Google May Soon Scan Your Android Apps For Malware

An anonymous reader writes "Is Google planning on integrating an antivirus scanner into Android? A just-released Google Play store app update, as well as the company's recent acquisition of VirusTotal seem to hint that yes, Google is looking into it. 'Google yesterday started rolling out an update to its Google Play Store app: version 3.8.17 from August was bumped to version 3.9.16 in October. Android Police got its hands on the APK and posted an extensive tear down. The first change noted was the addition of new security-related artwork (exclamation icons and security shields) as well as the following strings: App Check 'Allow Google to check all apps installed to this device for harmful behavior? To learn more, go to Settings > Security.''"

Already installed Sophos on my phone

[Jerry Smith]

Good enough for the time being: I know my responsibilities as end-user.

Re:Already installed Sophos on my phone

[VMaN]

I'm a bit confused as to how these non google security apps are supposed to police your phone when they aren't running with escalated privileges...

Re:

[gl4ss]

I guess they just check which packages you have installed, don't need root for that.

Re:

[L4t3r4lu5]

Doesn't the play store run with escalated privileges in order to install apps?

Re:

[helix2301]

I think Google needs to start moderating apps better

Re:

[rleesBSD]

"... aren't running with escalated privileges ..." [ Or so you think. ]

You'll run into it

[Anonymous Coward]

Hmm... odd. I want to see this mythical Android virus.

Don't worry, sooner or later you'll bump into one [yahoo.com].

Re:

[poetmatt]

sophos isn't a security app. it's something you install that you believe provides security. that's actually different.

However, if you aren't installing from 3rd party app stores chances are low that there's anything of risk.

Re:

[fluffy99]

sophos isn't a security app. it's something you install that you believe provides security. that's actually different.

However, if you aren't installing from 3rd party app stores chances are low that there's anything of risk.

Except that malicious or sneaky apps have been found in the regular Google Market. Some app manufacturers are even being sued for collecting and selling your contact data (http://www.veracode.com/blog/2011/04/mobile-apps-invading-your-privacy/ as an example). Most of these are just invading your privacy in the background and not doing overt malicious things. Much of the problem stems from apps asking (and secretly using) permissions they don't need. For example does a game really need access to your co

Re:

[cbiltcliffe]

Last time I ran antivirus was 10 years ago, too, and I still run Windows.
Take your egotistical smugness and stick it where the sun doesn't shine. There's malware for every OS, including OS X. Are the OS X malware samples trojans that are installed by user choice? Sure. Exactly the same as Android.

Re:

[RocketRabbit]

There is no real malware in the wild on OS X. Every year or two a proof-of-concept trojan gets trotted out as proof that OS X is insecure, or somebody brings up the PWN2OWN competitions, but by and large there is very little to worry about security-wise on OS X.

On Windows, though, you're totally fucked by malware at every opportunity. The only way to avoid it is to unplug the internet.

Re:

[RocketRabbit]

I heard that it infected 8 computers, not 8% of the Macs out there.

Besodes, nobody thinks the Macs are immune to viruses - merely that there aren't any worth talking about.

Re:

[toriver]

I think you vastly underestimate their sales figures.

Re:

[__aaltlg1547]

It's not immune. It's just relatively safe, to the point where a typical user can run Mac OS X with no extraneous security software. I own a Mac. The MOMENT I discover that the threat level approaches 1% of what it is on Windows, I'll start looking for some decent security software. But until then, it's not worth the trouble, expense, lost processor cycles or lost brain cycles.

Re:

[BasilBrush]

Last time I ran antivirus was 10 years ago, too, and I still run Windows.

Then your PC is likely to be part of a botnet. You're probably part of the spam problem.

There's malware for every OS

There are diseases for every person. Does that mean every person is as susceptible to disease as everyone else.
Everybody makes spelling mistakes. Does that mean that everyone can spell equally?

Re:

[tuppe666]

Last time I used a virus scanner: 10 years ago when I abandoned Windows for OSX.

Android is the Windows of mobile phones. More so than Windows Phone is!

