Google readying on-device malware scanner for Android

Android malware is on the rise, but the good news is that Google isn't sitting still for it. The search giant is reportedly readying a comprehensive anti-malware system for its mobile OS that will soon be able to spot malicious apps not just in the Google Play store, but also on Android devices themselves. According to a …

COMMENTS

This topic is closed for new posts.
  1. dssf

    ABOUT TIME!!!

    And, while you're at it, throw in some cream such as an intrusion detection suite, a form of firestarter, a form of etherape, and a clearing house reporting too. Oh, and some surgical formware on a chip that stores the baseline and known-good versions of every app the user has space to back up, so the user can surgically inspect, report, refer forensically to CERT or law enforcement, and then nuke.

    Oh, wire in some noscript, adblock plus, and...

    Oh, wait, I am expecting wayyyyyy too much...

    1. MrT

      Re: ABOUT TIME!!!

      Yup - it'll probably just scan apps as they install and then do a scheduled check of stuff already on the device... which is the core of stuff like Lookout, for example.

      TBH Google could do worse than properly checking stuff on the Play Store, then clearing out the junk, but in the willy-waving battle of the biggest number of apps, neither they nor Apple is keen to be second. So the crud remains in both. I noticed that some apps that are using an icon a bit too similar to others have been pruned, which has culled a few useful things too.

      And if it's built into android 4.2 then it'll be a while before it gains any traction...

      1. Craigness

        Re: ABOUT TIME!!!

        Android updates don't have to come as a complete OS upgrade. This will be rolled out to all devices automatically as a Play Store update, just like the last one.

    2. g e
      Go

      Re: ABOUT TIME!!!

      Oh and an app-specific firewall along ZoneAlarm lines that lets you ban calls/wifi/data/bluetooth/gps/location/etc access on an app-by-app basis.

      1. Anonymous C0ward

        Re: ABOUT TIME!!!

        Avast and Permissions Denied.

      2. Euripides Pants

        Re: ABOUT TIME!!!

        "that lets you ban calls/wifi/data/bluetooth/gps/location/etc access on an app-by-app basis."

        Built in to CyanogenMod...

    3. Anonymous Coward

      Re: ABOUT TIME!!! Really?

      This will slow the phone down a little will it not!

      Still it is the price paid for 'Open Season' oops I mean 'source' software.

      1. ThomH

        Re: ABOUT TIME!!! Really? (@AC 16:37)

        If implemented correctly it should be imperceivable — so much effort has gone into engineering mobile phone software to be power efficient that spare processing capacity is available quite often.

        We should be grateful that Google, with a vested interest in doing it well, is stepping up before manufacturers start shovelling on their own solutions. Have a wander around PC World to see the worst possible outcome.

    4. Anonymous Coward

      Compatibility to all Android phones, makes models and builds?

      Don't hold your breath.

    5. Ilgaz

      Re: ABOUT TIME!!!

      No competition, pre installed, I am sticking to free market Kaspersky.

      I bet it will be 4.2 only anyway.

  2. Anonymous Coward

    "they downloaded Android scam apps disguised as the latest Roxio Angry Birds game. What the rogue apps actually did was send SMS messages to premium-rate services, costing the unwitting users up to £15 each."

    As a developer I have no sympathy for these people installing an app they know is illegal and then ignoring the permissions too. They deserve what they get.

    It's good that Google are adding in checking of applications installed from third parties.

    1. Ben Tasker

      they downloaded Android scam apps disguised as the latest Roxio Angry Birds game

      Missed that in the article, shouldn't that be Rovio?

      Yeah, I've not much sympathy for them either to be honest. As you say, they made two key mistakes. The first was to try and get a paid app for free and the second was to completely ignore the list of permissions.

      I can completely understand that the average user doesn't want to use something like Permission Denied to control what permissions apps can use, but the flip-side of that is that you actually have to pay more attention to what permissions are being sought, not less.

      Considering the permissions in question are under "things that cost you money" it's clear that users just aren't looking or applying logic at all.

