage. Permissions offer the user a reasonable level of protection, but it seems that most are clueless when it comes to understanding them.
Another thing worth considering is an anti-malware program. While most free anti-malware apps for Android are useless, there are some good products out there made by reputable firms such as Symantec, F-Secure and Bitdefender. They’ll offer you all-round protection against emerging threats. These solutions will cost you, but you have to ask yourself the question: can you put a price on peace of mind?