Tuesday, January 31, 2012

Google "failing to protect Android users"

Google has been criticised for failing to protect its growing number of Android phone and tablet users from security threats which are stealing people's information and costing them money.

Google has been the subject of criticism before for failing to vet applications distributed through the Android Market. But the problem for users is rising and while there is some advice consumers can follow there is no guarantee of avoiding malware.

Computer users have long been the target of virus attack, trojans and worms. But with the rise of ever sophisticated mobile devices, malware creators are homing in on this new user base.

Apple attempts to shield users from such threats by vetting anything that is available for the iPhone through its online store. While it has resulted in criticism of a "walled garden" concerning what is allowed to be run on Apple devices, it has arguably meant greater security for those using iPhones and other Apple devices. However some suggest it may give a false sense of security, relying on Apple to approve safe applications rather than by consensus or the individual user.

Google allows anyone to make their apps available, without it first being vetted. While it has meant greater innovation, and a wider range of applications, it has also increased the risk of downloading a malicious piece of software. Google's open approach allows users to monitor and review the apps, including analyzing the code, something not offered by Apple. While there is undoubtedly a risk, at least one security research firm, Lookout, says Android's applications are less problematic than Apple's.

But with the apparent rise in malicious applications landing on Android phones, some are calling on Google to strengthen their security procedures. Writing on the technology website ZDNet Adrian Kingsley-Hughes says that it was time Google started taking security much more seriously. It is not a new problem. Last year security firm McAfee said that malware was increasing exponentially on Android devices [ZDNet] but said there were some measures users could do to prevent being scammed.

The main piece of advice is to check the permissions and look for suspicious requests which grant access to the hardware and software components on the device, like contacts, camera and location. If something in the permissions screen does not look right, it is advised not to install that app. For example, a game or alarm clock app probably should not need to access contacts or have the ability to transmit that data from a device.

McAfee and others in the security industry also advise users only download apps from legitimate sources such as Google's Android Market. But since some of the malicious applications have been distributed through this conduit, this is not a guarantee to avoiding malware.

And despite suggestions of installing anti-virus software, some have cried foul, claiming some are less than useless. In fact there are some who have labelled those marketing Android security software as being nothing less than scammers and charlatans [ZDNet].

Indeed a report on ZDNet last year points to evidence from malware testing specialists AV-Test.org [PDF] which point to quite shocking failures in terms of anti-malware software detecting risks.

Of course this report concerns only some of the free anti-malware apps available and did not evaluate those by reputed firms McAfee or Norton, which although expensive might protect users.

It is a potential time-bomb for Android, Google and its users [ZDNet]. Android may be outselling other devices at the moment but the threat from malware could be its undoing. In fact Windows Mobile have even used the malware threat in a marketing strategy by offering Android users hit by viruses the chance to win a Windows Mobile device [ZDNet].

Many are drawn to Android because so many of the apps are free. However these apps are often funded by advertising being displayed which could itself pose a security risk [ZDNet].

The latest run of what Symantec calls Counterclank may have affected only a small number of individuals but it is further sign the situation is getting out of hand. A report this week suggests that some 5 million people might be infected by recent attacks [gmanetwork / WSJ], though there is disagreement as to whether recent 'attacks' are just 'aggressive advertising' [Guardian].

It is clear that the situation needs to be addressed and fast before bad publicity kills off what is otherwise an amazing piece of technology.

tvnewswatch, London, UK

No comments: