Android is becoming a magnet for malware creators

ONCE CONFINED to Chinese and Russian mobile forums, Android malware is now finding its way onto Google's Android Market. It is becoming increasingly dangerous and there's no end in sight.

According to security researchers at Lookout, just last Friday Google removed four apps from the Android Market because they bundled a version of the 'Droid dream Light' Android Trojan.

The first version of this threat was discovered back in March and a more simplified variant appeared in June. In all three cases, the author spread it on the Android Market by repackaging legitimate applications together with the Trojan.

Google has proven itself capable of responding quickly to abuse reports, but this reactive approach will not help prevent attacks. Compared to Apple's App Store, the Android Market has fewer restrictions and the app publishing process is mostly automated.

This model might be friendlier for developers and save Google resources but at the same time it's putting users at risk. And things are only going to get worse with malware becoming more criminally oriented.

For example, security researchers from Fortinet warned a few days ago of a Zeus component that targets Android users. Zeus is one of the oldest and most successful banking Trojans in existence, having been used to steal money from the bank accounts of users and companies alike for years.

Banks are wising up to it and are increasingly adopting multi-factor authentication methods. Some online systems now require each transaction to be confirmed by typing a unique code sent by SMS to the account owner's mobile phone.

In order to capture these codes, known as mobile transaction authentication numbers (mTANs), Zeus gangs have created mobile malware that spies on the victim's SMS messages. Such Trojans are available for all mobile operating systems, including Android.

While 'Trojanizing' apps is currently the most common method of infecting users on the Android operating system, security researchers expect other techniques that require less user interaction to gain ground.

"Trusteer has just released figures predicting that within 12 to 24 months over 1 in 20 (5.6 [per cent]) of all Android phones and iPads/iPhones could become infected by Mobile malware if fraudsters start integrating zero-day mobile vulnerabilities into leading exploit kits," warns Trusteer CEO Mickey Boodaei.

Without counting Iphones and Ipads into the equation, the expectations for Android are probably much worse, because, when it comes to security updates, Google's mobile operating system is extremely fragmented.

Apple delivers security updates directly and the majority of its customers are running the latest IOS version. However, with Android, patches are first made available to manufacturers who then apply them to their own Android builds and deliver them with the help of carriers. This operation can take months; not to mention that support for Android phones is dropped very quickly.

Android might be growing to become the king of mobile operating systems, but it can also turn into a security nightmare if Google doesn't take proactive steps to remove these attack vectors and fix its shortcomings as quickly as possible. µ