The other day we noted that 21 apps which infected 50,000 Android devices were pulled from the market and we’ve since learned that the problem is bigger, impacting over 250k phones and 58 apps. Google has released a statement about this and they don’t come off as overly cautious. They note that they “believe that the only information the attacker(s) were able to gather was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices, and the version of Android running on your device).” Of course, they also state that other data could be accessible and they are patching the security exploit and utilizing a remote kill feature to remove the viral software. To me, this is a bit late and a bit too little.

First off, this was a known security flaw and Google patched it in Android 2.2.2, but no patch was required for older devices, so the flaw remains on them. Had one been required, this would of course have been avoided. Secondly, removing these apps may not remove the virus. It’s known that the virus has the ability to seek additional downloads, so in theory it could have secretly downloaded another app that works with the malicious app in question, one that would be harder to detect and would not be removed by the kill switch. Also, this all speaks to Google’s actual protection of their market, which is to say it’s virtually none. These apps were found by a third party who detected the virus and reported it to Google. Had it not been for them, these apps would still be floating around. And interestingly, some of the apps they were packaged in were former paid apps, ripped off and repackaged illegally with the malicious code added, yet still available in the Market like a legitimate app. There’s almost nothing less Google could be doing here. The approach they currently are taking lets attackers spread malware and, once it is detected, Google springs into action to remove those apps. Of course, that’s after your data is transmitted. The logical thing to do is carry out scanning on software before letting it enter the market, but of course then Google would put a limitation on their ‘openness’ and they seem to be in favor of letting malicious code circulate before they add any limitation to developer marketplace access, even if slight. So in weighing protection of the end user against access to the markets, a slight review period for an app is apparently viewed as too much of a restriction, even for the benefit of protecting all users. I don’t see how they could balance it and end up with where things stand.

And to be clear, this may ultimately be a pretty minor virus scare but it doesn’t appear to be a wakeup call and that’s the point. The market remains open for these types of vulnerabilities so long as Google’s sole solution to protecting consumers is a kill switch to try to undo the harm, but obviously that doesn’t retrieve any sensitive data that you may have transmitted from your phone first. It’s time to wake up.

10 COMMENTS

  1. 1. Google does not consider it evil to secretly gather user information.
    2. Google wouldn’t have removed the rogue apps from the market if the third party hadn’t detected them.
    3. Google scans only those attacks… I mean ‘apps’…. that originate in China.
    4. Google remote loaded a honeypot app of its own in all Android devices but failed to find any evidence that Bing was copying them.
    5. Android is a driverless car.
    6. Google has been licensed by GOD (Google’s Own Dogma) to use humans as guinea pigs and Android users even pay to be treated as one.

    P.S. – There is no fun in Google bashing without Doug Simmons around. Where is he?

  2. @DavidK. If you’re writing an Android article, I’ll bet my 1st born you are slamming them against the wall. Stick with your Windows (I must pay for everything) Phone 7 articles. It is so obvious what your true intentions are. I love your articles about NEW WP7 apps that have been on Androids for months and sometimes years. Those articles seem to satisfy the limits of WP7 users.
    Nothing is all good and when someone weighs the good with the bad, WP7 still sucks. Like most good things a company does, Google will eventually fix this but WP7 will still have a very small % of the market.
    I can truly say, I get better use from my Android phone and apps than I ever got from a Microsoft phone. In the past when I used a Windows phone, Google came to the rescue with apps that made it better. Most Google bashers are usually hypocrites as very few people don’t use their products.

  3. @RowdyC: interesting response a la Simmons. Ignore the underlying problem with Android, change the subject and instead attack things that have nothing to do with the article itself.
    Try to read the article – you can even read the underlying links. Be as happy as you want with your Android phone and if you want to go down the path you seem to be appreciative of, be blind to its flaws. Let Google turn a blind eye with you and when it’s your data that’s breached blame the hacker, not yourself or Google. That’s how Android rolls.
    I give plenty of shit to MS for their failures as well and this article has nothing to do with which OS is better. If you choose to only praise any platform then you’ve turned fanboy and lose credibility. Choose your path, but the folks that sing praises of their OS and ignore its flaws used to be iPhone sheep…I guess Android is stepping up to replace them in all their glory.

  4. Simmons is my phone tech leader, so DK I will take your words as a comment. (Oh boy, what an unstable ledge to be on)
    I wouldn’t consider myself a fanboy (not as of yet) more of an opportunist that takes advantage of the best products of the times and in my opinion, Android is in that category. I just feel Google will correct this issue in due time and sooner than later, this security flaw will become null and void.
    There are good and bad things with being open source just as with being closed like Apple and MS phones. When I weigh the pros and cons with open or closed source products I will definitely go with open any day of the week (and twice on Sunday).
    I just want to use MY phone the way I want to use it and if I have to scan apps myself before and after installation, I will consider that a very small price to pay not to be a Microsoft, Apple, RIM or whoever’s lab rat.

  5. @Hotmail Alias
    Yes, I totally second that. I don’t see why some people don’t realize themselves as fanbois while pointing fingers at others, also BTW I don’t see any fanboy kind of rants in the original article. If you want to see real fanboi articles go and read SJVN articles on ZDNET who constantly apologizes for Linux and at the same time exploits even a small issue about Microsoft and Apple in the same article even if there is nothing in that regard, or read AKH’s Hardware 2.0 and you will see a true Apple pie there.

  6. Lab Rat??!! Do you realise that you signed up to be a lab rat of Google the day you bought into the unfinished Android platform and still continue to be one?
    Just sayin’….