      1. Magnus Ramage

        Never underestimate human stupidity or laziness

        I have a bit more sympathy. Regarding free vs paid, multiple versions of Android apps often exist, some free & some paid; it's not always obvious (even from the Google Play description) which is which. I have no sympathy for someone knowingly trying to get a paid app for free, but it's possible at least people scammed in this way didn't know what they were installing.

        On the matter of permissions: undoubtedly it's really important to read permissions very thoroughly before accepting them when installing a new app, especially if they say "things that cost you money". But the longer and more comprehensive some permissions lists get, the more they feel like the Android equivalent of click-through EULAs - at best the average user will scan the list in a couple of seconds in case anything jumps out, but more likely they'll just say "sod it" and click accept without reading... Not the best policy, but human nature.

        1. heyrick Silver badge

          Re: Never underestimate human stupidity or laziness

          "more likely they'll just say "sod it" and click accept without reading" - especially when some permissions (including potentially dangerous ones like "services that can cost you money" depending on how much crap is in the list) are buried under a thing that says "More" that you must tap on. Why aren't ALL permissions ALWAYS listed immediately?

    2. Anonymous Coward

      "As a developer I have no sympathy for these people installing an app they know is illegal and then ignoring the permissions too. They deserve what they get."

      I fully support this sentiment, however I think I should point out though that the users who got scammed into sending expensive text messages downloaded the app from the official Google Play store. I should also point out that Rovio provides a free (ad supported) version of Angry Birds through the official store.

    3. Anonymous Coward

      "As a developer I have no sympathy for these people" - yup, that pretty much sums up the attitude of many of the developers. But it's OK, these developers keep me in business. I work in security. Application security.

  3. Anonymous Coward

    Here we go again...

    It is said that history repeats itself... earlier it was Wintel (a word to indicate MS and Intel "collaboration"), now it is Andtel (a Google and Intel "collaboration"). No wonder we are seeing a repeat of the same behaviour from the two new "collaborators" on mobile platform as that of the two old "collaborators" on the PC platforms. First create an environment full of security lapses that opens the platform for exploitation and then force the user to pay for the "security features"! People, be prepared to experience security issues of the PC era, this time on mobile platforms.

    1. Craigness

      Re: Here we go again...

      How many Android devices use Intel? 1 that I know of! And who has to pay for security when Google is offering it for free along with numerous others? Plus, the permissions system lets users decide their own security policy in addition to the algo-based security on offer.

      1. Ben Tasker

        Re: Here we go again...

        @AC

        Wintel was used to refer to the monopolistic practices of the two. You could argue Intel still has a monopoly on desktops (though I'd call it a stretch), but in the mobile arena? Google definitely don't have a monopoly on phones or tablets either.

        Anyway, if you're gonna call them anything, Andtel sucks. At first glance it looks like AMDTel, so I suggest Gotel or GooTel. You'd still be wrong, but at least people might have a better chance of knowing what you're wittering on about

        1. Anonymous Coward

          Re: Here we go again...

          It won't be long before Intel drive ARM out with their back handers or a deal with Google.

          1. Anonymous Coward

            Re: Here we go again...

            @AC (13th October 2012 09:41 GMT)

            > ...or a deal with Google.

            And what do you think Intel CEO is doing sitting there on Google's Board of Directors, playing music-chair? :)

            Probably the first Google Motorola Mobility handset was the fruit of that collaboration at the top level. I see a very interesting and distilled three-way tug of war between three major groups in mobile arena: Intel-Google-Samsung, Apple (and friends, e.g. Oracle)-Qualcomm and Microsoft-Nokia. nVidia, RIM, HP, HTC, ZTE, Acer et al will be at the bottom of the list with most of these players trying to capture the Asian market with collaboration with local companies and with one or more constituents from the three major groups e.g. ZTE+Intel+Google, Microsoft+HTC+Qualcomm, Alibaba+Acer+nVidia etc.

            Just my 2 cents.

        2. Anonymous Coward

          Re: Here we go again...

          @Ben Tasker

          > You could argue Intel still has a monopoly on desktops (though I'd call it a stretch), but in the mobile arena?

          I see things moving in that direction. Intel already has 4 devices in the market and has said that more are to follow. So once the Intel blitz starts then it is well known what happens :)

          > Anyway, if you're gonna call them anything, Andtel sucks.

