The Register® — Biting the hand that feeds IT


Google readying on-device malware scanner for Android

Could block bad apps from any source


Android malware is on the rise, but the good news is that Google isn't sitting still for it. The search giant is reportedly readying a comprehensive anti-malware system for its mobile OS that will soon be able to spot malicious apps not just in the Google Play store, but also on Android devices themselves.

According to a report by the Android Police fan site, the latest, as-yet-unreleased build of the Google Play shopping app contains code snippets that suggest links to a future onboard malware scanner.

Text strings included in the Google Play 3.9.16 APK package file include such tidbits as, "Allow Google to check all apps on this device for harmful behavior?" And, "To protect you, Google has blocked the installation of this app."

These phrases are apparently text prompts that will be offered by a forthcoming Google Play feature, identified in the new build as "App Check."

To be clear, this anti-malware feature is not yet actually included in any known build of the Google Play app. Another text string found in the new app package says, "To learn more, go to Settings > Security" – but no such settings panel exists in the 3.9.16 version.

Rather, the presence of these items is strong evidence that malware scanning is a feature that Google is currently cooking up in its labs, and which will eventually appear in some future version of its store app.

That will be good news for Android users. The Chocolate Factory already scans apps in the Google Play store for malicious behavior using a system known as Bouncer, but that hasn't prevented a number of high-profile incidents in which scammers have used rogue apps to swindle Android users out of cash and device data.

Most recently, some 1,400 people in the UK were left lighter in the pockets after they downloaded Android scam apps disguised as the latest Rovio Angry Birds game. What the rogue apps actually did was send SMS messages to premium-rate services, costing the unwitting users up to £15 each.

Part of the problem is that unlike Apple iPhones, Android phones generally allow users to install apps from sources other than the Google Play store, which can be risky. Some models require the user to explicitly enable this capability, while others ship with it switched on by default.

So far, Google's server-side Bouncer app scanning has had no way to screen apps from third-party app stores. But with anti-malware capabilities installed on the devices themselves, Android handsets and fondleslabs will be able to flag suspicious apps no matter where they come from.

For now, however, exactly how Google's on-device malware scanning will work – and how well – is strictly up to speculation.

So is when it will actually become available, although there's a good chance it might arrive with the next version of the Android OS. Rumor has it that version will be known as Android 4.2, code named "Key Lime Pie," and it could ship with an upcoming LG handset as soon as November. ®


Never underestimate human stupidity or laziness

I have a bit more sympathy. Regarding free vs paid, multiple versions of Android apps often exist, some free & some paid; it's not always obvious (even from the Google Play description) which is which. I have no sympathy for someone knowingly trying to get a paid app for free, but it's possible at least people scammed in this way didn't know what they were installing.

On the matter of permissions: undoubtedly it's really important to read permissions very thoroughly before accepting them when installing a new app, especially if they say "things that cost you money". But the longer and more comprehensive some permissions lists get, the more they feel like the Android equivalent of click-through EULAs - at best the average user will scan the list in a couple of seconds in case anything jumps out, but more likely they'll just say "sod it" and click accept without reading... Not the best policy, but human nature.

7
0

Phone+

I use a dumb phone for, surprisingly enough, making phone calls and texting. It has all the features I need. It's 9cm x 4cm x 1.5cm and very light.

I use a rooted 7" Tab 2 to do all those things my dumb phone doesn't.

It's a little inconvenient having to use two devices where most people use one. But to me, that's the only down side. My Tab is under my control, not Google's. I have the usual adblock installed in Firefox... Where's NoScript for FF on Android? My hosts file is pretty comprehensive. I haven't found a decent firewall yet, i.e. one that asks permissions for any ingress and egress and doesn't want access to contact lists, location services, the Internet etc.

I image my device before installing anything I am the slightest bit dubious about.

However, IT is what I do and I have been doing it for quite some time. Consumers on the other hand do need protecting, not only from malicious applications but their own ignorance. As a consumer one has to trust someone. As an IT literate who generally knows what he is doing, I don't have to trust anyone, and I don't.

7
1

The best response to malware is a permissions system that isn't broken

With Android apps, permissions are take-it-or-leave-it. You do not have a say in the matter (I'm not including rooting your phone, most of the people at work wouldn't even understand that phrase never mind actually do it). Users NEED to be able to say "oi! no."

I will give you an example. Orange France has an app called "Orange et moi" that tells you promotional rubbish, but can also report on your outstanding allocations for data and free voice calls. Among other stuff. [ https://play.google.com/store/apps/details?id=com.orange.orangeetmoi ] It used to tell me there was a newer version, but I could continue using the older one. Now it refuses, saying I can either upgrade or quit.

Upgrade?

Are you sitting comfortably? Here goes with the permissions it, a carrier-provided app, wants:

Services that cost you money: directly call phone numbers; Your location: coarse (network-based) location, fine (GPS) location; Your messages: read SMS or MMS; Network communication: full Internet access; Your personal information: read contact data; Phone calls: read phone state and identity; Storage: modify/delete USB storage contents, modify/delete SD card contents; System tools: change Wi-Fi state, change network connectivity, prevent phone from sleeping; Network communication: view network state, view Wi-Fi state; System tools: automatically start at boot, measure app storage space; Default: directly install apps, modify battery statistics...

The last one, about battery statistics, says "Not for use by normal apps" in its description. Anyway, are alarm bells ringing yet? Directly install apps? Read contact data? I'm sorry, I took a look at this list and deleted the app entirely. I'll use the website from now on.

That I cannot tell this app to rein in its ambitions is a failing of Android; and an encouragement to app authors to drop in more permissions than are necessary. It is scary how much stuff wants to read your address book, and your only choice is to do without. There needs to be an option entitled "screw you and the horse you rode in on" so you can choose to install the app and you can tell it what it won't be doing. But since this means many would turn off internet access and location-based services (used by AdMob among others), I can't see Google doing this any time soon.

5
0
