An Android malware developer is paying $100 for verified Google Play developer accounts, purportedly to more effectively flood the Android ecosystem with malicious code masked as legit applications. The news, first reported by security expert Brian Krebs, should serve as a stark reminder to Android users (and the IT admins who manage them) that the open nature of Google's mobile ecosystem makes it ripe for exploitation, particularly compared to Apple's mobile universe.
Android has garnered a reputation for being an insecure platform, and deservedly so. Trend Micro went so far as to deem Android malware as one of the top security threats for 2013. We witnessed several instances of cyber criminals exploiting the relatively porous Android app market to spread nasty code in recent months.
Android malware is a problem that's spiraling out of control as the tech industry and users collectively forget or ignore every security lesson they learned over the past decade-plus as they've struggled to protect Internet-connected PCs. While iOS users aren't entirely immune from malware threats, Android users face more significant threats. The reason: Apple is notoriously meticulous in vetting each and every app and bit of content that's added into the iTunes Store. "Say what you will about Apple's 'closed' or 'vetted' iTunes store for iPhone apps, but it seems to do a comparatively stupendous job of keeping out malicious apps," Krebs wrote.
The real trouble is that relying on users to exercise even a modicum of discretion as they eagerly grab shiny new Android apps out of the Internet ether is a recipe for disaster. End-user naïveté? End-user stupidity? Call it what you want. What matters is that end-users can be an overly gullible or trusting lot, and malware developers will continue to find techniques to further take advantage of that fact -- say, selling malicious apps under the name of a "Google-verified" developer.
Krebs spells out some common-sense solutions for end-users, but they may not be entirely realistic. Among them, he recommends that users "take a moment to read and comprehend an app's permissions before you install it." That's sound advice, but it's not necessarily practical. Just getting an average user to read all that legalese and techno-mumbo-jumbo, let alone comprehend it, is highly unlikely. They don't do it for websites, after all, which is why last year a group of privacy enthusiasts launched Terms of Service; Didn't Read (ToS;DR), an open source-inspired project aimed at helping users make better-informed choices before clicking Agree when presented with mind-numbing TOSes.
Krebs' second piece of advice: "Make sure you download apps that are scanned through Bouncer." That's good advice, but it's not a guarantee that the app you're about to download is safe. A study out of North Carolina State University from late last year found that Android's built-in malware scanner isn't entirely effective; in tests, researchers found it detected just 20 percent of malicious apps. Note that the NCSU study exercised the on-device app verification service introduced in Android 4.2, which is separate from Bouncer, the server-side scanner Google runs against Google Play submissions; neither layer catches everything, so a scan is a filter, not a clean bill of health.
Krebs' third piece of advice: "Do a bit of due diligence before installing an app: Would you randomly grab some Windows program and install it without learning something about its reputation, how long it had been around, etc? Hopefully, no. Treat your phone with the same respect, or it may one day soon no longer belong to you."
Again, excellent advice, but malware developers have long found ways to fool users into trusting them through such tactics as masking malware to resemble legitimate software from reputable companies.
Nicholas Weaver, a senior researcher at U.C. Berkeley's networking group, responded to Krebs's report with an interesting proposal for curbing Android exploitation:
[The] biggest flaw in Android [is] the Blame the User permissions model.
With iOS, you have Apple's nazgul, err, lawyers and limited API (apps can't dial the phone or access SMS messages) protecting you, and what few prompts occur happen on first use, so users can meaningfully make a decision and have already established that the app can run.
With Android, the only thing really protecting the user is a huge permissions blob that all but an expert has no hope of decoding, and it's all or nothing: Either the app runs or it doesn't.
They really, really need to change this to shift a lot of scary permissions (SMS, phone dialing, private data access, etc.: All the stuff the malcode really needs to do) into "prompt on first use."
Krebs's reply: "You're absolutely right, IMHO. It's the same thing with privacy policies, only this time it's apps."
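The permissions "blob" Weaver describes, and the "read the permissions before you install" advice Krebs gives earlier, both come down to the same triage question: which of the requested permissions actually matter? The script below is an added example, not code from the article, Krebs, or Weaver. It parses the uses-permission entries of an AndroidManifest.xml and flags the groups the discussion singles out (SMS, phone dialing, private data) plus two combinations that are characteristic of toll-fraud and spyware apps. The two manifests are constructed for the example, and the permission-to-category table and the combination rules are this example's own choices, not anything Google or the article defines.

```python
"""Triage the permissions requested in an Android manifest.

Added example, not from the InfoWorld article. The category table and the
suspicious-combination rules below are assumptions chosen for illustration;
the manifests at the bottom are constructed sample input.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions grouped into the capabilities malicious apps most often need.
# The grouping is this example's own, not an Android-defined taxonomy.
RISK_CATEGORIES = {
    "sms": {
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.WRITE_SMS",
    },
    "phone": {
        "android.permission.CALL_PHONE",
        "android.permission.READ_PHONE_STATE",
        "android.permission.PROCESS_OUTGOING_CALLS",
    },
    "private_data": {
        "android.permission.READ_CONTACTS",
        "android.permission.READ_CALL_LOG",
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.READ_CALENDAR",
    },
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "network": {"android.permission.INTERNET"},
}

# Category combinations worth escalating on their own (example heuristics).
SUSPICIOUS_COMBOS = {
    "premium-SMS fraud pattern": {"sms", "network"},
    "spyware pattern": {"private_data", "network", "persistence"},
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def triage(manifest_xml: str) -> dict:
    """Map requested permissions onto risk categories and combination flags."""
    perms = requested_permissions(manifest_xml)
    hit_categories = {
        cat: sorted(perms & members)
        for cat, members in RISK_CATEGORIES.items()
        if perms & members
    }
    flags = [
        label for label, needed in SUSPICIOUS_COMBOS.items()
        if needed <= set(hit_categories)
    ]
    return {"permissions": sorted(perms), "categories": hit_categories, "flags": flags}


# Constructed sample: a "flashlight" app that wants SMS, phone state, boot and network.
SUSPECT_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Flashlight"/>
</manifest>"""

# Constructed sample: a plausible set for a simple networked app.
BENIGN_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = triage(manifest)
        print(f"{label}: categories={sorted(report['categories'])} flags={report['flags']}")
```

Run against an unpacked APK, the same function works on the manifest extracted with a tool such as aapt or apktool. The point of the combination rules is the one Weaver makes: a single permission like INTERNET says little, but INTERNET plus SEND_SMS and RECEIVE_SMS on a flashlight app is exactly the profile that an install-time, all-or-nothing prompt hides from a non-expert.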
This story, "Google needs to be more like Apple to keep users safe," was originally published at InfoWorld.com.