For a good while, Google seemed to be in denial on the subject of Android malware. Aggressively so, in the case of Chris di Bona, who announced that "...virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself." Well, let's leave aside the fact that neither Cisco's IOS nor Apple's iOS is noted for its support of 3rd-party anti-virus applications, the transient irritation of some of us who spend considerable time trying to counter security misinformation, and the fact that the purveyors of Android security software (free or for-fee) seem to have found plenty of malicious activity to try (with varying degrees of success) to counter.
Well, Google has moved on. Let's not get too hung up on the fact that Hiroshi Lockheimer's bullish assertion that
"between the first and second halves of 2011, we saw a 40% decrease in the number of potentially-malicious downloads from Android Market"
doesn't sit very well with di Bona's
"No major cell phone has a 'virus' problem in the traditional sense that windows and some mac machines have seen. There have been some little things, but they haven't gotten very far due to the user sandboxing models and the nature of the underlying kernels."
In fact, the mainstream AV industry has managed to raise at least two reasonably hearty cheers for Google's announcement that it has taken notice of some of the many calls for an app-screening model closer to Apple's iGadget App Store: one from my ESET colleague Cameron Camp ("Google responds to Android app Market security with stronger scanning measures") and one from Sophos' Vanja Svajcer ("Is Google Bouncer going to bounce all malware from the Android Market?"). Well, we're evidently a forgiving bunch, on the whole. But let's hope that no-one is thinking "job done!" Cameron remarks that:
"With an estimated 11 million apps available for Android, and a year-over-year growth rate of 250% according to Mr. Lockheimer, there’s a lot of scanning to be done."
While Vanja goes into some detail on the limitations of the approach, and continues:
"To truly protect devices, we need a local bouncer. Not one like today's anti-malware apps, with poor stamina and no weapons. Only with Google anti-malware API Android protection products will be fully armed and prepared to fight."
But, given the tension between Android and the AV industry, perhaps it's better if I point to a more neutral resource: ENISA, the European Network and Information Security Agency, has already undertaken some serious security-focused analysis of the app store delivery phenomenon using STRIDE threat modelling and Attack Trees, expanded into an excellent review of the "five lines of defence against malware" that they believe apply in this market sector. With news breaking even now on MSNBC of a further wave of "fake malware-laden apps", it's to be hoped that Google has not only seen it, but read up to and past section 5.2, and will not assume that Bouncer app review is enough...
David Harley CITP FBCS CISSP
ESET Senior Research Fellow