          Well it was "Wintel" instead of "Microtel" isn't it? Hence I used "Andtel" instead of "Gootel". You can use whatever you want. My intention was to convey the similarity between some of the decisions being made related to desktop and mobile when it comes to security i.e. pushing security handling within the hardware. And these two decisions have come within a short span of each other. And only one company so far has been publicly pushing this idea on desktop, and now the similar thing is being done for mobile. Also, Intel CEO is on Google's Board of Directors. Hence the link.

        3. Anonymous Coward

          Re: Here we go again...

          "Wintel was used to refer to the monopolistic practices of the two."

          Sorry but that's just bullshit. It doesn't matter how many people try to make it true by writing it on Wikipedia. It was just a description of the computer that was in nearly universal use then. Evidently you do not remember when Windows was available for a variety of cpus, such as DEC and MIPS, PowerPC, and possibly others, I don't recall.

        4. Anonymous Coward

          Re: Here we go again...

          Gintel? Because Android on x86 is enough to drive anyone to drink?

      2. Anonymous Coward

        Re: Here we go again...

        @Craigness

        > How many Android devices use Intel?

        4 at the moment, with more to follow I am sure. Intel is not going to sit there twiddling their thumbs when the growth is in the mobile devices sector.

        > And who has to pay for security when Google is offering it for free along with numerous others?

        There is no free lunch. The "free" that you get is recovered in other areas. Hence users should never be under the impression that things are free when a commercial enterprise is involved in providing a product. They are not charities.

        > Plus, the permissions system lets users decide their own security policy in addition to the algo-based security on offer.

        I agree that Reg readers are tech savvy and understand what you are saying, but what about the consumers (majority of the users fall under this category) who are not able to differentiate between "own security policy" and the "algo-based security". The marketing brains usually target this section of the users to sell any technology they see fit, whether the user requires it or not. Otherwise we wouldn't have seen the security related bloated products pushed down the throats of consumers who are not in a position to make a decision based on technical understanding. I see the same thing repeated on mobile platforms.

        1. Craigness
          WTF?

          Re: Here we go again...

          Coward, 4 devices is still too small to consider it a phenomenon worthy of a name. Also, Intel had nothing to do with creating Android, so the security situation is not part of a conspiracy to enable Intel to sell security products. Also, Intel doesn't sell security products. Also, it's not the chip which makes a product secure, it's the software. Also, free security software is free - Google makes it free to counter the FUD from online cowards, Lookout makes it free to promote its paid-for products, etc. Also, the permissions are shown to all readers before they install, not just the more savvy ones (the savvy ones become savvy by doing things like reading the permissions list!), so everyone can see that something can send SMS to premium rate numbers for example. If you install an app which asks for permission to send SMS to premium rate numbers and it sends SMS to premium rate numbers then there has been no security violation. Also, "bloated" has a specific meaning in software, it's not a catch-all for "stuff I don't understand", but it's pretty clear that you don't.

  4. Anonymous Coward

    Let the cat and mouse race begin once again. Can Google keep up with signature updates? What about older OSs?

    Will Google abuse this system to favour their own store, like they do with their gmail spam detection filters that tend to favour companies who buy their advertising?

    Stay tuned

    1. Ben Tasker

      Will Google abuse this system to favour their own store, like they do with their gmail spam detection filters that tend to favour companies who buy their advertising?

      Link? Could be interesting reading if it's true.

    2. Anonymous Coward
      Stop

      It's the other way around...

      If you buy Adwords email from your domain gets marked as spam:

      http://www.webhostingtalk.com/showthread.php?t=1195112

      (Or search for more reports)

  5. Richard Lloyd
    Meh

    Anti-malware apps...

    Strange that the article made no mention of the anti-malware apps already on Google Play (e.g. AVG, Avast etc.), since aren't they already doing what this new Google feature will do at some undetermined point in the future?

    One thing I'd like to see is the ability to individually deny permissions to an app (and hopefully the app will gracefully handle issues arising from not having those permissions, rather than just crash or quit) - ideally both at install time and let them be changed at any time after that. At the moment, we're presented with the list of perms when installing the app with just two choices - install it with all the permissions or don't install it, which isn't granular enough, IMHO.

