New Google Play policy to thwart bait and switch malware on Android

Android is the home of mobile malware, with 99% of all mobile malware targeting the Google operating system. The primary reason for this is Google’s ‘open’ policy, or more specifically its allowance of side-loading (the installation of apps from non-official sources). The company tries to ensure that apps delivered via the official Google Play Store are malware free – but there is a bait and switch loophole.

Clean apps can be submitted and accepted by Play (the bait); but updates can then be side-loaded direct from the developer (the switch). Those updates have no protection from Google. If the developer had dubious intent from the outset, or if he has subsequently been compromised, then malware or spyware can be installed.

That loophole was closed Friday by the simple addition of one sentence to the Google Play Developer Program Policies. At the end of the section titled Dangerous Products is the addition: “An app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play's update mechanism.” It places greater onus on Google spotting and preventing malware; but makes it much harder for bad actors to get in via the side-loading side door.

There has been some suspicion that this is primarily directed at the expected Facebook Home app; and there is certainly little love lost between perhaps the world’s two biggest software rivals. “The change does appear to be aimed at Facebook,” suggests The Register, “which in March began testing a version of its Android app that can download security fixes and feature updates automatically in the background, via a ‘silent update’ feature.” 

It may well be that Facebook’s behavior was the final straw, when the company ‘secretly’ experimented with the silent updates. “Facebook started updating their APK and code with no explicit permission from the user,” reported TechnoBloom yesterday, “which was both alarming and irritating since they were not prepared for the battery consumption and the data consumption caused by the hidden updates. What made this change even scarier was the fact that Facebook practically announced that this was entirely possible and completely legal.” 

Those silent updates will now not be allowed unless they first go via the Play Store.

If Facebook really is the reason for Google’s new policy, it won’t work. The policy will only apply to apps downloaded from the Play Store. Side-loaded apps are not included – so if Facebook Home is downloaded direct from Facebook, or from, say, the Amazon Appstore, ‘silent updates’ will still be possible. It is more likely that Google is genuinely attempting to evolve a more secure environment for Android – and if Facebook is caught in the cross-hairs, that’s just a happy coincidence.
