
Before you Download an Android App!

PCQ Bureau

With a slew of Android mobile devices streaming into the market, there is a lot of excitement around Google's Android OS and its app market. A Gartner report published in February 2011 makes this clear: in the smartphone OS market, Android grew 888.8 percent in 2010 and moved into second place, behind only Symbian, which still leads.


However, a few recent security issues related to Android have raised concerns among consumers. Let us dig into some of these issues and the kind of threat each of them poses.

Security issues with Android's 'Instant app download' feature


Until recently, the only way to access Android Market was directly from an Android device, using the Market app on the device. Google has since launched the Android Market website, which lets users choose apps in a browser and have them downloaded to their Android devices over the air.

The user goes to the Android Market website (https://market.android.com/) and signs in with his Google credentials; the site immediately retrieves the list of Android devices registered to that account, along with the Market apps already installed on them.

Once you choose an app to install on your Android device, the website displays the permissions it requires, which you can accept or decline. But once you accept on the website, the app is downloaded and installed on the device in the background. That is, the user is never asked to confirm the installation on the device itself.


In other words, installing apps through the website is tied entirely to your Google credentials. Anyone who obtains your Google password can remotely push an app, including malware, to your device, and because the device does not ask you to approve the installation, you may not realize it has happened.

Not only this: once you have signed in to your Android phone with your Google account, there is no way to sign out of Gmail on the phone. If the phone is stolen, your mail, chats and so on are accessible to whoever picks it up. The first thing to do in that case is to change your Google password from another computer, so that the phone can no longer authenticate to Google and is effectively signed out.


Sophos, a developer and vendor of security software and hardware, has warned that Android Market's instant-download feature could expose Android devices to malicious downloads pushed by attackers. Sophos suggested that Google change the remote installation mechanism as soon as possible so that customers have to approve downloads on the device itself. It also recommended that customers make sure the passwords on their Google accounts are strong and not easily guessable.

Android's App Approval Process in question

Malware apps have been discovered in Android Market in the past and were subsequently banned by Google. Let us look at why this keeps happening, and then at some of the malware that posed a significant threat to users.


Developers are enthusiastic about the Android platform partly because of the model Android Market follows: once a developer submits an app, it goes live. There is no stringent screening at Google's end to catch malware before publication; Google does not examine apps closely before approving them. Moreover, Android apps can also be installed from outside the Market, for example from a developer's own website.

Once an app goes live, it is the Android Market community that has the responsibility of flagging apps that do not abide by Google's policies. When an app is repeatedly flagged, Google reviews it, and if it is found to violate the policies it is banned. But by then the malicious app may already have done its share of harm.


There may be many applications in the Market that can read location data or personal information, facilitate spying, or steal money. This lot consists not only of outright malware but also of apps that are capable of accessing private information without intending to misuse it. Either way, the scope for abuse exists, and that is a security threat in itself. Users may be downloading malware blissfully unaware of the harm they are doing to themselves.

This is quite unlike Apple's App Store approval process, which is stringent. Every app a developer submits to Apple is said to be thoroughly reviewed, and it is either rejected or approved according to Apple's verdict. That review is a checkpoint at which most malicious apps are rejected; Android Market has no such checkpoint before an app goes live.


Security threats in the past

Let us look at some of the malware detected in the past and the kind of threat each posed. All of them were banned or removed once they were identified as security threats.

Droid09: This app claimed to let users do their banking from the handset, connecting them to their bank to check balances and transactions and even transfer funds. It presented new users with a short list of banks, complete with company logos.

The user selected the institution he wanted to bank with and was then asked to supply the login details for his online bank account. But once that was done, all the app actually did was open a web browser at the selected bank's portal, exactly as if the user had opened Android's browser and typed the bank's URL into the address bar. What happened to the account credentials the user typed in was not known. This raised the suspicion that the app was a phishing app, and it was banned from Android Market.

Geinimi: A Trojan said to possess botnet-like capabilities, Geinimi was attached by attackers to legitimate apps such as Monkey Jump 2, and the repackaged apps were redistributed through third-party Chinese Android app markets. When a user installed the seemingly legitimate app, the Trojan got to work. Though its ultimate purpose was not clear, it was capable of sending user data back to a central server and of receiving commands from that server, which could make the phone carry out actions on the attacker's behalf.

Tap Snake: Tap Snake was a free game for Android. Symantec identified a Trojan buried inside it: the game was in fact a spy app. The seemingly innocent game acted as a client that ran continually in the background and reported the phone's location. To receive those GPS coordinates, another Android device had to install a paid app called GPS Spy, which downloaded the data and displayed it on Google Maps as location points. GPS Spy and Tap Snake worked in tandem, and both were banned by Google.

SMS Replicator: Once installed on a target's phone, this app let the person who installed it keep tabs on the target's incoming SMS messages.

Before downloading an Android App

The only way to steer clear of malicious apps is to pay attention before downloading them. Download apps only from trusted sources and avoid third-party app stores. Consider who the developer of a particular app is, and check its ratings and user reviews. When you install an app, look closely at the permissions it asks for and do not proceed if something looks suspicious: a game that wants your precise location, the ability to read your text messages or permission to start at boot deserves a second thought. Also deploy a mobile security solution on the device so that downloaded apps can be checked for malicious behaviour.
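The permission check described above can also be done on an APK before it ever reaches the phone. The following script is an added example, not code from the original article or from Google: it reads an AndroidManifest.xml that has already been decoded to plain XML (the manifest inside an APK is binary; apktool decodes it), lists the permissions the app requests, and flags the sensitive ones as well as two permission combinations that resemble the spy apps described on this page. The permission sets in PATTERNS are this example's own heuristics, not the real manifests of Tap Snake or SMS Replicator, and the sample manifest is constructed for the example.

```python
"""Flag risky permission requests in a decoded AndroidManifest.xml.

Added example. Input is a manifest already decoded to plain XML (for
instance by apktool); the raw manifest inside an APK is binary XML and
cannot be parsed by ElementTree directly.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # the android:name attribute

# Permissions a user should stop and think about before installing.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_SMS": "read stored text messages",
    "android.permission.RECEIVE_SMS": "see incoming text messages",
    "android.permission.SEND_SMS": "send text messages (can cost money)",
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.READ_PHONE_STATE": "read phone number and device IDs",
    "android.permission.RECORD_AUDIO": "record with the microphone",
    "android.permission.CALL_PHONE": "place calls without confirmation",
}

# Heuristic combinations (this example's assumption, not the real apps'
# manifests): a background location reporter like the Tap Snake case,
# and an app that can both see and forward SMS like the SMS Replicator case.
PATTERNS = {
    "location tracker (Tap Snake-like)": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.INTERNET",
        "android.permission.RECEIVE_BOOT_COMPLETED",
    },
    "SMS interceptor (SMS Replicator-like)": {
        "android.permission.RECEIVE_SMS",
        "android.permission.SEND_SMS",
    },
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def assess(manifest_xml):
    """Return (sensitive, patterns).

    sensitive: dict of requested sensitive permissions -> plain-English meaning
    patterns:  list of suspicious combinations fully present in the manifest
    """
    perms = requested_permissions(manifest_xml)
    sensitive = {p: SENSITIVE[p] for p in sorted(perms) if p in SENSITIVE}
    patterns = [label for label, need in PATTERNS.items() if need <= perms]
    return sensitive, patterns


# Constructed sample: a "snake game" that asks for far more than a game needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.snakegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Snake">
        <service android:name=".LocationService"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    # Pass a decoded AndroidManifest.xml path, or run with no arguments
    # to analyse the constructed sample above.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    flagged, combos = assess(xml_text)
    for perm, meaning in flagged.items():
        print("SENSITIVE  %-48s %s" % (perm, meaning))
    for combo in combos:
        print("PATTERN    %s" % combo)
    if not flagged and not combos:
        print("No sensitive permissions requested.")
```

Run against the sample, the script flags ACCESS_FINE_LOCATION and READ_PHONE_STATE individually and reports the location-tracker pattern, because a snake game has no business knowing where you are, starting at boot and talking to the network. The heuristics are deliberately simple; a legitimate navigation app would trip the same pattern, which is exactly why the article's advice is to weigh the permissions against what the app is supposed to do rather than to reject any one permission outright.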
