When Google (NSDQ: GOOG) last week confirmed to mocoNews that it removed dodgy apps from the Android Market that collected user information, a big question remained: what about the downloads that had already taken place? Late last night, Google gave its answer. On affected devices, it would remotely remove the malicious apps and push out a security patch to undo the damage. So far, so proactive, but the whole event raises a number of issues about Android as well.
In a post on the Google Mobile Blog, Rich Cannings, Android security lead, wrote that Google is taking four steps against these malicious apps that contained code that extracted user and device information.
— It has removed the offending apps from the Market. Turns out there 58 apps containing the malicious code, with 260,000 devices were affected.
— It is remotely removing malicious apps that have been installed on devices. Users who have been affected will get an email alerting them to this; and users getting the apps removed “may” be notified by email, too.
— Google is pushing out a new security tool on affected devices, “Android Market Security Tool March 2011”, which will remove the offending code, and also provide a proactive shield against malware in the future.
— Google will be taking steps to ensure that such apps do not get distributed via the Android Market going forward, and it is “working with our partners to provide the fix for the underlying security issues.”
While users are praising Google for finally tackling the security problem — apparently developers who had their legitimate apps “copied” by the malware creators had spent a week trying to get attention to the problem as a piracy issue, with little result — they are also raising some questions around the whole event:
Android fragmentation. Canning notes that the malware has only affected users with devices containing version of Android earlier than 2.2.2 — a version of Froyo. And that, once again, points to how there are millions of people using devices loaded with older versions of the OS that might have different and more compromising levels of security.
Google as app-god: The remote app removal service is a feature that Google only launched in June 2010 — specifically so that Google could use it in cases like this, where malware poses a security threat to a user.
But while users understand the need to fix this issue, some dislike this kind of control in principle: “I don’t like anybody to manipulate MY device, [be] it Google or anonymous attaker [sic], either with a malicious app or a security app. It always means somebody else…has access to your stuff,” wrote one user in the comments on the blog post.
Preventing such malware in the future. Google is taking steps to keep additional malicious apps from entering the Market in the future. But so far it is not giving more detail on how it plans to do this, either on its own or with its “partners” (presumably mobile operators?). Rather than remote removals, users would rather the apps didn’t get into the Market in the first place.
A separate Android Market Help technical support note says that the name of the running service containing the malicious code is called “DownloadManageService.” Users can check to see if this code has been released in their own devices by going to Settings > Applications > Running services.