Although it hasn’t made a huge dent in the tablet market yet — or perhaps we should call it the iPad market — Google’s Android operating system has been the top-selling smartphone platform for a while. That also means it’s a top target for scammers and malware developers eager to steal data and money from unsuspecting Android users. Last year brought some dire statistics, with security firms like McAfee and Lookout claiming sharp rises in Android malware, and even that three in ten Android devices will run into malware. Juniper Network famously reported a 472 percent increase in Android malware between July and November 2011, and Google has been pulling malicious apps from the Android Market (now Google Play) and just rolled out Bouncer, a new tool that attempts to automatically screen out bad apps before they hit the market. Still, new threats seem to arrive regularly, whether they’re malicious apps that record phone calls or pose as banking apps to grab credentials and potentially instal more software.
What sorts of potential threats do Android users face, and is paranoia really necessary? Ultimately, how can Android users protect themselves — and all the data that flows through their devices?
Why does Android have malware?
The simplest reason Android has more malware than competing mobile platforms is that it’s the bigger target. The vast majority of malware targeting traditional computers aims at Windows because, historically, Windows has had the largest marketshare. Although Android has only become the leading smartphone platform comparatively recently, that emergence coincided neatly with massive consumer interest in smartphones. Thus, Android is the biggest target. However, there are also aspects of the Android ecosystem that may make it — and Android users — more vulnerable.
Is open source a problem? — Android has been criticized in some circles as an inherently insecure platform because significant portions are built on open-source technologies like Linux and WebKit. Some critics would argue that because Google offers the full Android source code to anyone who wants to look through it and pick out flaws, the platform is inherently less secure than platforms (like BlackBerry, Windows Phone, and Apple’s iOS) that hold their source code (or significant portions of it) as a closely guarded secret.
Although there’s little denying Android has seen more of a malware issue than competing mobile platforms — Apple iOS and RIM’s BlackBerry have been relatively unscathed, and it may still be too early to say for Windows Phone 7 — the presence of malware for Android seems to have a great deal more to do with the Android ecosystem than the technologies on which it’s been built. If one wants to attack Android’s security because it uses open-source technology, one also has to make the same attack against Linux (which has never had a significant malware problem) and iOS (which is based on BSD Unix and uses the same WebKit browsing technology). And the technology has taken a few hits in recent months. OpenSSL is widely deployed on almost every platform on the planet — and it’s open source. The same applies to a wide number of utilities and libraries used on most (if not all) mobile platforms. No software is perfect, but open-source efforts with sufficient developer interest have consistently proven they can sustain high quality levels over the long term.
Or maybe the open market? — Rather than deriving from the provenance of its code, Android’s malware situation seems to derive from Google’s app ecosystem. Where Apple, RIM and Microsoft have offered curated app market experiences, Google Play has been almost a free-for-all: essentially anyone can contribute an application and have it distributed on a market that’s available to the vast majority of Android devices. And Google Play isn’t even the sole source to get apps. Google essentially lets anyone set up their own markets for Android apps: Amazon’s App Store is probably the best-known, but there are a myriad of other app stores out there. International markets are especially hot for non-Google app stores, where being able to offer an Android app store in a local language — perhaps with apps specific to a particular country or region — can be an appealing proposition. Some of these alternative markets are run by mobile operators; others are less clear.
What about device makers and carriers? — If a security issue turns up in Android, Google is responsible for developing and releasing a fix. However, at that point it is up to device makers and carriers to get the update out to their customers. In many cases, carriers have been notoriously slow to get Android updates to their customers. Case in point: the DroidDream malware that assaulted the Android Market about a year ago. Google discovered the vulnerability that led to DroidDream all the way back in August 2010, and developed a patch for it very quickly. However, more than half a year later, most Android handsets still didn’t have the patch, and DroidDream was able to continue exploiting a known flaw. As many as 250,000 Android users may have been impacted. Contrast this situation with a deployment model like Apple’s, where the company can push updates to device owners without having to involve carriers.
What about ad networks? — The anything-goes nature of the Android Market coupled with Google’s insistence that purchases go through Google Checkout has created a situation where a a large number of Android applications generate their revenue solely through ads, rather than by being purchased directly by users. Building free, ad-supported apps lets developers sidestep the headaches of Google Checkout (which isn’t available in many markets, and has complicated tax implications — unlike Apple, Google doesn’t handle any of that for developers). Building ad networks into mobile apps is so regular in the Android ecosystem that many apps even support multiple ad networks. And, of course, these advertising providers want to know everything about Android users: email address, contact information, unique identifiers, and sometimes even location.