No Android is the Android of mobile phones, and seems to be proactive in keeping the platform clean. First we had Bouncer and now this. I suspect Apple is not so studious with its liberated phones. Apple has had virus on those since 2009 I notice.

Re:

[tepples]

BasilBrush will probably say that Google isn't being proactive enough as long as it lets apps onto Google Play Store that haven't been vetted by a person.

Re:

[BasilBrush]

Reacting to the deluge of malware on Android by coming out with virus checkers is not being proactive. By definition it's being "reactive".

Apple has had virus on those since 2009 I notice.

iOS has never had a virus.

Re:

[dudpixel]

Reacting to the deluge of malware on Android by coming out with virus checkers is not being proactive. By definition it's being "reactive".

Apple has had virus on those since 2009 I notice.

iOS has never had a virus.

Sorry to be pedantic, but I think you mean "the App store". iOS has certainly had virii. I could write one myself if I wanted to.

Re:

[BasilBrush]

No, I meant iOS. And no you couldn't.

Re:

[dudpixel]

probably depends on your definition of "virus".

If you mean one that replicates to other handsets, then I guess Android hasn't had one either.

All I'm saying is that anyone can download XCode for free and write a malicious app and then install it on their iPhone. I'd be willing to be this has been done more than once, which is all that is required to disprove "never".

You seriously cannot mean that no one ever has written a virus for iOS (you used different wording, but if this is not what you meant then what

Re:

[BasilBrush]

probably depends on your definition of "virus".

http://en.wikipedia.org/wiki/Computer_virus [wikipedia.org]

All I'm saying is that anyone can download XCode for free and write a malicious app and then install it on their iPhone.

Which wouldn't be a virus. Nor would it be a malicious app, it'd be an app that did exactly what you intended it to do, on your own phone.

You have no way of running it on anyone else's iPhone unless they register it as a development device, or you get hold of the phone, get past any PIN set, and register it. And then manually install the app. And then the app has no way of running, unless the user manually runs it. And it has no way of in the background to do mal

Re:

[JackAxe]

Last time I had a virus, it was back in 1998 on my Beige G3 Mac tower running System 8. It was the sparkle virus that took advantage of Quicktime's newly added auto-run feature. I got it from the work computers.

I've not had a virus since then on my Macs, PCs, nor any of my Android phones or tablets. The same goes for my wife. It's called common sense when it comes to computing.

As far as Android being Windows... It is in the sense of being open, very flexible, and offering some of niceties that a des

Slow?

[SuperMooCow]

Does this mean that Android phones are now going to be slower?

Re:

[metalmaster]

I'd imagine this will work like a few of the download managers that scan files before executing them.

Re:

[BasilBrush]

Doubt it. Google Play can scan the apps at the server end. And this string suggests it's looking for bad behaviour when the app runs:

"App Check 'Allow Google to check all apps installed to this device for harmful behavior? To learn more, go to Settings > Security.''"

Re:

[Kurrel]

Would they also check for, say, a Google Play paid app that had been cracked and manually installed? That fits some definition of malware.

Re:

[__aaltlg1547]

Honestly, that deserves a warning. You aren't running the standard version of the app and Google has no way of knowing that whoever cracked the app didn't add some malware.

Re:

[Anonymous Coward]

It wouldn't be slower if they built it with VISUAL STUDIO (tm)

Re:

[SuperMooCow]

Or with GAMEMAKER!

Sorry, I couldn't resist!

samsung or dambfunk

[epSos-de]

AM I the only one who just wants to communicate without all the trouble. Smart phones brought us the troubles of having too much.

Re:

[thegarbz]

Communicate? I agree. Though I am happy now to not carry dumbphone, PDA, MP3 player, GPS and camera all in my pants.

I used to wear big baggy pants to hold my tech in. Now it's skinny jeans, hipster glasses, and a shiny glass one does it all device.

Play MP3s on your PDA

[tepples]

I am happy now to not carry dumbphone, PDA, MP3 player, GPS and camera all in my pants.

