By Dan Rowinski
Google is taking new steps to identify and eliminate malware in the Android Market. Codenamed “Bouncer,” Google will now scan every new and existing app in the Market against known malware, permissions and publisher information. This is the first time that Google has been so proactive in attacking the Android malware problem and a welcome step for its application ecosystem.
Google will institute Bouncer without disrupting the Android user experience or requiring an Apple-like approval process. The tactic that Google is using focuses on the cloud and identifying malware as opposed to checking each app’s credentials at the door. Furthermore, Google said that Android malware is actually decreasing, contrary to prior reports.
Here is how Bouncer will work, according to Google’s blog post on the initiative.
“The service performs a set of analyses on new applications, applications already in Android Market, and developer accounts… (O)nce an application is uploaded, the service immediately starts analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. We actually run every application on Google’s cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior. We also analyze new developer accounts to help prevent malicious and repeat-offending developers from coming back.”
Google claims that Bouncer has been searching for malicious apps “for a while now.” The company claims that between the first and second halves of 2011, Android malware decreased 40%.
But, how can that be, you ask? We see reports of the exponential growth of Android malware almost every day. In late October and early November of 2011, there was supposed to have been a huge spike in Android malware.
Not so, says Google.
“This drop occurred at the same time that companies who market and sell anti-malware and security software have been reporting that malicious applications are on the rise,” wrote Hiroshi Lockheimer, VP of engineering for Android. “While it’s not possible to prevent bad people from building malware, the most important measurement is whether those bad applications are being installed from Android Market – and we know the rate is declining significantly.”
Juniper reported that Android malware had increased 472% between July and November 2011. That would correlate with Google’s proclaimed decrease in malware downloaded to user devices. Somebody is lying right?
Not quite. There is a distinct difference between malware that is created and exists in the wild and what actually makes it to users’ phones. Google is focused internally on the Android Market. It is not scanning the globe for malware signatures and behaviors that could potentially make it to user devices.
Google’s Bouncer is not actually all that different from what a lot of third party Android security apps do. Lookout has an API that scans the download point of the Android Market, effectively scanning the store itself before and app is actually put on a device. Almost all device-level security apps function through the cloud because there is not enough free computing space on smartphones to handle the type of computations needed to identify malware. What Google has in terms of an advantage over the third party security apps is unadulterated access to the Android Market as well as one of the largest cloud infrastructures in the world to run applications on.
What Google cannot control, however, is malware from third-party app stores. If you are a frequent user of third party app repositories, it is important to know what you are downloading and keep a third party security service on your device.
