Tuesday, January 27, 2009

Malware on Android: It has begun

No, it's not going to be yet another "I told you so" post. Though I did. :) You might have heard of the spread of the MemoryUp virus on Android-powered devices. There are numerous articles mentioning it (like this one ;), so let me cite one of them, from phoneArena:

"As strange as it may seem, a lot of users have complained of the MemoryUp app..."

What is so strange about this? Android's security model is an open invitation to malware authors: anyone can write an application and distribute it freely on Android Market. The secret is that although every application must be signed, it's not mandatory that the certificate used for signing be certified by a Certificate Authority. In other words, you can self-sign your own application. Accountability is lost.

"We’re more worried about the fact that such a harmful application has found its way to Android Market and has stayed unnoticed until now."

That's exactly how Android Market works. I'm surprised that you're surprised. Anyone can write and freely distribute their own programs, which may even be malware. Signing ought to prevent mass virus distribution, as long as signing certificates are certified by CAs (authors can be traced back and prevented from continuing malicious activity). Which is sadly not the case, see above.

"If it has managed to creep inside, wouldn’t there be a chance for others?"

It's not a question, I'm sure there will be more. Even though self-signed applications are limited as to what they're allowed to do, MemoryUp has shown us that this restriction is not enough.

The question is rather what could be done against this phenomenon. One option is that Google leaves it untouched: it will turn out very quickly whether a program is malware or not (well, unless it's a time bomb). Another alternative is to be stricter about what a self-signed app can do and allow only properly (i.e. CA) signed programs to act freely (after the user's confirmation, of course). The strictest option would, of course, be not to allow self-signing at all. I'm sure you've noticed that the last two options mean that developers would need to pay for (CA) signing. Which is against the principles of Android development.

Looking forward to Google's reaction,


1 comment:

Anonymous said...

The mobile app signing policy sometimes sucks. I bought a certificate from Thawte in order to sign a Midlet but you can imagine how many devices support it. Now I suggest people go ahead with the Java Verified or Symbian Verified programs, but it still takes time to get your app signed, and here you always have to sign for any update to your app.
I am not against the signing policy but there should be something secure and favorable for developers. The current policy really seems to limit open-source mobile; that's why Google came up with Android. I think most proprietary developers are afraid of what the open-source revolution can do.
I don't know what the MemoryUp app looks like but I think Google knows the developer and they may be pursued in law because that's a public crime like others.
What do you think of the I am Rich app from the iPhone app store?
That was just my point of view in these issues.

Nzeyimana Antoine
Mobile Application Developer
Pivot Access
Kigali - RWANDA