Google takes additional steps after Android security incident.
Google has taken additional measures to protect consumers in the wake of the security incident last week involving more than 50 malicious Android applications. While Google’s response is an expected and positive move, it comes with some criticisms and suggestions.
Last week, The Tech Herald reported on news that Google had removed more than 50 applications, as well as their corresponding developer accounts, from the Android Market after the pirated apps were discovered to be completely malicious.
Mobile security vendor Lookout dubbed the discovered malware DroidDream. According to Lookout’s research, the malware itself could compromise a significant amount of personal data. Early on in the story’s development, the Android news portal Android Police reported that the malware would swipe the product ID, model, language, country, and userID. Moreover, they added that it had the ability to download further code, thanks to a backdoor that it creates.
As word of Lookout’s public research and alerts spread, several security vendors released protection updates to their mobile security offerings. At this point, if a malicious application containing DroidDream was downloaded, either Google or the other security vendors have taken steps to remove the threat.
On Saturday, Google said that once they were made aware of the situation, in addition to their previous actions regarding the apps and the developer accounts, they also contacted law enforcement and initiated the remote removal protections within the Android platform.
Google has long had the ability to remove applications from an Android device by remote command. In the past, when Google has used this ability, it has been for cases such as these, where malicious applications are disabled and uninstalled without user interaction. The problem is, no matter their mobile carrier, some Android users are a bit jumpy about this ability.
In addition to the remote wipe, Google also deployed an Android Market security patch to affected devices that removes the vulnerabilities targeted by DroidDream.
“If your device has been affected, you will receive an email from email@example.com over the next 72 hours. You will also receive a notification on your device that “Android Market Security Tool March 2011” has been installed. You may also receive notification(s) on your device that an application has been removed. You are not required to take any action from there; the update will automatically undo the exploit. Within 24 hours of the exploit being undone, you will receive a second email,” Google explained.
This is where the questions and criticisms come in. In their blog post, Google noted that as soon as they were made aware of the situation, they acted. Critics claim that Google should have been more proactive in their security, instead of waiting for someone to report a problem.
This has long been a challenge for Google, which has tried to weigh openness with security. One of the things that separates Google’s market platform from Apple’s is Apple’s strict development and submission guidelines; Google doesn’t have them. This openness allows anyone to create and contribute to the Android community, but it also allows malicious applications to appear more frequently.
One commenter on the Google post proposed an interesting suggestion, but it would take a massive amount of community effort and support.
“Is there anywhere Google can show a list of all applications that are free submitted to the platform? We developers can download them and check each one. I really do not want to see the Android Market becoming the App Store,” asked a commenter by the name of Mr. Le President.
Another issue raised centers on fragmentation. Google fixed the issues exploited by DroidDream in an update, which placed the Android operating system at version 2.2.2. Yet plenty of other devices are running previous versions. While Google has deployed the update to the phones affected by DroidDream, devices that are vulnerable but were not impacted by the malware will remain untouched.
Addressing the issue, another comment suggested that Google, “…take complete control over updates being pushed to phones, or force manufacturers and carriers to get them out within am[sic] reasonable time frame. You cannot let the fragmentation [occurring] continue.”
The “Android Market Security Tool March 2011” is available to anyone who wants to download and install it. However, as the app’s description says, there isn’t a need to install it on your own.
Our advice is to skip the security package download and go to your Android device’s settings menu. Under the About section, check the software update link for new OS versions.
We say this because manually installing the security application deployed by Google could have unintended consequences on older OS versions, so install it with some caution.
Also, if you install the security update and it is not needed, you will likely get a message similar to the one below from Google. We were emailed this about 10 minutes after we downloaded and installed the security update on one of our Droid devices.
“This is confirmation that “Android Market Security Tool March 2011” has been successfully run on your device. This means that the malware recently suspended from Android Market is not on your device and the unauthorized access created by this malware is not present.”
So it would appear that, aside from the potential issues of manually installing a patch that is intended for automatic deployment, doing so may be a wasted effort.