Thursday, March 3, 2011

Android Marketplace Apps Removed by Google

For quite some time now, I and others have been speaking out about the risks of the Android application marketplace as an un-vetted "wild west" for software.

The essence of the problem is simple: anyone can post software there, without any review of its actual content and behavior. The overarching security model is that an application must request certain capabilities at installation (for example, the right to access address book information or to send text messages) and the user must approve them; this is meant to give the user security control. The problem with this model is that broad capability requirements are very common in legitimate applications, so users come to assume that the capabilities requested are both needed and will be used "appropriately" by the application. Neither is necessarily true, particularly with applications that are intentionally malicious.

Today we have the news that a significant number of applications with large numbers of downloads were, in fact, malware attempting to gain root-level access to the device and steal confidential information off the phone.

http://www.cnn.com/2011/TECH/mobile/03/02/google.malware.andriod/index.html?hpt=T2

It's important to keep in mind that there are three types of parties involved in Android security issues. The first is, of course, the consumer and the individual business user, whose concern is the ability to use applications that provide incremental value without worrying about malware. The second is businesses themselves, which must field these devices with their staff for productivity reasons and have to balance the need to enable them with productivity applications against the need to ensure device security. This is particularly necessary given the business data likely to reside on the device. Lastly, there are the application developers (sometimes the same businesses fielding such devices), who have to be concerned about the risk of their software being compromised with malware, and potentially their brand being compromised as a result of re-distribution of their application with malware injected into it.

The heart of the problem leading to this action by Google is, first, the lack of any review practices for the Android marketplace. Some are suggesting a "vetted" Android marketplace as a solution; meanwhile, some larger enterprises are constructing their own "vetted and approved" download areas for Android applications on employee business devices. Given this recent action, it's not hard to see why such an approach is needed for large corporate deployments of Android devices into the workforce.

The second problem is the lack of any software protections in the application software itself. We at Arxan have been ringing this bell for some time, and while those with obvious code-security concerns do take active steps to secure their application code with intrinsic protection (media players, payment system software, banking software, etc.), others do not. This enables exactly the situation above: hackers can casually lift an application, reuse or modify the binary-level code, and republish it. The result: rapid and effective malware distribution to a huge base of Android device users.
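The vetting check that the enterprise "vetted and approved" download area above implies, as an added example (not Arxan's or Google's code): it pins, per package name, the developer's signing-certificate fingerprint and the permission set that was reviewed at first approval, so a repackaged copy that keeps the same package name and the same permissions is still caught by the signer mismatch, which a permission-only review of the kind described above would miss. The certificate bytes, package name and permission lists are constructed stand-ins; a real pipeline would read the certificate from META-INF/*.RSA inside the APK.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for the DER signing certificates of a real APK.
VENDOR_CERT = b"constructed cert: Example Player Inc. release key (2010)"
CLONER_CERT = b"constructed cert: unknown republisher key"

def signer_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes, as keytool/apksigner print it."""
    return hashlib.sha256(cert_der).hexdigest()

@dataclass(frozen=True)
class AppRecord:
    package: str            # Android package name
    permissions: frozenset  # <uses-permission> entries from the manifest
    signer: str             # fingerprint of the certificate that signed the APK

@dataclass(frozen=True)
class PinnedApp:
    signer: str                      # developer key recorded at first approval
    baseline_permissions: frozenset  # permission set that was reviewed

def vet(app: AppRecord, pins: dict) -> list:
    """Findings for one submitted APK; an empty list means it may be published."""
    pin = pins.get(app.package)
    if pin is None:
        return ["package not on the approved list"]
    findings = []
    if app.signer != pin.signer:
        # Same package name and permissions but a different key is what a
        # lifted, modified and republished binary looks like.
        findings.append("signing certificate does not match the pinned developer key")
    extra = app.permissions - pin.baseline_permissions
    if extra:
        findings.append("permissions beyond the reviewed baseline: " + ", ".join(sorted(extra)))
    return findings

# Constructed sample data: the approved media player and two repackaged copies.
BASE = frozenset({"android.permission.INTERNET", "android.permission.WAKE_LOCK"})
PINS = {"com.example.player": PinnedApp(signer_fingerprint(VENDOR_CERT), BASE)}
GENUINE = AppRecord("com.example.player", BASE, signer_fingerprint(VENDOR_CERT))
CLONE = AppRecord("com.example.player", BASE, signer_fingerprint(CLONER_CERT))
GREEDY_CLONE = AppRecord("com.example.player",
                         BASE | {"android.permission.SEND_SMS"},
                         signer_fingerprint(CLONER_CERT))

if __name__ == "__main__":
    for app in (GENUINE, CLONE, GREEDY_CLONE):
        print(app.signer[:12], vet(app, PINS) or ["approved"])
```

CLONE declares exactly the permissions the genuine app does, so a reviewer looking only at the capability list would approve it; only the pinned signer exposes it.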

The solution isn't overly difficult: protect your applications from reverse engineering and tampering! Arxan and others provide powerful technologies to accomplish this. While this won't secure the Android marketplace itself, it will help ensure that YOUR software isn't cloned and published under a similar function or brand name with malware inserted.