    It surprises me how many apps request needless permissions, though you suspect a lot are for banner ads which may be the reason Google won't let users turn off permissions.

    1. Anonymous Coward

      Re: Anti-malware apps...

      For now I'd be happy with just showing a permission to read from the sdcard, currently there's none and apps are free to read whatever they want from there.

    2. Ben Tasker

      Re: Anti-malware apps...

      @Richard

      For permissions control I use Permissions Denied (there's a free version as well). Works quite well for the most part, but apps will crash if you remove permissions you want. Doubt you'll be surprised at the following:

      Facebook App - Remove permission for fine or coarse location = Crash

      Google+ App - Remove permission for coarse location = Crash (you can turn off fine)

      I tend to decide what permissions I'm happy for it to have, and disable the others. If the app crashes as a result, it's after something I'm not happy for it to have so I remove it. Everything loses the ability to update my contact list, and often to read it.

      1. Anonymous Coward

        Re: Anti-malware apps...

        Why don't the 'permission control' apps just return bogus data (e.g. 0.0 for lat & lon) instead? That way the app should not crash and your privacy is preserved.

  6. adnim

    Phone+

    I use a dumb phone for, surprisingly enough, making phone calls and texting. It has all the features I need. It's 9cm x 4cm x 1.5cm and very light.

    I use a rooted 7" Tab 2 to do all those things my dumb phone doesn't.

    It's a little inconvenient having to use two devices where most people use one. But to me, that's the only down side. My Tab is under my control, not Google's. I have the usual adblock installed in Firefox... Where's NoScript for FF on Android? My hosts file is pretty comprehensive. I haven't found a decent firewall yet, ie one that asks permissions for any ingress and egress and doesn't want access to contact lists, location services, the Internet etc.

    I image my device before installing anything I am the slightest bit dubious about.

    However IT is what I do and I have been doing it for quite some time. Consumers on the other hand do need protecting, not only from malicious applications but their own ignorance. As a consumer one has to trust someone. As an IT literate who generally knows what he is doing, I don't have to trust anyone, and I don't.

    1. mraak

      Re: Phone+

      I use my paper map for surprisingly enough. Haven't detected any malware on it yet.

  7. lauri_hoefs
    Go

    Adware removal too?

    Could this scanner also remove adware from the phone? There's one really buggy and annoying piece of ad-/malware/spybot on my phone, makes it almost impossible to use the handset.

    The adware is called Android 2.3.7 or something, think it came pre-installed.

    1. adnim

      Re: Adware removal too?

      I'll bite, if only to bring this website to the attention of those who may not be aware of its existence.

      You might find a solution here....

      http://forum.xda-developers.com

      The solution you choose may well invalidate your warranty. Although for some devices the firmware update counter can be reset so it looks, to the manufacturer, like the device was never anything but stock.

  8. Phoenix50
    Stop

    Ah..

    So when Microsoft introduced application checking, user access control and anti-malware into its Operating systems, the response was "why has it taken them so long?!!!!!11111!1"

    But when Google do it it's called "improvements".

    Go fuck yourself Google - your time will come, and you'll be assigned to the annals of history like all the others.

    1. Anonymous Coward

      Re: Ah..

      Ok, I'll bite.

      The response was "why has it taken them so long?!!!!!11111!1" because Windows had been plagued by malware for years. Literally to the point where the only way to reliably keep a Windows machine clean was to never let it connect to the Internet or read removable media.

      You could argue that Android should have had this stuff from day one because security via obscurity is a flawed practice. In reality though Google, like any other company, has had to build its software in iterative form and until Android's market penetration reached a high enough level there was no advantage in redirecting resources into a dedicated malware scanner. Now that Android has become popular it is time to reassess those priorities. It's also worth remembering though that Android is based on Linux, which whilst not invulnerable, is considerably more secure due to both its maturity and its open source nature.

      All of this is still a world away from Microsoft however, a company that had a near 100% monopoly on the home computer market during the 90's but did not actively begin implementing security best practices until the mid 2000's.

