Weekly Update

How Mobile Malware Could Affect the App Market

After years of being overhyped by vendors of security software, mobile malware is finally a real threat — and Google’s lack of oversight in Android Market is the primary reason.

The growing danger of malware was highlighted again last week when Google banished more than four dozen free apps from its storefront after it was discovered that the titles contained a Trojan horse designed to steal users’ information. The apps, which included pirated and copycat versions of legitimate Android titles, had been downloaded tens of thousands of times before being identified and ousted.

Mobile has long managed to avoid these kinds of malware attacks because the fragmented market of multiple operating systems makes it difficult for nefarious developers to target a large group of users in a single stroke. But Android is a perfect storm of sorts for malware developers: Not only is the platform wildly popular with mainstream consumers, Google depends almost entirely on its user base to police Android Market; apps are vetted by users only after they’ve had an opportunity to inflict some real damage. That laissez faire strategy (which contrasts starkly with Apple’s relatively strict policies for its App Store) is understandably attractive to developers who want to bring their wares to market as painlessly as possible. But it makes for a very dangerous marketplace for consumers.

DroidDream, as the virus was dubbed, may have been the most dangerous piece of malware yet to affect mobile users, but the vulnerabilities of Android Market have long been a cause for concern. The pressing question, then, is how Google’s refusal to play app cop could impact the mobile application space as it evolves. Here are a few thoughts on how other players could be impacted:

  • Competing app stores: Android Market increasingly runs the risk of being seen by consumers as an overcrowded bazaar teeming with malware and other nasty stuff. That leaves the door open for other distributors of Android apps — a group that includes GetJar and Handango as well as smaller startups like BloomWorlds — to differentiate themselves as a consumers’ ally by vetting the offerings on their shelves. That’s a strategy Amazon is pursuing with its app store, which is rumored to launch later this month and which could take a big bite out of Android Market.
  • Developers: Familiar app publishers like Electronic Arts or Pandora are recognizable to almost all smartphone users, but smaller developers should find a way to let consumers know that their offerings can be trusted. One potential solution: TRUSTe’s certification system for apps that are regularly tested for malware, privacy breaches and other problems. TRUSTe has had its share of controversy with its online certification policies, but its model of clearly identifying clean software is a perfect fit for mobile.
  • Security vendors: With mobile malware making both trouble and headlines in a very real way, developers of security offerings for consumers are finally well positioned to gain some traction. But attracting the attention of consumers won’t be easy in mobile, where even the best offerings can get lost in libraries of hundreds of thousands of titles. So established players like McAfee and Kapersky Lab would be wise to leverage their reputation on PCs as they try to exploit the mobile space. Smaller vendors — like other app developers — will need to find ways to market their offerings through tactics like in-app advertising and employing the freemium model that has become so popular.

Andriod is quickly closing the gap with iPhone and BlackBerry in the U.S., and it has become the top-selling mobile OS worldwide. But unless Google rethinks its anything-goes policy for its app store, the ever-increasing dangers of malware could damage the reputation of Android Market — and maybe even the operating system as a whole. And that could have a huge impact on a mobile space, where technology changes very quickly.

Related Research: The App Store Police Need More Muscle — Not Less

Question of the week

Should Google vet apps before they come to Android Market?