Since when did PDA and MP3 player need to be separate? When smartphones allegedly took over from PDAs, PDAs had already gained multimedia playback. For example, the Archos 43 Internet Tablet, an Android-powered PDA, could play music and video and had a basic camera. Samsung would later introduce its own PDA, the Galaxy Player, that also included a GPS. So someone trying to save money on his cell phone bill need carry only two devices: a dumbphone and a PDA that doubles as a digital audio player, GPS, and ca

Re:

[thegarbz]

How is that saving money? You end up with a PDA with no connectivity unless you get a dataplan anyway. If you can afford a PDA with all those features you can afford a smartphone. Take that smart phone and put it on a cheap prepaid plan with very little data and you will break even and have one less device in your pocket.

As for the premise of a PDA and MP3 player needing to be separate, why should the phone need to be?

Extra $360 per year

[tepples]

You end up with a PDA with no connectivity

It has connectivity at any Wi-Fi AP whose key is published. This includes home, work, and restaurants, just not the bus.

Take that smart phone and put it on a cheap prepaid plan with very little data

Virgin Mobile USA has dumbphones with $5/mo "payLo" plans and smartphones with $35/mo "Beyond Talk" plans. Someone not yet ready to spring for that extra $360 per year might be willing to carry two devices.

Don't scan my phone, scan your store.

[cimmerian]

Instead of scanning the apps that I choose to install on my phone, why not just scan the apps they allow on their Play Store? Then, if people choose to install applications outside of the store, it'll be at their own risk. Also, scanning the app ONCE on their store makes more sense than redundantly scanning it millions of times on each users phone.

Re:

[ThatsMyNick]

What makes you think they dont already do that? They would be pretty stupid not to do that.

Re:

[monkeyhybrid]

They already do that. Bouncer [blogspot.co.uk] scans all apps in the Google Play store for malicious software for known malware, spyware and trojans and also for behavior that may indicate an application is up to no good. It supposedly led to a 40% decrease in malware within the first few months of them running it.

I presume the scanner they are integrating within the Play store client app is aimed at doing the same but with the benefit of also checking apps downloaded from other markets and sources.

Re:

[Nerdfest]

Scanning your phone would help out everyone using the OS, including people using other stores like Amazon's, or installing apps directly.

Re:

[fluffy99]

They already do that. Bouncer [blogspot.co.uk] scans all apps in the Google Play store for malicious software for known malware, spyware and trojans and also for behavior that may indicate an application is up to no good. It supposedly led to a 40% decrease in malware within the first few months of them running it.

I presume the scanner they are integrating within the Play store client app is aimed at doing the same but with the benefit of also checking apps downloaded from other markets and sources.

Exactly. It's been shown that the majority of malicious apps are loaded from outside of the Google store, so this is an attempt to protect users who are using other sources. Google is taking a reputation hit, even though they aren't serving up the malicious apps.

Bouncer is more like traditional antivirus, looking for specific known signatures and looking harder at apps that are requesting unusually high privileges. Most windows antivirus software has the ability to monitor and report suspicious activity

Re:

[alen]

But then the phones won't need more ram than a server and quad core cpu's and the techtards won't be able to cream their pants dreaming of specs

Good move.

[csumpi]

I think this is a good move. Instead of locking everyone into a single store, google can keep users free and safe.

If only microsoft would've done the same two decades ago.

Re:

[Nerdfest]

It wouldn't have helped. The 'scanning' model is reactive most the most part, and you need to discover the malware before you can scan for it. Microsoft's biggest problem was no interest in security and a bad security model. Google's problem is that people don't read the permissions they're giving to the apps they install. (It's not Google's fault as such, but it is their problem).

Re:

[Dog-Cow]

NT's security model is excellent. It just took MS a while to start enforcing its usage.

Re:

[JDG1980]

NT's security model is excellent. It just took MS a while to start enforcing its usage.

The NT security model is competitive with the Unix security model. But both of these models are out of date. Their fundamental flaw is that the program inherits the user's permission. That may have made sense in the 1970s on Unix when programs were a lot simpler, users were all reasonably experienced, and there was no such thing as downloading an .exe from the Internet. But it makes no sense now.