      1. Anonymous Coward

        Re: Ah..

        >Literally to the point where the only way to reliably keep a Windows machine clean was to never let it connect to the Internet or read removable media.

        Or possibly some sort of image back-up routine, maybe.

        1. Anonymous Coward

          Re: Ah..

          Backup images don't prevent infections, they just allow you to quickly recover a machine afterwards.

  9. Mike Judge
    FAIL

    scaremongering

    "Chocolate Factory already scans apps in the Google Play store for malicious behavior using a system known as Bouncer, but that hasn't prevented a number of high-profile incidents in which scammers have used rogue apps to swindle Android users out of cash and device data."

    All those "high profile incidents" are not originating from the Google play store, they are from other sources from users too stupid to understand the clearly worded malware warning when enabling unknown sources.

    1. Anonymous Coward
      FAIL

      Wrong.

      Post "Play" Bouncer:

      "100,000 Users Have Downloaded Malware From Google Play" - Forbes, July 2012

      http://www.forbes.com/sites/adriankingsleyhughes/2012/07/11/100000-users-have-downloaded-malware-from-google-play/

      Previous cases, pre "Bouncer":

      http://www.slashgear.com/symantec-android-market-having-its-largest-malware-infection-ever-27211082/

      http://www.engadget.com/2011/12/14/google-pulls-android-market-malware-that-exploits-sms-hole/

      ..

  10. M Gale

    Sheesh

    I know this is The Register, but "oh just root it" is not an answer to anything other than "how can I make it easier to break my phone?" If anything, telling Joe Public to go install some funked-up unofficial rooted Android build is what lays them wide open to malware attack.

    But yes, non-rooted Android needs selective permission blocking of all apps, including the Google ones. If apps made for older Androids crash when you deny permissions.. don't use the apps.

    1. Anonymous Coward

      Re: Sheesh

      Yes, you have to wonder how savvy some of the people on the register forum are when their solution to protect themselves against a piece of malware is to give another unknown application root access to their phone

  11. heyrick Silver badge

    The best response to malware is a permissions system that isn't broken

    With Android apps, permissions are take-it-or-leave-it. You do not have a say in the matter (I'm not including rooting your phone, most of the people at work wouldn't even understand that phrase never mind actually do it). Users NEED to be able to say "oi! no."

    I will give you an example. Orange France has an app called "Orange et moi" that tells you promotional rubbish, but can also report on your outstanding allocations for data and free voice calls. Among other stuff. [ https://play.google.com/store/apps/details?id=com.orange.orangeetmoi ] It used to tell me there was a newer version, but I could continue using the older one. Now it refuses, saying I can either upgrade or quit.

    Upgrade?

    Are you sitting comfortably? Here goes with the permissions it, a carrier-provided app, wants:

    Services that cost you money: directly call phone numbers; Your location: coarse (network-based) location, fine (GPS) location; Your messages: read SMS or MMS; Network communication: full Internet access; Your personal information: read contact data; Phone calls: read phone state and identity; Storage: modify/delete USB storage contents, modify/delete SD card contents; System tools: change Wi-Fi state, change network connectivity, prevent phone from sleeping; Network communication: view network state, view Wi-Fi state; System tools: automatically start at boot, measure app storage space; Default: directly install apps, modify battery statistics...

    The last one, about battery statistics, says "Not for use by normal apps" in its description. Anyway, are alarm bells ringing yet? Directly install apps? Read contact data? I'm sorry, I took a look at this list and deleted the app entirely. I'll use the website from now on.

    That I cannot tell this app to rein in its ambitions is a failing of Android; and an encouragement to app authors to drop in more permissions than are necessary. It is scary how much stuff wants to read your addressbook, and your only choice is to do without. There needs to be an option entitled "screw you and the horse you rode in on" so you can choose to install the app and you can tell it what it won't be doing. But since this means many would turn off internet access and location-based services (used by AdMob among others), I can't see Google doing this any time soon.

