Google now scanning Android apps for malware

New service scans apps for malicious code or behavior and bounces them if they are suspect.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Google has added an automated scanning process that is designed to keep malicious apps out of the Android Market, the company announced today.

The new service, code-named "Bouncer," scans apps for known malware, spyware, and Trojans, looks for suspicious behaviors, and compares each app against previously analyzed apps, Hiroshi Lockheimer, vice president of engineering on the Android team, said in an interview with CNET this morning.

Every app is then run on Google's cloud infrastructure to simulate how the software would operate on an Android device, he said. Existing apps are continuously analyzed, too.

"The system takes an app that's been uploaded and runs it in the cloud and monitors what the app is doing in a virtual environment, if you will," Lockheimer said.

If malicious code or behavior is detected, the app is flagged for manual confirmation that it is malware. A blatantly malicious app can be blocked from being uploaded at all; an app that is flagged by the scanning process after upload is removed quickly thereafter. "It won't get uploaded at all if it is an instance of known malware," Lockheimer said.
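As an added illustration of the triage flow described above (this is constructed example code, not Google's, and Bouncer's internals are not public): a hash match against known malware blocks the upload outright, a sandbox behavior profile that resembles a previously analyzed malicious app, or that contains a suspicious action such as the premium-SMS charging the article mentions later, is queued for manual confirmation, and everything else is allowed. All digests, behavior names, and profiles below are constructed.

```python
"""Toy model of Bouncer-style upload triage (constructed example, not Google's code).

Verdicts follow the flow in the article: known malware is blocked at upload,
suspicious runtime behavior is flagged for a human to confirm, the rest passes.
"""
import hashlib

# Constructed: SHA-256 digests of previously confirmed malicious packages.
KNOWN_MALWARE = {hashlib.sha256(b"constructed-known-trojan.apk").hexdigest()}

# Constructed: behavior profiles recorded from previously analyzed bad apps.
KNOWN_BAD_PROFILES = [
    {"send_sms_premium", "suppress_sms_receipt", "contact_c2_host"},
    {"exploit_local_root", "install_package_silently"},
]

# Any single action seen in a known-bad profile warrants a second look on its own.
SUSPICIOUS_ACTIONS = set().union(*KNOWN_BAD_PROFILES)


def jaccard(a, b):
    """Overlap between two behavior sets, from 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if a or b else 0.0


def triage(apk_bytes, observed_behaviours, similarity_threshold=0.5):
    """Return (verdict, reason) for one uploaded package.

    apk_bytes: the package contents as uploaded.
    observed_behaviours: actions recorded while the app ran in the sandbox.
    """
    digest = hashlib.sha256(apk_bytes).hexdigest()
    if digest in KNOWN_MALWARE:
        return "BLOCK", "matches known malware; not accepted for upload"

    observed = set(observed_behaviours)
    best = max((jaccard(observed, p) for p in KNOWN_BAD_PROFILES), default=0.0)
    if best >= similarity_threshold:
        return "MANUAL_REVIEW", f"behaviour resembles a known-bad profile (similarity {best:.2f})"

    hits = observed & SUSPICIOUS_ACTIONS
    if hits:
        return "MANUAL_REVIEW", "suspicious actions: " + ", ".join(sorted(hits))
    return "ALLOW", "no findings"


if __name__ == "__main__":
    print(triage(b"constructed-known-trojan.apk", []))
    print(triage(b"constructed-toll-fraud.apk", ["send_sms_premium", "suppress_sms_receipt"]))
    print(triage(b"constructed-benign.apk", ["read_contacts", "http_get"]))
```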

Unlike Apple, which vets every iPhone app before it hits the iTunes Marketplace, Google does not require pre-approval for Android apps. Instead, it screens apps behind the scenes when developers upload them to the Android Market.

Google also is analyzing new developer accounts to "prevent malicious and repeat-offending developers from coming back," the company says in a blog post today.

Google has been quietly testing Bouncer for a "number of months," long enough to see an impact, Lockheimer said. Between the first and second half of 2011 there was a 40 percent decline in the number of downloads of potentially malicious apps, the company said.

Lockheimer said he could not say how many malicious apps had been blocked or removed from the market as a result of the scanning.

Asked if Google created Bouncer in response to complaints about malicious apps on the Android Market, Lockheimer said no. "It's not like there is a rampant malware problem," he said. "Think of it as an insurance policy...to ensure that Android continues to be a safe place."

Mobile security firm Lookout found that there were about 1,000 malicious Android apps last year, but the vast majority were on unofficial, third-party sites where anything goes. But some malicious apps have made it to the Android Market, including about two dozen apps containing malware that Google yanked in May and nearly 60 malicious apps removed in March.

It's likely Bouncer will flag apps that may not technically be considered malware but are designed to perpetrate fraud against the consumer. This would include situations such as the nearly 30 fraud-related apps Google pulled from the market in December that were found to be charging premium SMS toll rates on European phones without the user's knowledge.

Asked to comment on this, a Google spokesman said, "We look for many things; this may be one of them."

The news was met with praise by security experts, including some who wondered why Android apps weren't scanned from the beginning.

"I think it is great that Google is taking steps to address the inevitability of malicious apps in their app store. What were they thinking at first?" said Chris Wysopal, chief technology officer at application security provider Veracode, who had called on Google to scan Android apps in March of last year.

"Both Apple and Microsoft started their app stores with a validation process. Blocking known malware patterns is a no-brainer."

"I hope Google can keep up with published rootkit code and research on vulnerabilities and add these patterns to their scanners," he added. "The process should be proactive and not have a window of time when tens or hundreds of thousands of mobile users can be compromised before the malware is detected and removed."

Kevin Mahaffey, chief technology officer at Lookout, said Google's move was a "step in the right direction."

"We think it is great that Google is working with the Android community to provide an alternative to a manual curation process, allowing developers to innovate quickly while also increasing the baseline level of security for Android users," he said.

Updated 2:02 p.m. PT with comments from Chris Wysopal and Kevin Mahaffey.