UAC has been successful

Re:

[Legion303]

"This at least opens the possibility that an alert user might notice malware asking for rights that it shouldn't need to have to fulfill its ostensible purpose."

Like Angry Birds needing location info, for instance.

Re:

[marcello_dl]

IMHO the android model of "give the requested privileges up or the app won't install" is far from ideal (from the POV of the user).

I should be able to download an app, run it in a unionfs- aufs- chroot with default or bogus values for contacts, email, and so on.
App developers are running the app on MY cellphone, so ME and not you, nor Google, decide what data you should be allowed to extract.

If only smartphones were not marketed to spy on the buyer instead of working for him :)

Re:

[Clifton Beach]

It's not Google's fault as such, but it is their problem

Yes it is Google's fault for implementing a take-it-or-leave-it approach to permissions. Eg if I install a flashlight app, I should be able to agree to permission to keep the device awake, but not to access my location and SD card or have full internet access.

Re:

[BasilBrush]

Subtle. Very subtle. For those who don't remember, MS-DOS v6.0 shipped with Microsoft AV 20 years ago. Clearly it didn't keep people safe from viruses.

I've often said Android is the Windows of the phone world. Maybe it's worse...

Re:

[tuppe666]

Subtle. Very subtle. For those who don't remember, MS-DOS v6.0 shipped with Microsoft AV 20 years ago. Clearly it didn't keep people safe from viruses.

I've often said Android is the Windows of the phone world. Maybe it's worse...

Hi Apple user :) You are aware that this is simply an extra layer of protection. Does your precious apple offer this functionality especially for those people who have chosen to bypass Apples overreaching limitations.

Re:

[BasilBrush]

Hi Apple user :) You are aware that this is simply an extra layer of protection.

I'm happy it's one the iPhone doesn't require. Who wants a phone that requires a virus checker?

Re:

[tuppe666]

I'm happy it's one the iPhone doesn't require. Who wants a phone that requires a virus checker?

I personally want a secure phone.

"A Russian-language app called Find and Call, which was available in both the Apple App Store and Google Play, has been discovered to be the cause of the bug, Wired reported. Kasperksy antivirus experts were responsible for finding the culprit, which is essentially a Trojan that steals and uploads the user's address book to a remote server."

Re:

[BasilBrush]

The thing is that the only way to catch a trojan like that is for a human to identify it as such, and then do something to combat it. There are after all apps that legitimately upload the users contacts. The only way to distinguish the good app doing what's intended from the trojan is to apply human intelligence.

The virus checker needs a person to decide it's malware, and add the signature to a database, for the user to get that updated database, and then scan the apps.

Apple needs a person to decide it's ma

Re:

[timmyf2371]

If only microsoft would've done the same two decades ago.

If Microsoft had done the same two decades ago, we'd have accused them of monopoly abuse.

Viruses are not the issue

[Skapare]

The real issue is apps with malicious design intentions ... like ones that track your activity for advertising.

Re:

[Anonymous Coward]

Tracking what I like or don't like is idea since I don't care about viagra or sports cars. So I would much rather get an advertisement telling me to go buy a family guy dvd box set or an anime that I like than stuff I don't like. What I don't like is how some applications will advertise and run in the background of your phone. It's annoying to get a notification every 10 minutes about an advertisement but thankfully Ad Network Detector is pretty decent at find out what does that. Read reviews before you ins

Re:

[causality]

Target advertising isn't necessarily a bad thing unless the government gets involved.

They usually do that after the company has built up a nice, big, robust, relevant database full of information that the government would have had difficulty obtaining on its own.

Plenty of real criminals have been caught with the aid of data that Google had collected about them. This saves the cops some of the effort of doing real police work. The problem is, the same techniques could be used against "undesirables" as well.

Not to mention, the very idea that I need someone else to tell me what I want

Re:

[Mr. Slippery]

Tracking what I like or don't like is idea since I don't care about viagra or sports cars. So I would much rather get an advertisement telling me to go buy a family guy dvd box set or an anime that I like than stuff I don't like.

