Google's Android Market web store opens new malware threat

Security researchers at Sophos are urging Google to remove automatic over-the-air installation of apps as a feature from its new web store, noting that it makes the silent addition of malware and spyware to Android users' devices far too easy.

Google announced its new web-based Android Market last week at its Android 3.0 Honeycomb introduction, as part of an effort to kickstart slow Android app sales, something the company said it was "not happy" about.

However, just days later security firm Sophos has issued a warning that says Google's implementation of app sales via its website is flawed because there is no acceptance step by users on their phone.

Unlike Apple's iTunes Preview website, which allows users to browse for apps on the web but then directs them to iTunes to securely complete their purchase, Google's new web-based Android Market allows users to select and buy apps directly on the web site and then have the apps remotely installed on their device, something that is touted as a unique feature.

What if somebody else installs an app on your account?

Purchased apps are then streamed directly to the user's handset and automatically installed. The problem, researchers say, is that there is no approval mechanism that would indicate to a user that apps are being installed. Therefore, if a third party were able to access a user's account information, they could easily install apps on the user's phone without that person being aware this was even happening.

Additionally, apps on Android have far broader access to features on the phone; Google leaves the security ramifications related to apps up to the user when the app is being purchased. For example, an app that wants the ability to read all data on the phone, send fee-based SMS messages, and track the user's location must note these requests in Android Market, leaving it up to the user to decide if those requests are justified or reasonable.

However, because the new web store makes it easy for a malicious third party to bypass these choices and simply install apps behind the user's back, Android users must now be extra vigilant in monitoring which apps are installed on their phone, because there is no curation by Google and no installation approval on the device itself.
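As an added example, not code from the article, Sophos or Google: a small Python checker that diffs two package inventories taken from a phone and flags newly installed apps that request the risky capabilities named above (reading data on the phone, sending SMS, tracking location). The snapshot format, package names and permission sets are constructed for the demo.

```python
"""Diff two Android package inventories and flag new apps with risky permissions.
The tab-separated snapshot format and all package names are constructed samples."""

# Map real Android permission names to the capabilities the article warns about.
RISKY = {
    "android.permission.READ_CONTACTS": "read data on the phone",
    "android.permission.READ_SMS": "read data on the phone",
    "android.permission.SEND_SMS": "send (fee-based) SMS",
    "android.permission.ACCESS_FINE_LOCATION": "track location",
}

# Constructed snapshots: "package<TAB>perm1,perm2,...", one app per line.
BEFORE = """\
com.example.mail\tandroid.permission.INTERNET,android.permission.READ_CONTACTS
com.example.weather\tandroid.permission.INTERNET,android.permission.ACCESS_FINE_LOCATION
"""
# The second snapshot contains two apps the user never approved on the device.
AFTER = BEFORE + """\
com.example.spy\tandroid.permission.INTERNET,android.permission.READ_SMS,android.permission.SEND_SMS,android.permission.ACCESS_FINE_LOCATION
com.example.notes\tandroid.permission.INTERNET
"""


def parse_snapshot(text):
    """Return {package: set(permissions)} from a snapshot string."""
    apps = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pkg, _, perms = line.partition("\t")
        apps[pkg] = {p for p in perms.split(",") if p}
    return apps


def new_packages(before, after):
    """Packages present in the later snapshot but absent from the earlier one."""
    b, a = parse_snapshot(before), parse_snapshot(after)
    return {pkg: a[pkg] for pkg in a if pkg not in b}


def risk_report(before, after):
    """List of (package, sorted risky capabilities) for every newly installed app."""
    report = []
    for pkg, perms in sorted(new_packages(before, after).items()):
        hits = sorted({RISKY[p] for p in perms if p in RISKY})
        report.append((pkg, hits))
    return report


if __name__ == "__main__":
    for pkg, hits in risk_report(BEFORE, AFTER):
        print(pkg, "->", ", ".join(hits) if hits else "no risky permissions")
```

Any newly installed package is worth a look, since the web store installs without a device-side prompt; the permission hits only rank which ones to investigate first.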

In contrast, iOS apps must first pass Apple's review process and then the user must manually download the apps through iTunes or directly from their iPhone via the App Store app; Apple never beams apps directly to users' devices for unattended, quiet install.

Fishing for Passwords

Android's new security problem requires users' passwords to be intercepted by a malicious third party. Apple's iTunes users have already been regularly targeted by multiple attempts to either guess, crack or simply "phish" their passwords by malicious users seeking to obtain access to their accounts.

The difference is that with iTunes account information, all a malicious user can really do is make unauthorized purchases. This has created a booming market for stolen iTunes account credentials, inducing Apple to take steps to require users to select harder-to-guess passwords and to verify their credit card information on new devices the first time they are set up. This has greatly reduced the value of stolen iTunes accounts, as it prevents thieves from making purchases from new devices unless they have the account's full credit card information.

In contrast, with a stolen Android Market account, malicious parties can not only make purchases, but also set up targeted, powerful malware that is "sold" to the user without their knowing and silently installed on their device wirelessly with no notification. These apps can then track the user, access their calling information, collect all kinds of sensitive information on their phone, and then upload it to foreign servers before the user is even aware that a new app was installed.

"The result of all this is that a Google password suddenly becomes even more valuable for potential attackers, and I would not be surprised to see even more Gmail phishing attacks as a consequence," Sophos' Vanja Svajcer wrote. "The phishers' intention may not be to use stolen account credentials for the purposes of sending spam but to install malware on the user's Android devices instead."

Oops I did it again

"Google should make changes to the remote installation mechanism as soon as possible," Svajcer warned. "As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed."

Until Google takes notice of the problem, Svajcer recommended that Android users choose a strong password. The millions of new Android users will also want to make sure they don't fall for phishing scams the way millions of iTunes users have. Rather than facing refundable unauthorized purchases, they could find their personal smartphone loaded up with malware, recreating a security meltdown similar to the one Microsoft faced with Windows XP.

Source: AppleInsider

Tags: Android, Google
