Android smartphones are expected to reach about half the market by year's end, surpassing iOS as the market leader in such devices. Android smartphones (and tablets) are also among the least secure ones available, thanks mainly to the Android Market being full of Trojan horses and other malware masquerading as legitimate apps. Just this week, Google was revealed to have removed another dozen or so of such malware apps, months after they entered the uncurated Android Market.
Like a desktop operating system, Android is open to apps, and as it gains market share, it's become open to cyber criminals., though Apple's iOS has been largly safe from such attacks, thanks to its tighter control of what goes in its App Store. However, iOS is not immune, but the number of successful malware placements in the App Store is very low.
[ Learn how to manage iPhones, Androids, BlackBerrys, and other smartphones in InfoWorld's 20-page Mobile Management Deep Dive PDF special report. | Keep up on key mobile developments and insights via Twitter and with the Mobile Edge blog and Mobilize newsletter. ]
Users circumvent Android's defenses
What's scary about the Android Market being a malware cesspool is that there's not much that can be done technologically about the problem. You can't really lock down an Android device as you can BlackBerry OS or iOS. And the security mechanism that Google has bulit in to Android is easily defeated -- by users, who happily give malware apps the permission the Android OS makes them seek to access information stored on the device as well as access to other apps on the device. "The user is prompted for that access by the OS, but clicks OK until he gets through" to the promised game or service, says Claus Villumsen, CTO of mobile security firm BullGuard. Worse, there's an attack that circumvents these permission requests by using a hole in the mobile Chrome browser, he notes.
Because there are so many legitimate-seeming malware apps in the Android Market, "Android is the No. 1 delivery mechanism for spyware and Trojans," Villumsen notes. When the user finally has given the malware permission to open everything and discovers the app either does nothing or, worse, actually does provide a game or what have you (so you don't have a clue you've been duped), it's too late: "You can become a bot as with a PC. They send text messages to premium services so you get billed. They can monitor SMS and delete messages, as well as monitor and send local data, such as your bank info and photos."