Android

Bad apps: Avoid them

How much simpler can it get? Upload a malicious app and wait for unsuspecting victims. It's time to complicate it for the bad guys.

It's time to stop making it easy for the bad guys to infect your smartphone. For example, from The Boston Globe article by Hiawatha Bray about Android phones being targets for hackers:

"Google recently dropped 10 smartphone apps from its online Android Market store, after Xuxian Jiang, an assistant professor of computer science at North Carolina State University, found the programs were infected with Plankton, a program that secretly collects information about a user's Web-browsing habits."

As to what to do to these miscreants, I have some ideas, but I'll save those for another time. Right now I'm more concerned about getting the word out on how to spot bad apps and keeping out of harm's way.

So, I asked three smart people for advice, and here is what they said.

William Francis: He specializes in embedded and mobile platforms, and he has more than 20 years of professional software engineering under his belt, including a four year stint in the US Army's Military Intelligence Corps. William also writes for TechRepublic's App Builder blog.

Dr. Xuxian Jiang: Assistant Professor, Department of Computer Science at North Carolina State University. Xuxian has a slew of publications about smartphone security that we will get to in later articles, and as noted in the article quote, he finds malicious apps.

Kyle Miller: A senior software engineer specializing in web/Android development. He's a self-professed "gadget freak" whose passion for mobile devices drove him to jump into the mobile industry in 2010. Kyle also writes for TechRepublic's App Builder blog.

Michael Kassner: What constitutes a malicious app, and what happens when Google finds one in Android Market? William Francis: The definition of a "malicious" app is spelled out in the Android Developer Content Policy as: "Viruses, worms, defects, Trojan horses, malware, or any other items that may harm user devices or personal data." The document further classifies products as malware that interfere with the operation of networks, servers, or the infrastructure of Google or any third-party.

According to the Android Market Business and Program Policies, Google retains the right to remotely remove applications from devices at its sole discretion. This is the much-talked about "remote-kill switch" that Google has shown to be operational and effective.

As a developer, if your application is deemed malicious, not only does Google have the option to bar you from distributing apps in Google Market Place, but legally you are required to refund Google all amounts you received for application sales, plus any associated fees. How hard Google would push this point is anybody's guess. I suspect the majority of infected apps were free downloads.

It's interesting to note that Google's content policy doesn't just stop at malware. Google reserves the right to remotely uninstall apps that contain: sexually-explicit material, violence and bullying, hate speech, impersonation, confidential information, intellectual-property infringements, unpredictable-network usage, and gambling.

I've seen debate in forums about whether or not the "remote-kill switch" can remove any application from a user's device, or just applications that were installed through the Android Market. This is relevant since recent malware threats like GGTracker infect your phone by "side-loading" themselves via an in-app advertisement and a spoofed Android Market website.

While Google has been open from the beginning with developers and users about their ability to remove an app from a remote device, the technical details and limitations of this capability are left to our imaginations for obvious reasons.

Dr. Xuxian Jiang: As the name indicates, a malicious app typically does something malicious to either compromise the phone (i.e., turning it into a bot) or cause damage to the phone user -- leaking personal information or increasing the phone bill -- without the user's knowledge.

If a malicious app is found in the official Android Market, my understanding is that Google will typically remove the app from the Market (to prevent it from being accessed by the users) and suspend the developer account that is used to upload the app.

Kyle Miller: A malicious app is one that, unbeknownst to the user, steals sensitive data from the user's device and uploads it to third-party servers. This data may range from emails, text messages, call logs, contacts, to sensitive information such as un-encrypted passwords stored in the file system from other applications (I'm looking at you, Skype). Michael Kassner: What can a person do to spot a malicious app and prevent it from doing harm? William Francis: There are a number of antivirus programs users can install to help keep their device malware free. I personally use Lookout. However, installing antivirus on your phone is only the first step.

Most antivirus packages take a two-tiered approach:

  • Scanning for known virus signatures.
  • Attempting to discriminate between "normal" and "abnormal" operating characteristics.

The issue with the first approach is apparent. A virus must be previously discovered and profiled so its signature can be introduced. That means there is a period of time between when the virus is released and when the virus definition file is updated where the user is vulnerable.

The second approach, while more adaptive, has limitations as well. Software engineering and computer science just hasn't reached the level where engineers can give a program the "smarts" to catch every malware threat that the ill-will doers are busy dreaming up.

