Google scans Android apps for malware

Google has added an automated scanning process that is designed to keep malicious apps out of the Android Market.

The new service, code-named "Bouncer", scans apps for known malware, spyware and trojans, looks for suspicious behaviour and compares against previously analysed apps, Hiroshi Lockheimer, vice president of engineering on the Android team, said in an interview with ZDNet Australia's sister site CNET yesterday.

Every app is then run on Google's cloud infrastructure to simulate how the software would operate on an Android device, he said. Existing apps are continuously analysed, too.

"The system takes an app that's been uploaded, and runs it in the cloud and monitors what the app is doing in a virtual environment, if you will," Lockheimer said.

If malicious code or behaviour is detected, the app is flagged for manual confirmation that it is malware. The app could be blocked from being uploaded if it is blatantly malicious, or will be removed quickly thereafter if it gets flagged by the scanning process. "It won't get uploaded at all if it is an instance of known malware," Lockheimer said.

Unlike Apple, which vets every iPhone app before it hits the iTunes Marketplace, Google does not require pre-approval for Android apps. Instead, it does the screening of the apps behind the scenes when the developers upload them to the Android Market.

Google is also analysing new developer accounts to "prevent malicious and repeat-offending developers from coming back," the company said in a blog post.

Google has been quietly testing Bouncer for a "number of months", long enough to see an impact, Lockheimer said. Between the first and second half of 2011, there was a 40 per cent decline in the number of downloads of potentially malicious apps, the company said.

Lockheimer said that he could not say how many malicious apps had been blocked or removed from the market as a result of the scanning.

Asked if Google created Bouncer in response to complaints about malicious apps on the Android Market, Lockheimer said no. "It's not like there is a rampant malware problem," he said. "Think of it as an insurance policy ... to ensure that Android continues to be a safe place."

Mobile-security firm Lookout found about 1000 malicious Android apps last year, but the vast majority were on unofficial, third-party sites, where anything goes. However, some malicious apps have made it to the Android Market, including about two dozen apps containing malware that Google yanked in May, and nearly 60 malicious apps removed in March.

It's likely that Bouncer will flag apps that may not technically be considered malware, but are designed to perpetrate fraud against the consumer. This would include situations such as the nearly 30 fraud-related apps Google pulled from the market in December that were found to be charging premium-SMS toll rates on European phones without the user's knowledge.

Asked to comment on this, a Google spokesperson said, "We look for many things; this may be one of them."

The news was met with praise by security experts, including some who wondered why Android apps weren't scanned from the beginning.

"I think it is great that Google is taking steps to address the inevitability of malicious apps in their app store. What were they thinking at first?" said Chris Wysopal, chief technology officer at application-security provider Veracode, who had called on Google to scan Android apps in March last year.

"Both Apple and Microsoft started their app stores with a validation process. Blocking known malware patterns is a no-brainer.

"We think it is great that Google is working with the Android community to provide an alternative to a manual curation process, allowing developers to innovate quickly, while also increasing the baseline level of security for Android users," said Kevin Mahaffey, chief technology officer at Lookout. "We collaborate closely with the Android security team to protect users against threats, and believe this is a step in the right direction in securing the Android ecosystem from a broad range of constantly evolving threats."

Via CNET