Google Android Security

Google May Soon Scan Your Android Apps For Malware

Posted by Soulskill
from the because-you're-clearly-not-capable dept.
An anonymous reader writes "Is Google planning on integrating an antivirus scanner into Android? A just-released Google Play store app update, as well as the company's recent acquisition of VirusTotal seem to hint that yes, Google is looking into it. 'Google yesterday started rolling out an update to its Google Play Store app: version 3.8.17 from August was bumped to version 3.9.16 in October. Android Police got its hands on the APK and posted an extensive tear down. The first change noted was the addition of new security-related artwork (exclamation icons and security shields) as well as the following strings: App Check 'Allow Google to check all apps installed to this device for harmful behavior? To learn more, go to Settings > Security.''"

  • Good enough for the time being: I know my responsibilities as end-user.

    • by VMaN (164134) on Saturday October 13, 2012 @05:20PM (#41644749) Homepage

      I'm a bit confused as to how these non-Google security apps are supposed to police your phone when they aren't running with escalated privileges...

    • by poetmatt (793785)

      sophos isn't a security app. it's something you install that you believe provides security. that's actually different.

      However, if you aren't installing from 3rd party app stores chances are low that there's anything of risk.

      • by fluffy99 (870997)

        sophos isn't a security app. it's something you install that you believe provides security. that's actually different.

        However, if you aren't installing from 3rd party app stores chances are low that there's anything of risk.

        Except that malicious or sneaky apps have been found in the regular Google Market. Some app manufacturers are even being sued for collecting and selling your contact data (http://www.veracode.com/blog/2011/04/mobile-apps-invading-your-privacy/ as an example). Most of these are just invading your privacy in the background and not doing overt malicious things. Much of the problem stems from apps asking (and secretly using) permissions they don't need. For example does a game really need access to your co

  • Does this mean that Android phones are now going to be slower?

    • I'd imagine this will work like a few of the download managers that scan files before executing them.
      • Doubt it. Google Play can scan the apps at the server end. And this string suggests it's looking for bad behaviour when the app runs:

        "App Check 'Allow Google to check all apps installed to this device for harmful behavior? To learn more, go to Settings > Security.''"

        • by Kurrel (1213064)
          Would they also check for, say, a Google Play paid app that had been cracked and manually installed? That fits some definition of malware.
          • by Shavano (2541114)
            Honestly, that deserves a warning. You aren't running the standard version of the app and Google has no way of knowing that whoever cracked the app didn't add some malware.
    • by Anonymous Coward

      It wouldn't be slower if they built it with VISUAL STUDIO (tm)

  • by epSos-de (2741969)
    Am I the only one who just wants to communicate without all the trouble? Smart phones brought us the troubles of having too much.
    • by thegarbz (1787294)

      Communicate? I agree. Though I am happy now to not carry dumbphone, PDA, MP3 player, GPS and camera all in my pants.

      I used to wear big baggy pants to hold my tech in. Now it's skinny jeans, hipster glasses, and a shiny glass one does it all device.

      • I am happy now to not carry dumbphone, PDA, MP3 player, GPS and camera all in my pants.

        Since when did PDA and MP3 player need to be separate? When smartphones allegedly took over from PDAs, PDAs had already gained multimedia playback. For example, the Archos 43 Internet Tablet, an Android-powered PDA, could play music and video and had a basic camera. Samsung would later introduce its own PDA, the Galaxy Player, that also included a GPS. So someone trying to save money on his cell phone bill need carry only two devices: a dumbphone and a PDA that doubles as a digital audio player, GPS, and ca

        • by thegarbz (1787294)

          How is that saving money? You end up with a PDA with no connectivity unless you get a dataplan anyway. If you can afford a PDA with all those features you can afford a smartphone. Take that smart phone and put it on a cheap prepaid plan with very little data and you will break even and have one less device in your pocket.

          As for the premise of a PDA and MP3 player needing to be separate, why should the phone need to be?

          • You end up with a PDA with no connectivity

            It has connectivity at any Wi-Fi AP whose key is published. This includes home, work, and restaurants, just not the bus.

            Take that smart phone and put it on a cheap prepaid plan with very little data

            Virgin Mobile USA has dumbphones with $5/mo "payLo" plans and smartphones with $35/mo "Beyond Talk" plans. Someone not yet ready to spring for that extra $360 per year might be willing to carry two devices.

  • by cimmerian (59932) on Saturday October 13, 2012 @06:02PM (#41645103) Homepage

    Instead of scanning the apps that I choose to install on my phone, why not just scan the apps they allow on their Play Store? Then, if people choose to install applications outside of the store, it'll be at their own risk. Also, scanning the app ONCE on their store makes more sense than redundantly scanning it millions of times on each user's phone.

    • What makes you think they don't already do that? They would be pretty stupid not to do that.

    • They already do that. Bouncer [blogspot.co.uk] scans all apps in the Google Play store for malicious software for known malware, spyware and trojans and also for behavior that may indicate an application is up to no good. It supposedly led to a 40% decrease in malware within the first few months of them running it.

      I presume the scanner they are integrating within the Play store client app is aimed at doing the same but with the benefit of also checking apps downloaded from other markets and sources.

      • by Nerdfest (867930)

        Scanning your phone would help out everyone using the OS, including people using other stores like Amazon's, or installing apps directly.

      • by fluffy99 (870997)

        They already do that. Bouncer [blogspot.co.uk] scans all apps in the Google Play store for malicious software for known malware, spyware and trojans and also for behavior that may indicate an application is up to no good. It supposedly led to a 40% decrease in malware within the first few months of them running it.

        I presume the scanner they are integrating within the Play store client app is aimed at doing the same but with the benefit of also checking apps downloaded from other markets and sources.

        Exactly. It's been shown that the majority of malicious apps are loaded from outside of the Google store, so this is an attempt to protect users who are using other sources. Google is taking a reputation hit, even though they aren't serving up the malicious apps.

        Bouncer is more like traditional antivirus, looking for specific known signatures and looking harder at apps that are requesting unusually high privileges. Most Windows antivirus software has the ability to monitor and report suspicious activity

    • by alen (225700)

      But then the phones won't need more ram than a server and quad core cpu's and the techtards won't be able to cream their pants dreaming of specs

  • by csumpi (2258986) on Saturday October 13, 2012 @06:23PM (#41645245)
    I think this is a good move. Instead of locking everyone into a single store, google can keep users free and safe.

    If only microsoft would've done the same two decades ago.
    • by Nerdfest (867930)

      It wouldn't have helped. The 'scanning' model is reactive for the most part, and you need to discover the malware before you can scan for it. Microsoft's biggest problem was no interest in security and a bad security model. Google's problem is that people don't read the permissions they're giving to the apps they install. (It's not Google's fault as such, but it is their problem).

      • by Dog-Cow (21281)

        NT's security model is excellent. It just took MS a while to start enforcing its usage.

        • by JDG1980 (2438906)

          NT's security model is excellent. It just took MS a while to start enforcing its usage.

          The NT security model is competitive with the Unix security model. But both of these models are out of date. Their fundamental flaw is that the program inherits the user's permission. That may have made sense in the 1970s on Unix when programs were a lot simpler, users were all reasonably experienced, and there was no such thing as downloading an .exe from the Internet. But it makes no sense now.

          UAC has been successful

          • by Legion303 (97901)

            "This at least opens the possibility that an alert user might notice malware asking for rights that it shouldn't need to have to fulfill its ostensible purpose."

            Like Angry Birds needing location info, for instance.

          • IMHO the android model of "give the requested privileges up or the app won't install" is far from ideal (from the POV of the user).

            I should be able to download an app, run it in a unionfs- aufs- chroot with default or bogus values for contacts, email, and so on.
            App developers are running the app on MY cellphone, so ME and not you, nor Google, decide what data you should be allowed to extract.

            If only smartphones were not marketed to spy on the buyer instead of working for him :)

      • It's not Google's fault as such, but it is their problem

        Yes it is Google's fault for implementing a take-it-or-leave-it approach to permissions. Eg if I install a flashlight app, I should be able to agree to permission to keep the device awake, but not to access my location and SD card or have full internet access.
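The flashlight complaint above can be checked mechanically. As an added example (not code from any commenter or from Google), this Python script diffs the permissions in a decoded AndroidManifest.xml against a per-category baseline; the baselines, the `audit` function and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded AndroidManifest.xml live in this namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Hypothetical per-category baselines chosen for this example; not a Google policy.
BASELINE = {
    "flashlight": {"android.permission.CAMERA", "android.permission.WAKE_LOCK"},
    "game": {"android.permission.WAKE_LOCK", "android.permission.INTERNET"},
}

# Permissions that expose the personal data commenters worry about.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

def audit(manifest_xml, category):
    """Return the permissions a manifest requests beyond its category baseline."""
    if category not in BASELINE:
        raise ValueError(f"no baseline defined for category {category!r}")
    root = ET.fromstring(manifest_xml)
    requested = set()
    # Both element names declare a requested permission.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:  # skip malformed entries with no android:name
                requested.add(name)
    excess = requested - BASELINE[category]
    return {
        "package": root.get("package"),
        "excess": sorted(excess),
        "sensitive_excess": sorted(excess & SENSITIVE),
    }

# Constructed sample manifest (decoded text form), not taken from a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission-sdk-23 android:name="android.permission.INTERNET"/>
  <uses-permission/>
</manifest>"""

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, "flashlight")
    print(report["package"], "requests beyond baseline:", report["excess"])
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text before a parser like this can read it.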

    • Subtle. Very subtle. For those who don't remember, MS-DOS v6.0 shipped with Microsoft AV 20 years ago. Clearly it didn't keep people safe from viruses.

      I've often said Android is the Windows of the phone world. Maybe it's worse...

      • by tuppe666 (904118)

        Subtle. Very subtle. For those who don't remember, MS-DOS v6.0 shipped with Microsoft AV 20 years ago. Clearly it didn't keep people safe from viruses.

        I've often said Android is the Windows of the phone world. Maybe it's worse...

        Hi Apple user :) You are aware that this is simply an extra layer of protection. Does your precious Apple offer this functionality especially for those people who have chosen to bypass Apple's overreaching limitations?

        • Hi Apple user :) You are aware that this is simply an extra layer of protection.

          I'm happy it's one the iPhone doesn't require. Who wants a phone that requires a virus checker?

          • by tuppe666 (904118)

            I'm happy it's one the iPhone doesn't require. Who wants a phone that requires a virus checker?

            I personally want a secure phone.

            "A Russian-language app called Find and Call, which was available in both the Apple App Store and Google Play, has been discovered to be the cause of the bug, Wired reported. Kaspersky antivirus experts were responsible for finding the culprit, which is essentially a Trojan that steals and uploads the user's address book to a remote server."

            • The thing is that the only way to catch a trojan like that is for a human to identify it as such, and then do something to combat it. There are after all apps that legitimately upload the users contacts. The only way to distinguish the good app doing what's intended from the trojan is to apply human intelligence.

              The virus checker needs a person to decide it's malware, and add the signature to a database, for the user to get that updated database, and then scan the apps.

              Apple needs a person to decide it's ma

    • If only microsoft would've done the same two decades ago.

      If Microsoft had done the same two decades ago, we'd have accused them of monopoly abuse.

  • by Skapare (16644) on Saturday October 13, 2012 @07:31PM (#41645741) Homepage

    The real issue is apps with malicious design intentions ... like ones that track your activity for advertising.

    • by Anonymous Coward

      Tracking what I like or don't like is ideal since I don't care about viagra or sports cars. So I would much rather get an advertisement telling me to go buy a family guy dvd box set or an anime that I like than stuff I don't like. What I don't like is how some applications will advertise and run in the background of your phone. It's annoying to get a notification every 10 minutes about an advertisement but thankfully Ad Network Detector is pretty decent at finding out what does that. Read reviews before you ins

      • by causality (777677)

        Target advertising isn't necessarily a bad thing unless the government gets involved.

        They usually do that after the company has built up a nice, big, robust, relevant database full of information that the government would have had difficulty obtaining on its own.

        Plenty of real criminals have been caught with the aid of data that Google had collected about them. This saves the cops some of the effort of doing real police work. The problem is, the same techniques could be used against "undesirables" as well.

        Not to mention, the very idea that I need someone else to tell me what I want

      • Tracking what I like or don't like is ideal since I don't care about viagra or sports cars. So I would much rather get an advertisement telling me to go buy a family guy dvd box set or an anime that I like than stuff I don't like.

        This attitude continues to astound me. "I would like marketers to know more about me, so that they can use more effective mind control techniques to influence my purchasing behavior."

    • I've seen games that NEED access to SMS text, your contacts, pictures, GPS, etc. (e.g. Tetris that needs Internet access)

      What Android really needs is both a way to block permissions WITHOUT rooting *and* someone with a brain that stops these things from making it in the store in the first place.

      Will it happen? HELL NO.
      Your lack of privacy is WAY too profitable.

    • by Clsid (564627)

      The real issue is apps with malicious design intentions ... like ones that track your activity for advertising.

      Pretty much like Google right? I bet that they wouldn't mind to report back to HQ to see what people are using on their phones when they don't use the Play Store.

  • I had always assumed that there was an approval process that looked for this type of stuff. I guess I was wrong?
  • Mobile phones should not require software like Norton anti-virus so Android's already failed there. But I don't think this tackles a bigger concern. A lot of apps ask for too many permissions and users' data is taken. You should be able to manage individual permissions. At a guess Google isn't going to do anything about that.
    • You already can revoke permissions (in cyanogen at least), but it usually breaks the app. What we actually need is to be able to sandbox the app, and grant permissions only to "fake" data. Eg the app can have my phone number (but not the true one), or my position (but be hardcoded where I put it), or access the internet (but always get faked 404s), etc.

  • by CuteSteveJobs (1343851) on Sunday October 14, 2012 @05:14AM (#41648149)
    The Google Play store does not say whether or not a 'free' app contains ads - especially the distracting blinking banner ads. It's fine for developers to do this and users may accept it rather than buying the app, but developers should disclose it up front. I get sick of downloading apps only to delete them. Plus many 'free' apps want access to your phone state, so they can see your phone number, who you call, and when you call them. Sneaky:

    And take the children's drawing game which serves up adult ads
    Hannah-Siobhan - September 13, 2012 - Good basic game. Shame for the adverts my kids can click on, needs to have a lock screen option.
    kristen - September 29, 2012 - Not kid friendly ads - Good time waster for kids, but the ads contain mature content, I saw buttocks yesterday...
    Laura - September 19, 2012 - Version 4.0.1 - Disappointed - They show poor judgement with their advertising. With inappropriate pictures I cannot let my children use this app.
    https://play.google.com/store/apps/details?id=virtualgs.kidspaint [google.com]
  • Oblig Doonesbury strip, Oct 14, 2012: http://www.gocomics.com/doonesbury [gocomics.com]
