Android Market falls victim to crafty developer

Recent apps on the Android Market directed users to online banking sites in an apparent phishing scheme.

When using the Android Market, be careful of what you wish for.

Mobile app phishers recently set their sights on the Google Android platform, releasing over 50 fraudulent banking applications in the market. Thankfully, Google stepped in quickly, removing the applications from the Android Market before any significant damage was done.

The apps didn't contain any malicious code, but they were designed to direct users to online banking sites where the app would try to obtain log-in credentials and other banking information. These applications were not created by any of the financial institutions themselves, although they did appear to be from Bank of America, Wells Fargo, Chase, and others. The apps are allegedly the handiwork of a developer known as "09Droid," and it's not immediately known how many people were affected by the scam.

With the way the Android Market works--unlike Apple, Google does not have an app approval process--it's very easy for a developer to create an application and release it into the wild. In a case like this, a cookie-cutter application can be "branded" over and over with different companies' names.

A variety of banking apps by 09Droid in the Android Market. Screenshot by Scott Webster/CNET

Obviously, this lack of oversight raises concerns over whether the Android Market's approach is the right way to run an app store. Rather than letting anyone and everyone submit applications into the market without a vetting process, perhaps the right approach is to play a gatekeeper role.

Yet, regardless of how the Android Market itself is maintained, users could still fall victim to phishing attacks. One of the benefits of the Android platform is that users have the ability to download and install applications from third parties, URLs, blogs, and more.

I often get applications directly from a software developer in advance of the Android Market release and I use the same principles that I employ with my desktop common sense. If it doesn't sound right to me, or looks somewhat shady, I simply pass. Unfortunately, there are many out there who simply don't know better.

Today, as more people graduate to smartphones, the number of uneducated users grows. But until all users realize the phone in their pocket rivals the capability of their previous computer, people will fall prey to attack. And until then, programmers with malicious intent will continue to test the waters with new approaches. No matter how hard we try to alert our friends and family to the dangers out there, someone still falls for a Nigerian e-mail scam.

The game of Cops and Robbers isn't going away. Regardless of what type of rules are put in place, someone will find a way to exploit the system(s) in place. Android users are advised to check their installed applications for anything created by the developer "09Droid" and remove it from their handset.