Posted at 11:04 AM ET, 03/7/2011

Google activates 'kill switch' to remove Android malware

By Rob Pegoraro

Google's response to a bout of Trojan-horse applications targeting its Android operating system shows how much and how little power it exerts over that platform.

The key part of Google's latest reaction, announced in a blog post Saturday night by Android security head Rich Cannings, is the remote removal from users' phones of applications identified as malware. These rogue applications were offered through Google's Android Market under such sketchy names as "Hilton Sex Sound" but also more-serious monikers such as "Scientific Calculator." They can transmit a phone's electronic identifying number and also download additional, unidentified code in the background.

Google has discussed this remote-removal feature before (see, for example, Cannings' June blog post for Android developers) but had not used it on so many apps at once until now.

Google will also send a software update called "Android Market Security Tool March 2011" to infected phones over the next day or two that will close the security vulnerabilities exploited by this malware.

You hardly ever see an operating-system developer reach down to a user's computer to yank an existing app and then install an update without prior notice to the user about either action.

It's even less common to have that same developer exert so little control over what programs it distributes in its own software store. The Android Market operates on a trusted-developer model: Once you're in, you can publish and update software at will, with users' primary guide to an individual app's quality being the one-to-five-star ratings and reviews left by other users.

(Reading through those assessments on the small screen of a phone quickly grows tiring. You're better off inspecting a new app's critiques in the Web version of the Market that Google introduced last month.)

As an Android user, I appreciate how Google isn't trying to curate the Market's inventory in the way that Apple does with its App Store, where it's attempting to legislate not just safety but quality with its restrictive rules for iPhone and iPad apps. I've heard similar thoughts from Android developers who like not having to wonder if each new release--and each patch to an existing release--will get held up in app store review limbo.

I'm okay with the risks of malware slipping through, because I know to read the reviews of a new app and, if in doubt, to look it up on other sites. That's how I've always treated new applications on any computer I've used: Mac, Windows, Linux, Palm, whatever. You don't just download any shiny new toy, because it might turn out to be a Trojan.

And yet: When a company hosts somebody else's application in its own, private software store, you're right to expect some minimal level of oversight.

Cannings's post promises changes to the Market to crack down on malware but doesn't define those actions: "We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market."

Over at ZDNet, my friend Steven J. Vaughan-Nichols asks the obvious question of Google: "Wouldn't it have been better to do minimal checking on software before letting it on Android Market?" Indeed. Google doesn't even have to require that, but if it simply offered a malware-free certification option, I suspect that many developers would gladly opt for it. They might even pay extra for that stamp of approval.

Vaughan-Nichols--who also pronounces himself "not crazy about the idea that Google, or anyone else, can reach out and rip software out of one of 'my' devices without my say-so"--identifies another issue with Google's Android security strategy: its dependency on wireless carriers.

Although the current version of Android, 2.3, doesn't have the vulnerability exploited by this malware, most Android phones don't run it. And Google can't make carriers offer updates to 2.3. Many phones haven't even gotten an upgrade to 2.2, the improved release Google introduced last May.

In this situation, I recommend a skeptical approach to adding new apps. Others, such as Vaughan-Nichols, advise getting anti-virus software for the phone. But no matter what, Google needs to improve its management of its Market. As Android gets more popular, the temptation for malware authors to attack its users will only get worse.

What would you recommend Google do? Share your suggestions in the comments.

3/7, 11:22 a.m. Cleaned up a little formatting weirdness and added a link with details of the Android malware in question.

Comments

The fact they can just wipe applications remotely from your phone tells me they have too much power over the end user, maybe that's why I don't own a smart phone. There should be a message sent to the user about bad apps. The user would look at the list and remove the application.
The fact Google/Apple knows what you have installed bothers me too.

Posted by: regulas1 | March 7, 2011 11:40 AM

I would let Google remove malware from my phone anytime. Why is this so different from any other web activity? Most sites put cookies on your computer without your permission, tracking your web movements and reporting back to the originator. That sure sounds like malware to me.

Posted by: bigbassclef | March 7, 2011 12:48 PM

This is why I'm intrigued by reports that Amazon intends to set up an Android app store. It sounds like it might be a good compromise between Apple's restrictive and Google's laissez faire approaches.

Posted by: keithmo | March 7, 2011 1:03 PM

Quick question: do affected users have to accept this update from Google? If the user has to authorize the update, I don't know if I agree with characterizing it as "reach down to a user's computer" and "kill switch".

Posted by: tundey | March 7, 2011 1:52 PM

Google should take a layered approach. First and foremost, they should employ people to evaluate all new apps whether before or after the fact of posting to the store, and offer a sort of low-level approval on that basis. "We tried it, it looks ok, it does (or doesn't) do what it promises. Malware status uncertain."

Add to this, the easiest and simplest possible at-a-glance ranking or rating of developers. It would make sense to offer a specific warning at installation, if the developer is brand-new, has no well-established rating or has a less-than-sterling reputation.

The malware-free certification idea adds another layer, and THAT could be two- or more-layered.

Finally, YES, please add a requirement to OK changes at the phone's own console, not only for web installs but also for Google's own tinkering.

Posted by: NotJim | March 7, 2011 2:30 PM

People, including Rob Pegoraro, are so naive. Google's reason for not having an application approval process is to save money. It doesn't have to design software to check for malware or pay employees to make decisions about apps. And, it can play folks for fools by claiming its policy is about being 'open,' a public relations advantage.

Meanwhile, Apple has never done anything as draconian as use a kill switch.

Posted by: query0 | March 7, 2011 9:39 PM

I have never liked how Android Market never offers a changelog or a read me file. Most of the time apps don't even have an about.
It's really sad how lazy people have gotten with app stores that the whole install process doesn't even ask you whether to install on SD card or anything. I am going to move the app post install anyway, give the option. Every time I am left wondering if an update is worth it, I don't want to run the latest if it's going to be bloated like a certain PDF reader from Adobe. You can't even at least have a hash to check for yourself.
It really is pathetic what Apple is making common for users, and that other companies are chasing its tail.

Posted by: missingxt | March 8, 2011 8:14 AM

That's why I stick with Apple. Love my iPad (and I'm happy with the 1st generation).

Posted by: ccs53 | March 8, 2011 1:58 PM

© 2011 The Washington Post Company