Android Market Gets a Bouncer to Kick Out Malware

Today Google announced its Bouncer security service for the Android Market. This is a good initial step in protecting Android users.

Respect the Bouncer
To keep out known troublesome apps, the service performs a malware and spyware scan on all submitted material. It also uses behavioral analysis to determine if a given app is trying to do something suspicious. Google doesn’t stop there; it also does fraud and abuse detection to ban and remove malware writers posing as legitimate developers.

Other Protections
Aside from Bouncer, Google has older methods of protecting users from bad apps. The company cites its “remote app removal switch,” which allows Google to remotely uninstall apps that violate its policies and or are malicious. Although this is good for handling most basic Android malware, additional measures are sometimes necessary.

Sandboxing apps is very useful but is also a double-edged sword. On one side it keeps the average malicious app from accessing user data in other apps; on the other, however, it prevents Google and other security vendors from easily cleaning a device of advanced malware. In the case of malware such as Android/DrdDream or Android/DrddreamLite, which use root exploits to gain total control of a device, it’s necessary to go a step further. These threats that use root exploits completely bypass app sandboxing, requiring stronger methods to remove them. Google now provides a tool that runs on infected devices and removes all malware that were impossible to clean up with the remote removal function.

Alternative App Markets and Malware
Bouncer was able to reduce by half the amount of malware available on the official Android App Market during the past year. That’s an impressive figure. It’s also not the entire picture for Android malware. Android’s openness is great for developers and for users. It’s easy to get started developing apps and distributing them. It’s also easy for users to get an app that does what they need. These were keys that helped to make MS-DOS the most popular operating system in its day: Although MS-DOS was afflicted with viruses and other malware, they were always orders of magnitude smaller than the available number of legitimate applications.

The official Android App Market is not the only source for apps on Android devices. In China, it’s not even the only app store. There are reports of as many as 70 app stores in Beijing alone. In a presentation I gave last year at the security convention DefCon, we found that on a nearly two-to-one basis China was affected by for-profit mobile malware. The majority of this malware was Android based and downloadable from some of these alternative app markets. China has a large number of mobile users and the tactic of local cybercriminals was described by a colleague as “steal a little from a lot.” Even a single dollar from a million users is a good haul for a criminal.

Is a ‘Bouncer’ Enough?
We haven’t yet seen many details about Bouncer internals, but what we’ve seen so far bodes well for Android security. By itself Bouncer is not enough to clean up all infected devices or to keep all malware out of the market. There will still be a need for further innovation in security software and for defense in depth. The Android security team has a lot of clever people on it and no doubt they will continue to improve security while maintaining Android’s open nature.