SOFTWARE DEVELOPER Google has been caught out by lax security design in its Android operating system as highly aggressive malware has been discovered on the Android Market.
At least 21 applications were found to contain malware that rooted Android devices without the user's consent and sent IMEI and IMSI numbers, product IDs, model, partner, language, country and user IDs. Most worrying of all was the ability of the rogue applications to download code and run it.
Google has since removed the offending applications from the Android Market, but only after they had been downloaded 50,000 to 250,000 times in the past four days. Google also automatically removed the offending applications from Android devices remotely. However, given that the applications can download code, there's no word on whether Google can completely remove that downloaded malware remotely.
The ability to 'sideload' code is an embarrassment for Google that makes a mockery of its so-called sandboxing of Android applications that run as byte-code under its Dalvik regime, which Google claims is similar to but not derived from Java.
Given that the firm does not pre-approve applications prior to their appearance on the Android Market, a move that Google says encourages innovation, the onus is on Google to make sure that Android's internal security is up to scratch. But, with the discovery of these Android malware applications, the giant search engine, ad broker and software development firm has seemingly failed both spectacularly and catastrophically.
Since Android applications are able to gain root, or administrator, access to Android devices, steal information and even remotely download and execute code without explicit user authorisation, Google might well have to step back and reassess its security architecture for its Android mobile operating system. At the very least, it might have to implement further precautions if it wants to keep its rapidly expanding Android operating system secure, along with its reputation for providing reliable, safe software.
Such vulnerabilities will not only put Android in a very bad light but they will encourage users to choose closed, proprietary software, such as that deployed by Apple and even Microsoft. While Google's open attitude toward Android is commendable, it must realise that as the number of Android devices grows, the platform will become a target for malware coders. It should also acknowledge that it should have designed appropriate security safeguards for users into its Android operating system from the very outset, that not to have done so was a grave security failure, and that it needs to redress and resolve that if it hopes to deserve the trust of its users.
Developers and users will have to wait and see what steps Google will take in order to secure its Android operating system against similar attacks.
Google was unavailable for comment at press time. µ