This attitude continues to astound me. "I would like marketers to know more about me, so that they can use more effective mind control techniques to influence my purchasing behavior."

Re:

[denis-The-menace]

I've seen games that NEED access to SMS text, your contacts, pictures, GPS, etc. (e.g. Tetris that needs Internet access)

What Android really needs is both a way to block permissions WITHOUT rooting *and* someone with a brain that stops these things from making it in the store in the first place.

Will it happen? HELL NO.
Your lack of privacy is WAY to profitable.

Re:

[Clsid]

The real issue is apps with malicious design intentions ... like ones that track your activity for advertising.

Pretty much like Google right? I bet that they wouldn't mind to report back to HQ to see what people are using on their phones when they don't use the Play Store.

Re:

[tuppe666]

Maybe now that Android is a big market player and is threatened by malware it will finally shut up Linux zealots who claim Linux doesn't get viruses.

No most Linux[sic] users think Linux refers to the kernel, of the OS, but use it as a generic name for *Linux based Distributions" A sort a collection of programs, but contains things like a graphical desktop[ie Gnome] , and famously GNU tools userland? collectively I think we would define it as Desktop Linux. Understand this has NOTHING to do with Android other than they share a common kernel which benefits both of them.

Most Linux users except that its impossible to get viruses, just that its improbable, a

RMS was right about calling it "GNU/Linux"

[tepples]

No most Linux[sic] users think Linux refers to the kernel, of the OS, but use it as a generic name for *Linux based Distributions"

Which means RMS was right about calling it "GNU/Linux". Unlike Linux distributions typically installed on a laptop, desktop, or server, Android contains little if any software produced by the GNU project. For example, it uses Google Bionic instead of glibc. Embedded Linux systems likewise tend to replace GNU software, such as replacing glibc with lighter weight Newlib or uClibc.

Re:

[tuppe666]

No most Linux[sic] users think Linux refers to the kernel, of the OS, but use it as a generic name for *Linux based Distributions"

Which means RMS was right about calling it "GNU/Linux". Unlike Linux distributions typically installed on a laptop, desktop, or server, Android contains little if any software produced by the GNU project. For example, it uses Google Bionic instead of glibc. Embedded Linux systems likewise tend to replace GNU software, such as replacing glibc with lighter weight Newlib or uClibc.

RMS was right then...but that was then and this is now RMS lost the PR battle, Linus acted better over the whole thing and Linus lets face created a hell of a product, that you can comfortable argue is a Jewel in the Open Source World. That said I owe my Desktop Linux experience to X; Gnome; Firefox and LibreOffice but it could just as easily B Wayland; KDE; Chromium and Calligra.

Personally I always liked Hurd...because it means group, but I don't really care. The original post was trying to imply Desktop

Approval process

[eWarz]

I had always assumed that there was an approval process that looked for this type of stuff. I guess i was wrong?

All sorts of fail

[thetoadwarrior]

Mobile phones should not require software like Norton anti-virus so Android's already failed there. But i don't think this tackles a bigger concern. A lot of apps ask for too many permissions and user's data is taken. You should be able to manage individual permissions, At a guess Google isn't going to do anything about that.

Re:

[Richard_J_N]

You already can revoke permissions (in cyanogen at least), but it usually breaks the app. What we actually need is to be able to sandbox the app, and grant permissions only to "fake" data. Eg the app can have my phone number (but not the true one), or my position (but be hardcoded where I put it), or access the internet (but always get faked 404s), etc.

And Ads!

[CuteSteveJobs]

The Google Play store does not say whether or not a 'free' app contains ads - especially the distracting blinking banner ads. It's fine for developers to do this and users may accept it rather than buying the app, but developers should disclose it up front. I get sick of downloading apps only to delete them. Plus many 'free' apps want access to your phone state, so they can see your phone number, who you call, and when you call them. Sneaky:

And take the children's drawing game which server up adult ads
Hannah-Siobhan - September 13, 2012 - Good basic game. Shame for the adverts my kids can click on, needs to have a lock screen option.
kristen - September 29, 2012 - Not kid friendly ads - Good time waster for kids, but the ads contain mature content, I saw buttocks yesterday...
Laura - September 19, 2012 - Version 4.0.1 - Disappointed - They show poor judgement with their advertising. With inappropriate pictures I cannot let my children use this app.
https://play.google.com/store/apps/details?id=virtualgs.kidspaint [google.com]

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Aryden]

Why? Attempting to make your shit safer is a bad thing?

