February 2, 2012

Android Market's Malware Scanner

Google doesn't like to manually review user-generated content. It's not efficient and algorithms can do a better job. Imagine how many people would need to be hired to watch all the videos submitted to YouTube (60 hours of videos uploaded every minute).

In some ways, uploading an application to the Android Market is just like uploading a video to YouTube. Sure, you need to pay a fee, but you don't have to wait until a Google employee checks the application. Unfortunately, this also means that the application can include malware, deceive users, crash or spam your contacts. Google usually reviewed the app only after enough users reported that the app was malicious.

Now there's a new service called Bouncer "which provides automated scanning of Android Market for potentially malicious software without disrupting the user experience of Android Market or requiring developers to go through an application approval process. The service performs a set of analyses on new applications, applications already in Android Market, and developer accounts. Here's how it works: once an application is uploaded, the service immediately starts analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. We actually run every application on Google's cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior".

That seems like a great idea: Google actually tests the apps without having to wait until other users install them and notice there's something wrong. The bad news is that this service was tested last year and was used to find potentially-malicious apps. Despite that, the apps infected by DroidDream were found by a security vendor and not by Google.

"The service has been looking for malicious apps in Market for a while now, and between the first and second halves of 2011, we saw a 40% decrease in the number of potentially-malicious downloads from Android Market. This drop occurred at the same time that companies who market and sell anti-malware and security software have been reporting that malicious applications are on the rise," says Google. Another explanation could be that Google's service is not good enough.

Google also says that Android "makes malware less potent" because it uses sandboxing, it displays the list of permissions and Android Market can remotely remove malware. I don't think that most users read the list of permissions. They simply ignore them, click "OK" and install the application. Maybe it would be a better idea to require users to explicitly enable sensitive permissions when they're using the apps.

While security vendors try to scare Android users and push their products, Google should focus on removing spam and malware from the Android Market and making it a safer place. Improving Android's security model and finding ways to install security updates faster are also important.

7 comments:

  1. The fact that Bouncer missed stuff this last year doesn't surprise me - they are new to this. On the other hand, it is important that they get good at it quick - I'm rather surprised they didn't start this effort earlier.

    You point out that users don't look at permissions, and I think Google is responsible for that - they don't seem to make much effort to highlight the important permissions and minimize the amount that apps need those permissions. I think users would pay more attention to permissions if it were done right.

    Also, you make a good point about Android needing a way for security updates to be applied quickly.

    Today's announcement is an important step forward for Android security, but there is more to be done.

  2. Maybe Google should encourage the reduction in the number of permissions apps ask for, as it does seem to spread. Maybe they could charge slightly more for apps which require more permissions?

  3. They should be escrowing a bit more money in case the app is determined (by users or their scanner) to be malicious. Give it to a charity or something.

  4. I just hope someday Google will create a free Android mobile security.

  5. "Maybe it would be a better idea to require users to explicitly enable sensitive permissions when they're using the apps." That sounds a lot like what MS did with Vista's UAC and we all know how that worked out. Also how do you decide what is sensitive? A keylogger and a legitimate keyboard app probably need similar permissions. Probably the approach of automatically scanning apps and reviewing ones flagged by users is the best, but they need to improve the automated scanning.

  6. At last, Google is focusing on removing spam from the Android Market. Hope this continues.

  7. Good job, Google team. Spammers beware, Google is running after you. @ topic: can Google make an auto sandbox of potential malware programs on Kaspersky, 'cause it's so annoying when a pop-up window always appears.
