The days of Android Market anarchy may be coming to an end.
On Thursday, Google announced new functionality in the application market for its mobile operating system that automatically scans newly submitted apps for known malware. The program, which the company is calling “Bouncer,” also continues to run periodic simulations on existing apps to test them for malicious behaviors like data theft or paid-texting scams.
“If it’s a repackaging of known malware, we’ll flag it,” says Android vice president of engineering Hiroshi Lockheimer. “We also run apps on the server side in a simulated device environment, to monitor what it’s doing. If we see anything fishy, it gets flagged for manual review.”
Since Android launched, Google has had the ability to remotely delete deceptive apps from users’ phones, even without the users’ participation or permission. It’s also implemented some security features on the phone itself, like sandboxing and permissions that limit untrusted apps’ access to the device.
But Google’s mobile security has nonetheless been mostly reactive, as in the case of Droid Dream, a collection of malicious apps that made their way into the Android Market, infected as many as 120,000 users, and had to be subsequently nuked with Google’s remote kill switch.
Now Google aims to take a more preventative approach, even screening developers and weeding out those known to be malware writers, according to Lockheimer. “If someone’s a known bad actor, we’ll try to filter them out in the first place,” he says.
Google’s precautions still don’t come close to Apple’s strict security measures for the iPhone and its App Store. Google still isn’t subjecting developers to a lengthy approval period, as Apple does, only a real-time scan when their app is uploaded to the market.
And just as significantly, Android continues to allow apps to download and execute new code. As security researcher Jon Oberheide has demonstrated with decoy apps posing as Twilight movie photos and Angry Birds sequels, that capability could allow a tricky malware developer to upload an innocent-looking app to the Android Market and then use it to download malicious capabilities and run them on the phone. Because Google’s new security measures only scan the Android Market and not the device itself, that kind of scheme likely wouldn’t be caught.
Nonetheless, Google says that Android malware has been on the decline even prior to these new security measures. It claims that between the first and second half of 2011, it saw a 40% decrease in “potentially-malicious” app downloads.
That’s a very different sort of figure from those tossed around in the security industry: Juniper Networks, for instance, recently stated that it saw a 472% increase in Android malware variants between July and November 2011. But Google’s Lockheimer says that Google is focusing on preventing malicious downloads from its Android Market, not preventing bad apps from multiplying or proliferating outside its sanctioned Market. “The most important thing is when users are actually affected,” he says. “And that’s been in significant decline over the last year.”
Regardless, Google’s announcement will be a wake-up call to antivirus vendors who have staked much of their future on mobile devices, and particularly Lookout, which currently leads the mobile antivirus industry with more than 12 million downloads. Lockheimer, for instance, doesn’t run any antivirus on his Android phone, and doesn’t recommend that users do either.
“I personally don’t run it, and I feel comfortable that my mother and my wife don’t run it either, because I know how we designed it and what we’ve put in place,” he says. “People can be confident in using Android. The service we’re announcing today is almost just an insurance policy to make sure that continues to be the case.”