Google's Android Market web store opens new malware threat
Security researchers at Sophos are urging Google to remove automatic over-the-air installation of apps as a feature from its new web store, noting that it makes the silent addition of malware and spyware to Android users' devices far too easy.
Google announced its new web-based Android Market last week at its Android 3.0 Honeycomb introduction, as part of an effort to kickstart slow Android app sales, something the company said it was "not happy" about.
However, just days later security firm Sophos has issued a warning that says Google's implementation of app sales via its website is flawed because there is no acceptance step by users on their phone.
Unlike Apple's iTunes Preview website, which allows users to browse for apps on the web but then directs them to iTunes to securely complete their purchase, Google's new web-based Android Market allows users to select and buy apps directly on the web site and then have the apps remotely installed on their device, something that is touted as a unique feature.
What if somebody else installs an app on your account?
Purchased apps are then streamed directly to the user's handset and automatically installed. The problem, researchers say, is that there is no approval mechanism that would indicate to a user that apps are being installed. Therefore, if a third party were able to access a user's account information, they could easily install apps on the user's phone without that person being aware this was even happening.
Additionally, apps on Android have far broader access to features on the phone; Google leaves the security ramifications related to apps up to the user when the app is being purchased. For example, an app that wants the ability to read all data on the phone, send fee-based SMS messages, and track the user's location must note these requests in Android Market, leaving it up to the user to decide if those requests are justified or reasonable.
However, because the new web store makes it easy for a malicious third party to bypass these choices and simply install apps behind the user's back, Android users must now be extra vigilant in monitoring what apps are installed on their phone, because there is no curation by Google and no installation approval on the device itself.
In contrast, iOS apps must first pass Apple's review process and then the user must manually download the apps through iTunes or directly from their iPhone via the App Store app; Apple never beams apps directly to users' devices for unattended, quiet install.
Fishing for Passwords
Android's new security problem requires users' passwords to be intercepted by a malicious third party. Apple's iTunes users have already been regularly targeted by multiple attempts to either guess, crack or simply "phish" their passwords by malicious users seeking to obtain access to their accounts.
The difference is that with iTunes account information, all a malicious user can really do is make unauthorized purchases. This has created a booming market for stolen iTunes account credentials, inducing Apple to take steps to require users to select harder-to-guess passwords and to verify their credit card information on new devices the first time they are set up. This has greatly reduced the value of stolen iTunes accounts, as it prevents thieves from making purchases using new devices unless they have the accounts' full credit card information.
In contrast, with a stolen Android Market account, malicious parties can not only make purchases, but also set up targeted, powerful malware that is "sold" to the user without their knowing and silently installed on their device wirelessly with no notification. These apps can then track the user, access their calling information, collect all kinds of sensitive information on their phone, and then upload it to foreign servers before the user is even aware that a new app was installed.
"The result of all this is that a Google password suddenly becomes even more valuable for potential attackers, and I would not be surprised to see even more Gmail phishing attacks as a consequence," Sophos' Vanja Svajcer wrote. "The phishers' intention may not be to use stolen account credentials for the purposes of sending spam but to install malware on the user's Android devices instead."
Oops I did it again
"Google should make changes to the remote installation mechanism as soon as possible," Svajcer warned. "As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed."
Until Google takes notice of the problem, Svajcer recommended that Android users choose a strong password. The millions of new Android users will also want to make sure they don't fall for phishing scams the way millions of iTunes users have. Rather than facing refundable unauthorized purchases, they could find their personal smartphone loaded up with malware, recreating a security meltdown similar to the one Microsoft faced with Windows XP.
Comments
Why don't people realise Google's model is all wrong?!
If my GMail account is compromised, the least of my worries is auto installing of Android apps.
I would suggest that Sophos actually use the web-based Android Market before criticizing it. Any app that is downloaded to an Android phone shows up in the notification bar and the user must manually clear the notification to make it go away. It's hardly an "unattended, quiet install." Then again maybe the editors at AppleInsider don't understand a properly functioning notification system, because Apple has failed in its implementation on iOS.
I used to enjoy AppleInsider, but you've all gone round the bend with your slavish worship of all-things Apple and willingness to bash Google without even considering whether or not your arguments make sense.
but you've all gone round the bend with your slavish worship of all-things Apple and willingness to bash Google without even considering whether or not your arguments make sense.
I think you then need to extend that flattery to Sophos as well.
(But then again, it is pretty much accepted wisdom that one should take security alerts from security software companies with a large pinch of salt.)
But they can't run for the first time on their own.
So if a random app appears to have been randomly installed on your phone, first of all change your Gmail password, but secondly, don't open it and uninstall it.
Problem solved.
If my GMail account is compromised, the least of my worries is auto installing of Android apps.