Re:

[Nerdfest]

The model Android uses is the same as Linux. You can use a trusted respository (of your choice), or install things manually. The only question is the level of trust and how deeply apps in the repositories are reviewed. It's a great model and gives you choice. I do think Google or someone else should provide a more carefully reviewed repository, but that can still happen. Even with that, and with the completely locked down iOS model though, things will sneak through. Exploits will be found through the browse

Re:Except that the trusted rep is the source ....

[Nerdfest]

No, it's not. The vast majority of malware for Android (of which there's really not that much) is from alternative Chinese markets that carry copies apps.

Re:

[Beardo the Bearded]

That's why I used a counterfeit card to buy my phone and gave it a fake name.

Re:

[Anonymous Coward]

Bingo. The weakness is that an app maker can make a new program, tack a bunch of fake reviews to get 1000+ five stars, then push a malicious app out. Most users don't really pay attention to what an app is asking for permission-wise.

I really wish Google would split their store into two tiers, where there is the existing Google Play setup, as well as a setup that adheres to a rigid set of rules. If a developer does not want to play with the guidelines, don't have to, the app just won't be in the vetted ti

Amazon Appstore

[tepples]

I really wish Google would split their store into two tiers, where there is the existing Google Play setup, as well as a setup that adheres to a rigid set of rules. If a developer does not want to play with the guidelines, don't have to, the app just won't be in the vetted tier.

I was under the impression that Amazon had created its own more vetted tier in the Amazon Appstore.

Re:

[R3d M3rcury]

The question is: Can [forbes.com] you [techrepublic.com] trust [mobility.com.ng] the source [readwriteweb.com]?

Percentage

[tepples]

The argument of BasilBrush and other fans of forced curation, as I understand it, is that the percentage of not-yet-detected malware is far higher in Google Play Store than in the iOS App Store.

PPAs Ubuntu

[tepples]

Prevention is better than cure.

And how the fuck does the act of being an iPhone do THAT?

Trusted software from a known source. Bit like a Linux distro ;)

Ubuntu makes it easy for end users to install third-party repositories called Personal Package Archives [launchpad.net]. I've been told that sufficiently large companies can run the equivalent of a PPA for iOS, but only by paying Apple a recurring fee for an enterprise developer license, and then only for access by the company's employees.

Re:

[milkmage]

apps are vetted before they hit the store.. has nothing to do with the hardware.

Re:

[__aaltlg1547]

The concept of software freedom is lost on you, isn't it?

It's your device. You should be able to have complete control of the software that runs on it. So "allowing bad stuff to happen" is what software providers SHOULD do, unless you specifically opt to have the software provider manage your device for you.

IMO, that's a legitimate option and appropriate for most users. Even Stallman might agree with that. But they shouldn't attempt to control what you have if you don't opt to have them control your m

Re:

[TrancePhreak]

That's why Apple let all those apps upload your contact info to the internet.

Re:

[Admiral Valdemar]

Right. Which wasn't a) an endemic problem as with Android, b) an issue any more thanks to the privacy measures now in iOS. And I still don't need to run anti-virus on my mobile.

LoJack != malware

[tepples]

no really what if i want to put it there

Internet service providers don't want customers who want malware.

so that when you come to mess with my phone ill screw you large and then know whom stole my phone or messed with it

As long as it's under the control of the device's owner, a LoJack style application is not malware.

Re:

[causality]

This was an entertaining post and an amusing break from all of the argument about Google vs. Apple.

It should be +5 Funny. If that isn't what the author intended, tell him that's tough titty: it should still be +5 Funny.