Android has been a popular topic for me recently. As someone who writes about security, that’s usually not a good thing.

But am I being fair?

I look back at why I switched to Android. Unfortunately, the features that impressed me enough to switch are now the ones I’m writing about.

One reason why I switched to Android is the multiple and convenient ways an app can be installed. Three methods I use are Play Store, Non-Android app stores, and sideloading (your options may vary depending on phone OEM and mobile-telco provider).

I’m not the only one excited about multiple ways to install apps; nefarious types are beside themselves. Two of the three options are pretty much anything goes, allowing bad guys to hustle their malicious apps at will. As for Play Store, experts aren’t that encouraged with Bouncer (scans Play Store for malicious applications) either. In an earlier article, I asked Charlie Miller and Jon Oberheide why that was:

We discovered several ways to fingerprint the Bouncer environment. The most interesting ones would allow a malicious app to hide its true intentions while running with Bouncer, and still perform malicious activity on a real user’s device.

This is where it gets complicated. Google, to their credit was trying to keep the installation approach as open as possible. But, the bad guys aren’t going to allow that. Maybe Google should revert to a system similar to Apple with strict vetting, and only one way (not jail-broken) to load apps? Or is there another possibility?

It’s preliminary

It appears Google has a different solution in mind. Sophos and Android Police, two sites familiar with Android, are fairly confident that the client app associated with Play Store will be getting a built-in malware scanner. Here’s what Graham Cluley of Sophos had to say in this blog post:

A new edition of the Google Play app has put in place the foundations for some kind of anti-virus functionality. Looking at the code seen inside the app, it appears that Google could soon have the capability to perform anti-malware scans on your smartphone.

Cluley mentioned that upon close examination of the app’s code by Sophos personnel, the following text was uncovered:

“Allow Google to check all apps installed to this device for harmful behavior? To learn more, go to Settings > Security.”

“Installing this app may harm your device”

“Installation has been blocked”

“To protect you, Google has blocked the installation of this app.”

On something as preliminary as this, I like to get confirmation. I found my second source on the Android Police website. Ron Amadeo disassembled the same code and posted the following string file in this blog post:

<string name=”package_malware_title”>App Check</string>

<string name=”package_malware_consent_text”>”Allow Google to check all apps installed to this device for harmful behavior?

To learn more, go to Settings > Security.”</string>

<string name=”package_malware_banner_warning”>Installing this app may harm your device</string>

<string name=”package_malware_banner_blocked”>Installation has been blocked</string>

<string name=”package_malware_recommendation_warning”>Google recommends that you do not install this app.</string>

<string name=”package_malware_recommendation_blocked”>To protect you, Google has blocked the installation of this app.</string>

<string name=”package_malware_app_name”>App name: “%s”</string>

<string name=”package_malware_checkbox_label”>I understand that this app may be dangerous.</string>

<string name=”package_malware_consent_title”>Verify apps?</string>

Amadeo explains what he thinks the app will do:

Apparently, there are two parts to this. There is something called “App Check” that will allow Google to inspect every app you’ve already downloaded, and a doorman-style app blocker that will warn you if an app is suspicious. It also sounds like they will have a “shut up and download it” button, for people that like to live on the edge.

Both gentlemen furthered their argument by including the following artwork images.

The signs with exclamation points are called ic_warning_dark.png and the shield representation is called ic_shield_dark.png.

Cluley of Sophos offered the following insight:”

Our examination of the new code in Google Play suggests that the company is building an API framework for virus-scanning in the future, and the functionality will not be available until at least API level 17 (which will be supported in the version of the Android operating system after Android 4.1 (Jelly bean).

Note: Neither source provided information as to where they obtained the code.

I wasn’t quite sure what Cluley meant. So I asked William Francis, TechRepublic’s Android expert for his opinion:

I can’t say with 100% certainty what the article is referring to, but it appears that someone did a scan of the English version of the asset folders and discovered some string literals which would lead us to believe Google might be working on adding their own version of a malware scanner to the OS.

Again, this is my best guess based on my knowledge of how Android works. It is likely Google’s version of antivirus will encompass more than just the Google Play Store app. There will probably be a whole framework which might even be available to third parties at some point. There are always teams working on all different parts of Android, and we’ve seen in other operating systems integrated antivirus is a natural progression.

William adds the following cautionary note:

It’s important to remember that a good platform-wide malware solution is a complex piece of software. It will require a lot of moving parts and I’ve seen no definitive evidence that this project will be available in the next release of Android.

Until Google has had ample time to complete, verify the effectiveness, and ultimately release and support an integrated antivirus solution, those users who are security conscious would be wise to continue to use tried and true third-party solutions.

If and when integrated antivirus in Android becomes ready for prime time the marketing folks at Google will not be shy about letting the public know.

Makes sense doesn’t it?

If you think about it, this way Android and Google will be able to check installed applications and those in the process of installing regardless of the method.

Final thoughts

I’m starting to think “Security or Convenience, neither both” is a universal axiom. If that is true, where does that leave us?