The open nature of the Android market has one large disadvantage: apps that conceal unwanted and malicious functionality don’t get checked before they’re launched to the world. There are plenty of commercial Android security solutions, but you can ward off many potential issues simply by bothering to check the permissions on the app before installing.
At the Bitdefender press launch I attended last week in Bucharest, there was a demonstration of how easy it is to inject malicious code — designed to capture user information direct from the handset — into any existing Android package (APK). That has led to a rapid growth of malicious code. “We’ve seen since the beginning of 2011 a 900% increase in malware families, and a 2000% increase if variants are included,” researcher Alexandru Balan said. “Android malware exists and it has exploded.”
Balan also gave a concrete example of how unexpected functionality conceals itself. There’s an app on the market called Flashlight No Ads, which presents itself as a simple flashlight/torch application. However, the permissions are somewhat more extreme (click for a larger version):
While there might be an argument for a flashlight app to access the camera (many use the camera’s flash function to provide extra light), there is no logical reason for it to read your phone state, create network sockets or modify global system settings.
In practice, this app actually grabs user details include your carrier, phone number and email address, and automatically connects you to an ad server three hours after installation. You won’t be able to tell that from the permissions, but the mere fact that a simple flashlight app is demanding so much should give anyone pause for thought. It’s all too easy to click through the permissions screen when installing, but spending that time will definitely help you avoid some obvious hassles.
Angus Kidman travelled to Bucharest as a guest of Bitdefender.