“From our analysis,” writes Symantec, “the 11 newly discovered apps are published under the name ‘Miriada Production’ and are identical to the apps published under the name ‘Logastrod’. These apps are capitalizing on popular game titles, and masquerade as these games, but in fact they just send two texts to premium-rate, local SMS numbers in the country where the SIM card is registered.”
ESET’s David Harley thinks Google should be more proactive in the security of Android apps. It should “take some responsibility for apps distributed through the Android market,” he comments, “and do some proactive checking. It’s a bit late to exercise the sort of iron control on distribution channels that Apple tries to implement, but the company can at least start checking apps and make it clear in its own PR which channels can be considered reasonably trustworthy.”
“Google could also make it more difficult to become an Android developer,” claims Graham Cluley from Sophos. “At the moment it's far too easy to publish apps straight to the Android market. As Sophos's Vanja Svajcer said, the cost of becoming a developer and being banned by Google is much lower than the money that can be earned by publishing malicious apps.”
But users should also take some personal responsibility. They should “consider whether they need to install some form of security program,” adds Harley, while warning that some of the widely used free security apps are not really very good. Even then, installing security software, he continues, “doesn’t mean that you will be safe to install anything just because you have some sort of anti-malware.”
Symantec also points out that users must choose to allow the apps’ requested permissions before they can be installed. “Understanding these permissions can help users avoid applications which make unnecessary requests.” Outgoing SMS, for instance: why, asks Cluley, would a game need to be able to send SMS messages?
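The permission check that Symantec and Cluley describe can be applied before installation rather than after the fact. The script below is an added example written for this article; it is not code from Symantec, Sophos or Google. It assumes an AndroidManifest.xml that has already been decoded from an APK into plain XML (as tools such as apktool produce), and it runs against a constructed sample manifest for a fictitious game, not any of the apps named in the article. It lists every permission the app asks for and flags the SMS-related ones that a game has no business holding.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that let an app send, read or intercept text messages.
# A game requesting any of these deserves a second look before installing.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
}

# Constructed sample manifests (hypothetical package names, not real apps).
# The first mimics a "game" that also wants to send and receive SMS.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Example Game"/>
</manifest>
"""

# The second is a game that only needs network access.
CLEAN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.honestgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Honest Game"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the sorted list of permissions declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return sorted(
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    )


def sms_permissions(manifest_xml):
    """Return only the SMS-related permissions the manifest requests."""
    return sorted(set(requested_permissions(manifest_xml)) & SMS_PERMISSIONS)


def review(manifest_xml):
    """Summarise the manifest: package name, SMS permissions found, verdict.

    The verdict is 'REVIEW' when any SMS permission is present and 'OK'
    otherwise; it is a prompt for a human to ask why, not a malware verdict.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    flagged = sms_permissions(manifest_xml)
    return {
        "package": package,
        "requested": requested_permissions(manifest_xml),
        "sms_flagged": flagged,
        "verdict": "REVIEW" if flagged else "OK",
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, CLEAN_MANIFEST):
        result = review(manifest)
        print("%-28s %-7s %s" % (result["package"], result["verdict"],
                                 ", ".join(result["sms_flagged"]) or "-"))
```

The check is deliberately narrow: it does not decide whether an app is malicious, it only surfaces the mismatch between what an app claims to be (a game) and what it asks to do (send texts), which is exactly the question Cluley wants users to ask.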
Google responded to the discovery by ‘promptly’ removing the malicious apps from the Android Market. Harley doesn’t think this is enough. Google “needs to prove it cares about its customers’ safety. ‘We’ll remove anything malicious when tens of thousands of you have reported it’ isn’t really good enough when Apple have already set a much higher standard.”
In September, ENISA, the European Network and Information Security Agency, produced a new report: Appstore security – 5 lines of defence against malware. One of its strongest recommendations was that the app store itself should undertake rigorous reviews of the apps it provides. Apple takes more care over this than Google does with Android. That is a marketing decision on both sides. Apple keeps its security close to its chest: security is one of its selling points. Android’s selling point, by contrast, is the sheer quantity of available apps. It means, however, that Android becomes dependent on third parties, such as Symantec, to provide the app security review after the horse has left the stable.