Android malware has been an issue over the past year. Granted, most of the numbers we see out of security software companies are inflated — including malicious apps from third-party sources and ignoring small download figures — but that’s not to say that we can just brush that dirt off our shoulders.
Google knows this, and has for a while. Although downloads of malicious apps fell 40 percent between the first and second half of 2011, seeing that 14,000, 30,000, or even 260,000 devices have been affected by this or that malicious app requires action. To that end, Google is adding a new security layer to the Android Market, codenamed Bouncer.
Originally, the Android Market implemented three different methods for ridding the Market of malware: sandboxing, permissions, and malware removal. Sandboxing keeps one app from infiltrating another, with one very important exception: permissions. Google sees its permissions system as a layer of security in and of itself, but permissions can actually be seen as a vulnerability. In some cases, the reasons behind the permissions a developer asks for aren’t immediately obvious to the user, and it can be tough to check everything, especially for the novice user.
Past that, Google’s always been good about removing malware from the market as soon as the company becomes aware of it, and in some cases, has even remotely wiped affected devices of malicious apps. The tool is a useful one to say the least, but it’s not enough.
Bouncer adds another level of security to the platform, automatically scanning new and existing apps for known bits of malicious code. Google has actually been scanning apps whenever new malicious code is discovered, but Bouncer will automate the process, scanning for known spyware and trojans, too. Bouncer runs every new application on Google’s cloud infrastructure and simulates how it’ll run on a device. That way, Google can see straight away whether an app is misbehaving and flag it accordingly.
Another smart feature is that Bouncer isn’t 100 percent automated. Once something is flagged, there’s a manual process for confirming the app is indeed malicious, reducing the risk of false positives.
To be quite honest, the Android platform is way more secure than most people think. I spoke with Android VP of engineering Hiroshi Lockheimer, and he seems to feel the same way. “There’s this impression that Android is a huge target for malware, and I really don’t think that’s the case,” said Lockheimer. Google polices the Market, scans for known malicious code (though most instances of flagging in the past have been from users notifying Google), and is quick to act when an issue pops up. But where the platform has fallen short, in one respect, is the developer registration process.
Becoming an Android developer is as easy as pie. I actually did it myself just to see how easy it is, and it literally takes five minutes and $25. After clicking accept a few times, you’re good to go. In fact, developers can register under pseudonyms if they’d like.
From a certain perspective, this is amazing. It allows young entrepreneurs to offer a product to millions of users for a very low cost, lowering the bar for developers who can’t afford to jump through Apple’s hoops. At the same time, it makes it easy for malware writers to get the ball rolling.
Sophos blogger Vanja Svajcer said it best:
“The requirements for becoming an Android developer that can publish apps to the Android Market are far too relaxed. The cost of becoming a developer and being banned by Google is much lower than the money that can be earned by publishing malicious apps. The attacks on the Android Market will continue as long as the developer requirements stay too relaxed.”
With Bouncer, Google is recognizing this issue without making things difficult on developers. Devs will still be able to submit an app and see it in search results within minutes — Bouncer’s scanning process only takes seconds — and they’ll still be able to register for $25 and a few clicks on “Accept.”
But… now that Bouncer is in place, previous offenders will have a much more difficult time sneaking back onto the platform by registering under a new name. According to Google’s blog post, the search giant will be “analyzing new developer accounts to help prevent malicious and repeat-offending developers from coming back.”
This is what I believe will make the biggest difference when it comes to the threat of Android malware, and I’m more than thrilled that the company is making it a priority moving forward.