Malware disguised as popular game apps was discovered in the Android Market yesterday by Google's security team. Although Google removed the malicious apps earlier today, unwitting Android users had already downloaded them over 10,000 times.
About a dozen free mobile versions of apps, such as Angry Birds and Assassin's Creed, were published to the Market yesterday morning by developer Logastrod. The author published the apps after adding code to the games that would allow SMS messages to be sent to premium-rate numbers. Vanja Svajcer, of the Sophos blog, detailed the damage unaware downloaders can suffer after installing such apps:
"Misusing premium SMS services is the most common model for malicious mobile malware. When a malicious app is installed, it starts sending or receiving messages, which makes the installation very expensive for the user. The damage is often seen only when it is too late, once a monthly bill is received."
Svajcer goes on to criticize Google for having regulations that are too relaxed and permit developers to easily sneak their malicious apps into the Android Market. The benefits of successfully publishing an app to the Market and therefore making money from it outweigh the consequences of being banned by Google from contributing any more apps to the Market. "The attacks on Android Market," he adds, "will continue as long as the developer requirements stay too relaxed."
Google has implemented security screens that require the user to acknowledge that an app is able to edit, read, and receive text and multimedia messages before the download can be completed, but such a policy does not appear to protect users enough. Obviously, users are likely to breeze past such warnings, and that is not entirely surprising given the wide popularity and reputation of games like Angry Birds. When everybody and their brother has probably downloaded Angry Birds at some point, who would seriously worry that the app they think they're downloading is not an offering from a reputable developer? Other criticism directed at Google's failure to protect its users suggests that Google should improve the way it educates users so they can protect themselves more effectively. As it stands, Google leaves its Android users in the lurch because its "caveat emptor approach means it's up to users to make sure they don't get swindled while shopping in the company's official apps bazaar."
That Google does not have a stricter policy for app publishing is a disrespectful gesture towards its customers, who clearly are not tech-savvy enough to be suspicious of every download. Worse than simply taking a knee on the issue, Google seems to have excused itself with the equivalent of an Alfred E. Neuman security policy that simply shrugs, "What, me worry?"
What do you think? Should Google be doing more to keep the Android Market free of malware, or does the responsibility fall to Android users? Let us know below in the comments.