The answer Google’s Head of Android Sundar Pichai gave today, to a question regarding Android malware at Mobile World Congress (MWC), will surely raise eyebrows.
A hot topic in the industry is how secure Android is or isn’t, and Google people are often asked about it.
Fielding questions from journalists, Pichai gave a candid answer when asked about the state of malware on Android, according to French bloggers FrAndroid:
“We cannot guarantee that Android is designed to be safe, the format was designed to give more freedom. When people talk about 90% of malware for Android, they must of course take into account the fact that it is the most popular operating system in the world. If I had a company dedicated to malware, I would also be addressing my attacks on Android.”
I don’t think Mr. Pichai is conceding that Android is unsafe, but saying the mobile OS is an easy target because of its popularity.
Android is a secure operating system with loopholes that malware authors exploit, using Android’s own functionality against its users.
You can have two apps with the same functionality like receiving incoming SMS with some advertising; one is good, the other bad. They’ll have permission requests of READ_SMS and INTERNET.
Not too scary, right? How the developer puts those functionality requests (permissions) to use is where the bad stuff happens.
App A uses READ_SMS to receive incoming text messages and display them in larger text for better reading; the INTERNET request is for in-app advertising to generate money.
App B also uses READ_SMS and INTERNET for the same functionality, but App B also uses his INTERNET access to communicate with a remote server. He doesn’t mention that in the description, nor is it obvious when you run the app. Oh, he also doesn’t mention that the text messages he’s capturing are sent to that remote server. Hmm, sounds like a man-in-the-middle attack.
App A and B could look exactly alike, maybe even have the same name. On the surface they will appear harmless, but it’s what’s under the hood that makes all the difference.
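The App A / App B comparison above can be checked from a reviewer's side. The following is an added example, not code from the original post: it audits two constructed manifests (the package names and the short sensitive-permission list are assumptions) and shows that a permission review returns the same finding for both apps.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions that expose private data; short illustrative list, not exhaustive.
SENSITIVE = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_CONTACTS"}
NETWORK = "android.permission.INTERNET"

# Constructed manifests for the article's App A and App B (package names are made up).
MANIFEST_TEMPLATE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="{package}">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Big Text SMS"/>
</manifest>"""
APP_A = MANIFEST_TEMPLATE.format(package="com.example.appa")
APP_B = MANIFEST_TEMPLATE.format(package="com.example.appb")


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")} - {None}


def audit(manifest_xml):
    """Flag private-data permissions that are paired with network access."""
    perms = requested_permissions(manifest_xml)
    exposed = sorted(perms & SENSITIVE) if NETWORK in perms else []
    return {"permissions": sorted(perms), "data_can_leave_device": exposed}


def compare(manifest_a, manifest_b):
    """Report whether a permission review can tell two apps apart."""
    a, b = audit(manifest_a), audit(manifest_b)
    return {"a": a, "b": b, "distinguishable_by_permissions": a != b}


if __name__ == "__main__":
    result = compare(APP_A, APP_B)
    print(result["a"])
    print(result["b"])
    # Identical findings: what each app sends over the network has to be
    # checked by code review or traffic inspection, not from the manifest.
    print("distinguishable:", result["distinguishable_by_permissions"])
```

Both apps get the same flag (READ_SMS paired with INTERNET), so the manifest only tells a reviewer which apps need their network behaviour inspected, not which one is misusing the data.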
Most Android malware isn’t big, scary, and in your face. Most of it is “sleight of hand” trickery where it’s a “pay attention to this live wallpaper, while I steal your contact list.”
There is no doubt Android dominates the mobile landscape and continues to increase in sales as more and more devices are made available to emerging markets, so security should always be at the forefront.
Google has made strides in security for Android and statements like this one from Mr. Pichai indicate to me that there are more enhancements coming.