Android malware better, still accessible

I have been lazily looking at the latest piece of Android malware these past few days, until a tweet written this afternoon by @cryptax:

Disagree with on raising entry fee of #android dev: organized gangs will still pay. Genuine individuals no.

It sure sounded to me that I agreed with Axelle, and not only because I plan to register as an Android developer one of these days. I checked on the proposal on the naked security blog, and it confirmed that I do disagree with them. Making developers pay for submitting and testing an application is a bad idea; this is what mobile operators and other application distributors were doing before Apple’s App Store, and it didn’t work, because it artificially increased the cost of developing applications. The cost of vetting an application is an App Store cost, and the idea is that the revenues from the store should cover this cost. Of course, this may not be very easy for Android Market, because their revenue is lower than Apple’s store revenue, but it nevertheless remains their responsibility.

Making application development accessible to developers always makes it just as accessible to hackers and malware developers, but this remains the way to go. If you consider Java Card, it has never been really accessible (just try to get sample cards to run a Java Card application, and you’ll understand what I mean); hackers have largely stayed away from it, and so did developers: creativity on the Java Card platform is dismal, and it sure doesn’t come from independent developers.

So, what can Android Market do about these deliverables? Well, as I said before, vetting is a key element here (i.e., having Google analyze the applications carefully before actually putting them on the market). This is a part where Apple is far from transparent but potentially efficient: few people know the kind of vetting performed on iPhone applications. Of course, malware developers can test concepts, but the opacity of the process allows Apple to update it rapidly when malware is detected.

Let’s follow a few of Crypto Girl’s suggestions, on her Fortinet blog and on IBM’s blog, to get a few more technical details. These reads are quite interesting, because they show how the exploits have been embedded in the code. I am not an expert on Linux exploits and I may be wrong, but I have the feeling that a static analyzer could identify a few things that would trigger a security analyst’s interest.

As a lot of people have mentioned in the past months, there is increasing interest in mobile malware, especially around Android and iOS, and we expect a race between the good guys and the bad guys. What worries me a bit here is that I don’t see much sign of Google engaging in the race to protect Android. Applications like DroidDream should be caught and rejected before they are released, rather than recalled after being downloaded by thousands of developers. Let’s hope for Google that they get serious before their Android Market becomes completely discredited, because Android is an open system, and competitors could show up.