I agree with that (not least since I do not own any Android device) but this is still an example that there rarely is such a thing as a free lunch (i.e., there is often enough just one more thing to think about with any given new feature).
Oh, another FUD and bashing post from Mr. Daniel.
If my GMail account is compromised, the least of my worries is auto installing of Android apps.
I don't see it as FUD. He's just reporting what this security researcher is reporting. This is the kind of thing people want to know. We each have our own risk aversion, if it doesn't bother you, so be it, but people want to know what's what...
AI also reports negative news about Apple. Relax.
Google must scare the bejesus out of you Apple fanboys, since you now seem to spend more time bashing Google and Android than talking about Apple products.
// snip //
I used to enjoy AppleInsider, but you've all gone round the bend with your slavish worship of all-things Apple and willingness to bash Google without even considering whether or not your arguments make sense.
Agreed. This site, along with others like electronista, have become full-time Android-bashing sites. It's almost as if the Apple fanboys are immature children who are upset that their device is no longer the only hot thing on the scene. Seriously, I've seen an incredible amount of ridiculous, hypocritical, contradictory pseudo-arguments on here in the past few months defending everything Apple does as perfect and everything Google and Microsoft do as horrible and yucky. It's a shame.
Google must scare the bejesus out of you Apple fanboys,
That depends.
Which model phone? HTC, Samsung, Huawei, ZTE, etc., etc.?
Which (probably non-updated) version of Android?
So far there's a lot more confusion than fright.
Agreed. This site, along with others like electronista, have become full-time Android-bashing sites. It's almost as if the Apple fanboys are immature children who are upset that their device is no longer the only hot thing on the scene. Seriously, I've seen an incredible amount of ridiculous, hypocritical, contradictory pseudo-arguments on here in the past few months defending everything Apple does as perfect and everything Google and Microsoft do as horrible and yucky. It's a shame.
You know, your posts might be taken more seriously if you could refrain from your frequent use of the invective "fanboy". Just a suggestion.
And to be fair, the Apple fans need to curtail their use of "fandroid/phandroid".
Using any of these does nothing to encourage intelligent discussion.
You know, your posts might be taken more seriously if you could refrain from your frequent use of the invective "fanboy". Just a suggestion.
I'd refrain from it if the posts here warranted it. I didn't use it in the past, but as the comments on here became increasingly shrill and closed-minded, it seemed appropriate. No matter. I've grown tired of trying to talk sense into anyone here. It's a hopeless endeavor, since folks ignore evidence, have double standards, and, when all else fails, just make things up.
I don't know if it is related, but my stepfather recently was locked out of his Gmail account because somebody gained access. Since then they have been sending spam to friends using his actual account. Moreover, not too long after, he got a call from his Visa card folks asking him did he make a purchase in India for about $17,000 for clothes. The guy is pushing ninety. He hasn't bought anything other than underwear and socks in years.
Further, the biggest annoyance with Google is its customer service really really stinks. You can't call Google on the phone. At least the company tries to make it real hard for you to do so. My stepfather never could get back into his account because there was nobody at Google to get on the phone and Google would only respond to him with form letters. The original Nexus One purchasers also had nobody to call for help because Google didn't have customer service people and T-Mobile said Google didn't provide it support documents. This was the same problem my stepdad used to have with his Windows computer (he now happily uses a Mac). He'd call up Dell to ask about a problem. Dell would say, call Microsoft, it is a Windows problem. Microsoft would say call up Dell, as it is responsible for the support. With Apple you know who to call.
Further, the benefit with Apple is there is always somebody at Apple to talk to. I once wrote Jobs an email. A day later one of his assistants called and personally addressed my issue. I had a five year old Mac that had repeated problems and technically was out of warranty. Apple paid to have the Mac fixed. I can always understand Apple's support people as well.
It's a hopeless endeavor, since folks ignore evidence, have double standards, and, when all else fails, just make things up.
Welcome to Planet Earth.
Further, the website is called "Appleinsider." That means people here are probably fans of Apple. There are plenty of sites you can find where bashing Apple and Microsoft are full time occupations.
Agreed. This site, along with others like electronista, have become full-time Android-bashing sites. It's almost as if the Apple fanboys are immature children who are upset that their device is no longer the only hot thing on the scene. Seriously, I've seen an incredible amount of ridiculous, hypocritical, contradictory pseudo-arguments on here in the past few months defending everything Apple does as perfect and everything Google and Microsoft do as horrible and yucky. It's a shame.
You know, your posts might be taken more seriously if you could refrain from your frequent use of the invective "fanboy". Just a suggestion.
And to be fair, the Apple fans need to curtail their use of "fandroid/phandroid".
Using any of these does nothing to encourage intelligent discussion.
derekmorr, if you follow his posts, is an obvious troll and/or techtard who thinks everything should be free and hates apple's success and business model. He just hangs around here waiting to pounce on insightful conversation and insight.