Fair or not, when you get down to it, keeping malware off a device falls squarely on the shoulders of the user. I recommend:

  • Only install an app from a market place you know.
  • Keep the "unknown" sources option unchecked under the Applications Settings menu.
  • Read user reviews for the app.
  • Check out the developer website before installing.
  • Most importantly, read the permissions an app requires during install.
  • Apply common sense. An app that keeps your grocery list, probably should not be asking for permission to send and receive SMS text messages, access contacts, etc.

In closing, keep in mind there are plenty of apps available to do a backup of your device. Having a known restore point is going to become important as the quantity of malware apps in the wild continue to grow.

Dr. Xuxian Jiang: There are generic common-sense guidelines to better protect users. For example:
  • Download apps from reputable app stores that you trust.
  • Always check reviews, ratings, and developer information before downloading.
  • Check permissions on apps before you install them and make sure you are comfortable with the data they will be accessing.
  • Watch for unusual behavior on the part of mobile phones.
  • Make sure you have up-to-date security software installed on your phone.

However, despite the above guidelines, I also have to admit that in certain situations, users may be still attempted to download and install an un-trusted app.

Kyle Miller: Here are two things I recommend:
  • Don't download and install apps from outside the Android Market. And if you absolutely must, at least make sure it's from a reputable app store or site such as the Amazon Appstore or GetJar.
  • Carefully review requested permissions for each app. If you download a simple game and it's requesting permission to access the Internet, contacts, location, and account information, red flags ought to be flying. And, it's in your best interest not to download the app.

Other advice I'd offer is if you've rooted your device, you need to be paying more attention to this topic than others. Having root access can be wonderful if you're into tweaking your device, but it also gives malicious 3rd-party apps deeper access (and often write privileges) to the file system, which allows malicious apps the opportunity to wreak more havoc than normal.

Google's take

What Google thinks about bad apps is important, so I contacted the company and talked with Randall Sarafa. He gave me Google's position.

You remember William Francis mentioning above about Google having an Android Market Developer Program Policy? Sarafa affirmed that. He said, "We remove apps that violate our policies, including malicious apps."

On spotting malicious apps, Google recommends users check the list of permissions an app requests when it is installed. For example, if a game requests the permission to make phone calls, the user might want to investigate whether the app is legitimate or not.

Google also suggests users check the comments and ratings on an app before installing. Google also would like users who find a bad app to flag it in Android Market.

Final thoughts

I had hoped for a simple answer, but like most else in our digital lives, that can't be. So, buyer beware. Check permissions and use common sense when downloading apps. In other words, stay safe.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

12 comments
mikifinaz1
mikifinaz1

Because a product has to go through the old process it weeds out lots of the geeks with a keyboard, web space and the time to write up a virus app to dump on unsuspecting users.

pgit
pgit

I don't currently use, or even support mobile, but that time is a-comin, rapidly. I use two apps a lot, iptstate and wireshark, is there anything remotely equivalent for mobile devices? If there were something like those on a given platform that would seal my choice as to which platform to go to.

Michael Kassner
Michael Kassner

Malicious apps are making their way into stores and marketplaces. Learn from experts how to prevent them causing problems.

Michael Kassner
Michael Kassner

I have not found anything for the iPhone. My friends are looking for something for their Android phones as well. Maybe one of the members has an idea.

AnsuGisalas
AnsuGisalas

How about malvertisements which point to sites with trojaned copies of otherwise legit apps. Hard to discover. We need more PC-like capacities in smartphones. Especially behaviour blockers.

Michael Kassner
Michael Kassner

What do you mean by trojaned copies? Are you referring to something like the Fake AV apps? I am not sure about more PC-like, experts are saying that smartphones are more secure already. I would prefer better than PC-like, personally.

Michael Kassner
Michael Kassner

That is a good point. I suspect there is some difficulty in getting the malware hidden in the real application as well.

AnsuGisalas
AnsuGisalas

and no need spend bandwidth on the legit parts. All payload.

Michael Kassner
Michael Kassner

Being more prevalent a few years ago. Must be easier to promote the fakes ones I referred to. They are doing quite well right now, unfortunately.

AnsuGisalas
AnsuGisalas

Genuine but doctored. Of course, that's easiest to do with sourcecode access, but that doesn't stop the bad guys, does it? There was a linux product hit with something like that... their download pages were hacked, and their product was replaced with a malign version. In theory it can be the same product, with full functionality, but with a nasty rider. On a PC you can check the hashes, if you remember to, and know how (many people probably don't). On a smartphone, that's less easy. You can't control the file handling enough for that kind of operation, at least not now.