According to the latest post on Google’s Mobile Blog by Hiroshi Lockheimer, VP of Engineering on Android, Google will provide automated scanning of Android Market for potentially malicious software.
The new service, codenamed Bouncer, will perform a set of analyses on new applications, applications already in Android Market, and developer accounts. Once an application is uploaded, the service immediately starts analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect red flags. Bouncer will actually run every application on Google’s cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior. It will also analyze new developer accounts to help prevent malicious and repeat-offending developers from coming back.
As a security company, we welcome this step toward better security in the Android Market. While admitting that mobile malware is a problem will definitely raise awareness among users, we strongly believe the phenomenon will not stop here. According to statistics provided by Bitdefender Mobile Security, we saw a serious increase in malware families in 2011. While in 2010 we had just 3-4 malware strains, in 2011 we discovered more than 100 malware families - a 4500% increase which generated close to 10 000 malicious applications.
Significantly, there are several other websites from which Android users can install applications. In fact, most malicious applications we discovered were actually hosted on third-party markets and not directly on Google’s Market.
Malware writers usually use the following three steps:
1. Download legit applications from Google’s Android Market
2. Embed the malicious code
3. Upload the freshly created malicious app to a different App Store
Securing the Android Market is definitely a good idea, but it doesn’t eliminate the need for a security solution installed directly on the device, as people want choices and will definitely install applications from other third-party markets as well. According to our stats, only 0.5% of these malicious apps were found on Google’s Android Market.
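The three steps above leave a trace a defender can check for: a repackaged copy no longer matches the original entry for entry. The following sketch is an added example, not code from the original post or from Bitdefender; it assumes both files claim to be the same version of the same app, and its function names and sample archives are constructed for illustration.

```python
import hashlib
import io
import zipfile

CODE_PREFIXES = ("lib/",)   # native libraries
CODE_SUFFIXES = (".dex",)   # Dalvik bytecode

def entry_digests(apk_bytes):
    """Map each entry in the APK (a ZIP archive) to the SHA-256 of its content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def diff_apks(reference, candidate):
    """Compare a copy from the official market with one from another source."""
    ref, cand = entry_digests(reference), entry_digests(candidate)
    report = {
        "added": sorted(set(cand) - set(ref)),
        "removed": sorted(set(ref) - set(cand)),
        "modified": sorted(n for n in ref.keys() & cand.keys() if ref[n] != cand[n]),
    }
    changed = report["added"] + report["modified"]
    # For the same app version, any new or altered code entry needs review.
    report["code_changed"] = any(
        n.startswith(CODE_PREFIXES) or n.endswith(CODE_SUFFIXES) for n in changed)
    # META-INF/ differs after any re-signing; identifying the signer needs
    # certificate parsing, which this sketch does not do.
    report["signature_files_changed"] = any(n.startswith("META-INF/") for n in changed)
    return report

def build_sample(entries):
    """Build a constructed, APK-like ZIP in memory (not a real application)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: placeholder bytes stand in for real file content.
ORIGINAL = build_sample({
    "AndroidManifest.xml": b"manifest", "classes.dex": b"original code",
    "res/icon.png": b"icon", "META-INF/CERT.RSA": b"signature block A"})
REPACKAGED = build_sample({
    "AndroidManifest.xml": b"manifest + extra permission",
    "classes.dex": b"original code + added code", "res/icon.png": b"icon",
    "assets/extra.bin": b"added file", "META-INF/CERT.RSA": b"signature block B"})

if __name__ == "__main__":
    for key, value in diff_apks(ORIGINAL, REPACKAGED).items():
        print(f"{key}: {value}")
```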
Also, based on our experience with malware analysis, malware writers will seek a way around security. For instance, in the PC malware world, we use virtual machines to analyze the behavior of the different samples we discover. Over time, malware writers added routines to detect whether the virus runs on a real computer or in a virtual environment, and they modified their software to act legit when running in a controlled environment. We might see the same phenomenon here, as Bouncer is a service that will emulate all apps uploaded to the Android Market. Moreover, the Android API offers the possibility to detect whether an app runs in an emulator or directly on a device. So there is a high chance that we’ll see apps behaving correctly when used on a simulator and turning malicious when used on the mobile device.
We congratulate Google for taking security one step further, but there is much more to be done in order to keep users safe.