    1. Anonymous Coward

      Re: The best response to malware is a permissions system that isn't broken

      With Android apps, permissions are take-it-or-leave-it. You do not have a say in the matter (I'm not including rooting your phone, most of the people at work wouldn't even understand that phrase never mind actually do it). Users NEED to be able to say "oi! no."

      ----

      No, leaving the users in control only helps the knowledgeable users who are a decided minority. The vast majority of people will just approve anything presented to them automatically, whether it is an updated iTunes T&C that gives Apple ownership of your firstborn, a Windows UAC query, or an Android installation permissions request. It doesn't matter whether the app will still run without the permission, most people are going to automatically approve it no matter what it asks for.

      In order to be secure, the user has to be left with no choice. You leave an out that says "I know what I'm doing, let me override your choices" for the knowledgeable people (at least those who own the device in question) and the masses can be safely protected by virtue of not knowing how to flip the override switch.

      1. heyrick Silver badge

        Re: The best response to malware is a permissions system that isn't broken

        @ DougS: so rather than giving the user some modicum of control, even if most will gloss over this, you would prefer to be locked to the app defaults? You do know these permission requests are not approved or sanctioned; it is the app dev asking for said permissions and a nefarious dev may ask for more than is justified (on a sliding scale). How is it logical to say "can't permit the user to do anything about this because most users won't"? Using the lowest denominator in electronic security is a flawed premise from the outset.

    2. Dave Lawton
      Unhappy

      Re: The best response to malware is a permissions system that isn't broken

      There's an equivalent to this, if you're a T-Mobile customer. It's called TopApps. It is installed at some point after you fit the T-Mobile SIM, and the user can't remove it. It has all of the above, with the exception of 'modify battery statistics', and it nags every day about needing updates. I wish there was a way to permanently kill it.

  12. AfternoonTea
    Stop

    I assume by "Bad app's", they mean ppl/tw*ts who have not paid lip service.

  13. Anonymous Coward
    Trollface

    "disguised as the latest Roxio Angry Birds game"

    I see Roxio have branched out from CD burning software, eh?

  14. Anonymous Coward

    App Store Security

    I can't help feeling that if an app is in google's app store, paid or free, any user, including my mum, should know it will be safe. end of.

    1. lauri_hoefs

      Re: App Store Security

      This ^^

      It's a solution to a problem that shouldn't exist in the first place.

  15. mraak
    Gimp

    iPhone has no malware

    Because nobody uses it, so the malware creators don't have any incentives targeting iOS.

    1. Anonymous Coward

      Re: iPhone has no malware

      No, it has FEWER problems because it's a walled garden. You have the choice: use a walled garden which means you pay some money and some apps won't get in (read: the non-tech customers are safer by default), or choose an unchecked platform (in which I include a jailbroken iPhone because that too gives you freedom - but at a price).

      The problem with Android is a broken base model. It was by design developed to gather data (which is why few functions work until you feed it your identity, aka a Google account), NOT to keep you safe from abuse. The permission model is a laugh: you know full well that making an app look cute enough is all it takes for your average end users to say "yes" to all the privacy violations because most people have by now been conditioned to believe that "free" really exists.

      Not that I give Apple a way out here: enabling iCloud means you first have to allow ALL your data to be sent to their US servers before you can delete the bits you don't want.

      However, most importantly, I think anti-malware is a plaster over fundamental problems. Microsoft started a whole industry here because it couldn't get the basics right, and now Google is doing it all over again. Only this time it appears to be by deliberate design rather than incompetence. To me, there *are* no accidents at Google.

    2. Mark .

      Re: iPhone has no malware

      Indeed - it's interesting that the malware authors actually seem to have a clue as to which is really the dominant platform.

      Compared with unfortunately most mobile software developers - I recall that recent Register article on a survey which said most mobile developers value installed userbase size as most important when deciding what to develop for, yet bizarrely, most of them also said they developed for iphone. It's worrying that many software developers seem to be clueless as to the actual state of the market.

      1. Toothpick

        Re: iPhone has no malware

        I would have thought the majority of software developers would develop for the platform that would give them the best possible return for their efforts.

        Android may be the dominant platform, but if developing for it doesn't pay the bills, then why bother?

        Maybe they are not so clueless after all.
