Android’s definition of malware

Android is starting a security review, so there have been some communication about security. Among this communication, there is a Security FAQ, which includes a list of characteristics of malware. Here are a few comments on this list (the items are not in the original order).

First, we have the obvious items. Any application doing any of these things obviously is malware, for Google, and for about anybody else:

  • discloses the user’s private information to a third party, without the user’s knowledge and consent;
  • destroys the user’s data (or the device itself) without the user’s knowledge and consent;
  • attempts to automatically spread itself to other devices;

Note the subtle distinction between an action that is performed automatically and an action that is performed without the user’s knowledge and consent. You can recommend an application to your friends, but your recommendation should not include the application itself.

The next one is just as obvious:

  • impersonates the user (such as by sending email or buying things from a web store) without the user’s knowledge and consent;

This definition of impersonation is very Internet-oriented. However, since there is no rule about “performing actions that incur a cost to the end user” such as calling a premium number or sending a SMS, I would say that this has to fall into this rule. If you combine that with the permission model that only provides “blanket” permissions at installation time, there is room for a lot of abuse here, or at least for spurious wording from applications that send premium SMS messages.

Next, we have an issue that is specific to mobile devices:

  • drains the device’s battery very quickly;

This one shows how thin the boundary is between buggy software and malware. I am sure that a few games will be labeled as malware on this rule, just because they try a bit too hard to be reactive or to otherwise enhance the user experience.

Another category rules out some irritating behavior from Android applications:

  • shows the user unsolicited messages (especially messages urging the user to buy something);
  • resists (or attempts to resist) the user’s effort to uninstall it;
  • hides its files and/or processes;

The first one is quite surprising from a company that lives on advertising, as it somehow rules out any application that performs heavy-handed advertising. Shareware may also be difficult there. The second rule seems to be targeted against Symantec and other security software, and the last one is interesting in many cases.

The last item is the typical catch-all sentence. In that particular case, it goes quite far in being overly broad:

  • otherwise degrades the user’s experience with the device.

Now, what is missing? Not much, in fact, because the definitions are very general. I would like to see an explicit mention of “incurring cost”, as well as about attempts to perform unauthorized operations. We would also need the definition of “private information”; for instance, the status of location information may need some clarification. But still, it is interesting to get that definition of malware.

No Comments

Leave a Reply

Your email is never shared.Required fields are marked *