There is no better publicity for a security company than a good scare. Apparently, some guys at Smobile are taking publicity seriously. They have published a report entitled Threat Analysis of the Android Market, which got them some news coverage. The report includes some pretty scary statements, like:
3% of all of the Market submissions that have been analyzed could allow an application to send unknown premium SMS messages without the user’s interaction or authorization.
Premium messages, without the user’s authorization. That’s actually true, but not really scary about the applications. This corresponds to the number of applications that request the
SEND_SMS privilege (1356 out of 48694). That’s the way Android works: once you have allowed an application to send SMS’s, the application can send any SMS, including premium ones, and this happens without any further user interaction. Abuse attempts are likely, but Google is likely to turn on the kill switch before the bad guy can make any real money.
Similarly, the guys at Smobile have identified real spyware, which actually fowards to another phone all the SMS’s sent and received from a given phone. This application actually describes itself as spyware (search for “spy” on Market, and you’ll find several). All the permissions is needs to do that are
INTERNET. I am sure that you can do a few things using these permissions. When roaming, I could use a messaging application that uses Internet when available and reverts back to SMS when nothing else is available.
Enough of that. I think that Smobile is pointing at a real issue: once you authorize an Android application to do something (like sending SMS’s or recording audio), it can do it freely until uninstalled. Eventually, a smarter than average hacker will design a good Trojan horse and make some money.
The problem with these reports is that they mislead many people into believing that Android is full of malware. Of course, the reality is that the Android Market is full of apps that could be malware. They just aren’t.
I am a strong supporter of static code analysis, and I think that Android applications definitely are a good target for static analysis. However, the analysis must be much deeper that looking at the permissions requested by the application. For instance, identifying the numbers to which a SMS is sent is much more discriminating. If an application sends messages to a premium number without warning users, it is much closer to qualify as malware. Let’s get that working, and I am sure that we will learn interesting things.