At the start of this month, Google sent a message to Android malware authors: No more Mr. Nice Guy. In a blog post, engineering vice president Hiroshi Lockheimer wrote that Google had been scanning Android Market apps "for a while now" with an automated routine called Bouncer.
Lockheimer's post explained that Bouncer inspects apps for known malware and troubling behavior, in part by running them on simulated Android phones. It works, he said: "Between the first and second halves of 2011, we saw a 40 percent decrease in the number of potentially malicious downloads from Android Market."
Since the prior defense on the Market had consisted of Google yanking rogue apps after users reported them, this was a major advance. But is it enough?
On one level, you could say so. Symantec's database of threats lists only one recent case of Market malware (separate from apps hosted elsewhere, which you can't install on Android by default), an app that Lookout Mobile Security and others ruled was merely a pushy advertising operation. The latest report of Market malware from another security firm, Sophos, was a December warning about malicious games.
Remi Harrad, a publicist for Lookout, wrote Friday that "we haven’t found any more significant malware on the Android Market" since early February. But Chester Wisniewski, senior security adviser at Sophos, wrote that the major problem on the Market was "dodgy apps" that steal personal data — and that Bouncer hadn't helped.
Past studies of automated scrutiny of mobile apps suggest caution. A 2011 report (PDF) by researchers at the University of California, Berkeley, found that the automated screening of Nokia's Ovi software store had apparently OK'd five of 24 malicious apps. A 2008 paper (PDF) by IBM, Samsung and University of Michigan researchers suggested that well-crafted "behavioral detection" could identify malware "with more than 96 percent accuracy" — not good enough to surrender judgment to the likes of Bouncer.
Two security professionals suggested possible gaps in Google's scrutiny.
Peter Szor, a researcher who joined McAfee Labs last spring, said some Android malware is "very device specific" — targeting particular models — and so might look safe in virtual-machine testing. He also noted that rogue applications could download malicious code after being installed.
Chris Ensey, director of government relations for SafeNet Inc., echoed that concern. He added that while security firms like his employ "virtual execution" techniques to check attachments and links sent to employees, that's easier work: Those items shouldn't run any code. Flagging a malicious application "requires far more advanced inspection tactics."
Meanwhile, you can and should consult the useful data Google provides about Market apps (including recent additions like "+1" recommendations for apps from Google Plus users) before downloading them. Don't install anything from outside the Market unless you know exactly what you're doing — the latest attack Sophos reported was a download from a site listed on a Facebook profile.
Or you could switch to Apple's iOS, where human reviewers' rigorous scrutiny stops software from abusing your trust.
Except when it doesn't. Earlier this month, the photo-sharing app Path was caught uploading users’ address books without permission. Path's developers wanted to help users find friends on their service, but that action violated Apple's guidelines for iOS developers. Path apologized and Apple said it would require apps to ask permission before uploading contact information.
What might protect you, then? Be skeptical about new apps and slow to install them. Remember, nobody's handing out prizes for being the first to install a new program.