Google Asks Three Outside Antivirus Firms To Start Scanning Submissions To Android's Play Store (arstechnica.com)
"Android has a bit of a malware problem," argues Wired, noting that "malware-ridden apps sneak into the official Play Store with disappointing frequency..."
"After grappling with the issue for a decade, Google is calling in some reinforcements." This week, Google announced a partnership with three antivirus firms -- ESET, Lookout, and Zimperium -- to create an App Defense Alliance. All three companies have done extensive Android malware research over the years, and have existing relationships with Google to report problems they find. But now they'll use their scanning and threat detection tools to evaluate new Google Play submissions before the apps go live -- with the goal of catching more malware before it hits the Play Store in the first place.
"On the malware side we haven't really had a way to scale as much as we've wanted to scale," says Dave Kleidermacher, Google's vice president of Android security and privacy. "What the App Defense Alliance enables us to do is take the open ecosystem approach to the next level. We can share information not just ad hoc, but really integrate engines together at a digital level, so that we can have real-time response, expand the review of these apps, and apply that to making users more protected."
Whatever happened to sandboxed apps? (Score:2)
Isn't app isolation a major appeal of these walled garden phone OS?
Re: (Score:1)
Yes, and like cats they (Score:2)
iOS and Android each have their way of separating apps. And:
Apps, like cats, can still shit in the sandbox. Limiting access to the system and other apps doesn't prevent people from doing bad things. It reduces the potential effects of bad things, so long as they can't escape the bounds.
Also, many apps need access to things outside of their own private data. For example, I just installed a new gallery app, for managing photos and videos. In order to do its job, the app needs access to files it didn't creat
Dupe, so I'll dupe my suggested solution approach (Score:2)
To cure or at least slow down the problem we need to remove the fuel from the engine. Malware apps are fueled by profit. That's why they create malware. Other apps are created for various reasons, but by exposing ALL of the reasons it would make it much easier for the potential victims to avoid the malware.
Concrete suggestion: A financial model section. One section from the developer, with a second section of commentary from the google or Apple.
Or your better suggestion?
Re: (Score:1)
Re: (Score:2)
One idea would be having to prove your identity via photo ID and possibly an in-person visit or via webcam before you get to charge money or put ads on your program. Another more extreme idea would be needing to send your uncompiled program to Google who will compile it for you, and any bullshit gets your source code investigated thoroughly.
Your suggestion is confusing me to some degree. Developers are already registering, and if they are going to receive payment from the google (or via Apple), then they have to provide strong ID, too. I actually think bank account information is stronger than a simple copy of a photo ID.
However, I can say how your idea seems to apply in the context of my suggestion. If the developer of an app claims (for the financial model information) that the motivation involves money that is handled by the google, that's
Re: (Score:2)
Developers are already registering, and if they are going to receive payment from the google (or via Apple), then they have to provide strong ID, too. I actually think bank account information is stronger than a simple copy of a photo ID.
They're both pretty useless without verification of identity. Malicious developers can pay someone else to maintain a bank account, or if they have a common name, they can simply open a new account and claim to be a different person.
Re: (Score:2)
And (per the suggestion of LenKagetsu) the scammer can make a fake photo ID and send a scanned copy of that to the google (or Apple). Not sure how things work wherever you are located, but the local banks around here are pretty strict about opening up new accounts. Been a while since I've opened a new account, but I think I recall that they wanted strong ID that they could handle and examine. Probably copied it, too. I do remember trying to update some of the information on some accounts about 4 years back,
And let those obscure AV companies ... (Score:2)
... in on the data gold mine.
Dupe - dupedupe - duped (Score:2)
duuuupe
Re: (Score:2)
3 brands trusted near the ads.
Now that they are scanning?
Why only 3? (Score:2)
don't be surprised (Score:2)
your ad-delivery platform attracts malware writers.
shit attracts flies, etc
Sounds Good (Score:2)
I've paid for ESET Mobile Security for years and use it on my one remaining Windows PC. Used to be many more of them but everything else is running Linux now.
Anyway, it works well. It doesn't seem to degrade performance and it has occasionally detected bad stuff. So it seems to work.
Used to use Lookout but it wasn't doing anything obvious that ESET wasn't doing.