Friday, April 1, 2011

Android Trojan Highlights Risks of Open Markets

Android users who go outside the official Android Market must be careful which apps they install. Photo (of an HTC Droid Eris) by Jon Snyder/Wired.com

Android enthusiasts have long championed Google’s “open” philosophy towards the smartphone platform. The recent appearance of a new Trojan horse in unofficial Android app venues, however, may cause users to think twice about how open they want the platform to be.

The app in question, Android.Walkinwat, appears to be a free, pirated version of another app, “Walk and Text.” The real version is available for purchase in Google’s official Android Market for a low price ($1.54).

If you download the fake app (from unofficial markets for Android apps) and install it, it redirects you to the actual app on the Android marketplace — but in the background, it sends the following embarrassing message to your entire phonebook via SMS:

Hey,just downlaoded [sic] a pirated app off the internet, Walk and Text for Android. Im stupid and cheap, it costed only 1 buck.Dont steal like I did!

Egregious spelling and grammatical errors aside, the text message serves as a reminder of the risks to those willing to go outside of the official Market for apps.

“Someone downloaded the app, inserted their malware, and uploaded it onto other non-official marketplaces,” Symantec mobile team product manager John Engels told Wired.com in an interview.

In other words, if you go outside the official Market, things may not be what they seem, and there’s no guarantee that what you download is what you actually want.

Google maintains clear content policies on all apps that are uploaded to the official Android Market, and developers know well enough in advance what those policies are, and how not to break them. Whenever an app in clear violation of Google’s policies shows up in the Market — like, say, a piece of malware — Google’s Android engineers are often quick to quash it.

But if you’re not one for pesky rules and regulations and want to see what the non-Google-sanctioned markets have to offer, all it takes to access them on an Android device is for you to uncheck a box on a settings page, allowing your phone to install apps from “unknown sources.”

To a certain degree, this isn’t a huge issue for the novice user. Many outside applications are hosted on file sharing web sites that users like your grandmother probably aren’t frequenting. And unless they’ve tried to install these outside applications by sideloading them, they’ve probably never unchecked the unknown sources permissions box to begin with.

But last week’s debut of Amazon’s new App Store may have changed that. In order to install Amazon’s App Store on an Android device, you first must uncheck that permissions box. While there may be no immediate risks associated with downloading apps from Amazon’s App Store, it opens the door for users to allow other unofficial — and therefore riskier — apps to be installed on their devices, from other sources.

“As soon as you flip that switch and go away from the Android Market, which is the one place where most people go, then you are putting yourself at some risk,” security researcher Charlie Miller told Wired in a previous interview.

“The threat will persist so long as people continue to download pirated software from peer-to-peer networks,” Webroot threat research analysts Armando Orozco and Andrew Brandt told Wired.com. They say sticking to the Android Market is your safest bet, but if you’re still compelled to go outside the official box for your apps, whether it be to Amazon’s App Store or another unofficial market, you should “scrutinize the permissions the App requests, and don’t install it if it wants access to certain functions (like the ability to send SMS messages) that the app shouldn’t need to access.”

But doesn’t staying within the confines of the Android Market defeat the purpose of choosing a platform with such an “open” philosophy? If you want a stricter, closed system with stringent regulation on its apps via a review process, you might as well buy an iPhone.

“Android users enabling sideloading doesn’t necessarily lead to piracy or installation of apps from unsafe sources,” says Alicia diVittorio, a spokesperson for Lookout Mobile Security. “In fact, it’s great to have another source for consumers to download apps from a reputable brand like Amazon.” Indeed, Amazon’s Appstore isn’t a great deal different from Apple’s App Store: Both companies require an intense review and approval process before making any developer’s submitted applications available for purchase.

Essentially, there’s an inherent risk that comes with downloading apps for a device with an attitude of openness like the Android. Even the official Market is susceptible to infiltration by malware, as evidenced by the swath of malicious apps pulled from the store earlier this month. But in a relatively free and open domain such as Android’s, the risk remains the price of admission.

No comments:

Post a Comment