Even if an Android developer has good intentions, it may not have the time or capability to vet ad networks — particularly if there’s a language barrier involved. Remember, lots of ambitious app developers are just one or two people with an idea and some time on their hands. They may just drop in support for whatever ad network promises them the highest return, without much regard for the safety of their users’ data, what those networks do with those data — or, potentially, the security of the ad network’s software. If a major security flaw turns up in a library supplied by an advertising network, hundreds or thousands of apps could suddenly be vulnerable to exploit. And let’s not forget the the idea that scammers might set up their own ad networks and build the back doors themselves.
Types of threats
It’s important to note that the Android platform doesn’t have traditional viruses — malicious programs that spread between devices. An Android virus isn’t impossible, but it’s certainly not likely. Instead, malware creators have focused on other types of exploits, most of which involve tricking Android users into doing something they shouldn’t.
Malware apps — The most common Android malware is an app that claims to do one thing but does another — often behind a user’s back or without their knowledge. These are often classic Trojan horses: Many take the form of knockoff or free versions of paid games; others play on hot products or entertainment trends. The idea is to lure users into downloading a free or heavily discounted game, get them to launch it, and clandestinely install malware behind their back. That malware might try to grab passwords and keystrokes; it might forward email, messages, and address books on to cybercriminals, it might be used to take over a Google accounts. Anything’s possible — but the makers have to fool people into downloading and running the app. That’s often easier if there’s a language barrier involved.
Drive-by exploits — Drive-by-downloads are a bit nastier. The idea is to lure Android users to visit a website containing code that exploits a known weakness in a browser. Once users visit the site, the malware gets installed. Depending on the exact mechanism, the malware may deliberately crash the device in order to get users to restart it — executing a nasty payload. Drive-by techniques aren’t exclusive to Android — iOS jailbreaks have famously used drive-by techniques — but they’re becoming more common in the Android world.
Drive-by exploits often use social engineering or phishing techniques to usher users toward infected sites. For instance, you might get an SMS message that looks like it’s from a carrier or service provider, urging you to download an urgent update.
The bottom line is that any time you install an app or visit a website, there is a chance not all is as it appears to be.
How to stay safe
Yes, Android’s malware situation is complicated — and it’s not going to be getting simpler any time soon. Nonetheless, there are some simple things you can do that greatly reduce the chances you’ll have any problems.
Only use trusted app stores — First and foremost: Don’t just download any app from any source you happen to encounter. Go to your Android device’s Applications Settings menu and disable the “unknown sources” option for installing apps. This will prevent your device from installing apps via email, the Web, or any source besides Google Play. Unfortunately, it also disables potentially legitimate sources like the Amazon App Store, and carrier-specific stores. If this matters to you, enable “unknown sources” only when specifically shopping at those trusted markets.
Check out the app and the publisher — Before downloading a new app, check out the reputation of both the app and the publisher. This means looking further than reviews posted in whatever marketplace you’re using — unscrupulous publishers are notorious for writing their own five-star reviews. Look for reviews from independent sources.
Don’t install APKs — Do not install APKs (Android application package files) directly, say from an SD card or a USB device. Unless you’re a skilled Android developer (with tools), there’s almost no way to determine what an APK will do until you’ve already run it — at which point, there’s usually no going back. There’s some misperception that since all Android APKs have to be digitally signed by their developers, they’re safe. That’s misleading: While all APKs must be signed, it’s just to verify the files haven’t been damaged or corrupted since the developer built them. A signature in no way confirms an app is not malicious, and there’s no requirement signatures be verified by a third party. In fact, it’s pretty much standard practice for developers to self-sign their own applications.
Always check permissions — Whenever you download or update an app, Android will present a list of permissions it requires to run. Don’t just power your way through the list in your rush to the app: See if it makes sense. Does a wallpaper app really need to know your location? Does an app that lets you keep track of baseball player stats really need access to your address book? Probably not. If apps ask for inappropriate things, they may be up to no good — or be supported by an advertising network that wants to know everything about you.
And, above all, don’t panic. Malware isn’t a tremendous issue for Android yet, but the edges of the ecosystem are starting to get pretty sketchy. Well-informed users who understand how the Android world works should be in little danger, but the less you understand the technology and the ecosystem, the more likely they are to inadvertently get into trouble.