A fifth of Android apps malware? Not quite…

Recently, CNET reported on a study that was done by security-firm SMobile Systems involving Android apps, purporting that a full 20% of Android apps have access to personal information. According to the article, “…dozens of apps were found to have the same type of access to sensitive information as known spyware does, including access to the content of e-mails and text messages, phone call information, and device location, said Dan Hoffman, chief technology officer at SMobile Systems.”

Now, before we start going into full-on panic mode, let’s think about this. SMobile Systems went about their study by looking at the permissions that the apps in question requested. There’s a definite problem with this method. As an example, let’s take one of the apps in the app store and look at its permissions. For our purposes, we’re going to use Google’s own Voice app. Google Voice is a phone/SMS app that uses Google’s own services to make and receive calls and text messages, as well as giving access to visual voicemail that offers several features (such as voice-to-text transcriptions) that other visual voicemail setups don’t.

Google Voice has access to the following information:

  1. Your personal information
  2. Services that cost you money
  3. Your messages
  4. Network communication
  5. Your accounts
  6. Phone calls
  7. Hardware controls and finally
  8. System tools.

According to the criteria that SMobile Systems used, Google Voice would be considered malware. Now let’s take a quick look at why that information is needed:

  • Your personal information- Google Voice has the ability to read and write contact data. Well…yeah. It needs that functionality in order to properly function as a phone replacement app. There’s no sense in having to go to a completely separate app in order to add, edit, or remove contacts.
  • Services that cost you money, your messages, phone calls- Google Voice has the ability to directly call phone numbers and send SMS messages. Isn’t that sort of the point? I don’t think I need to address this one.
  • Network communication- Google Voice has full Internet access. Voice uses the Internet to function.
  • Your accounts- Google Voice has access to your Google Voice account, can manage the accounts list, and use authentication credentials of said account. It would be rather difficult for the Google Voice app to function without access to your Google Voice account, no?
  • Hardware controls- Change your audio settings. There are loud people that you definitely don’t want yelling in your ear. For this purpose, there are the volume buttons.
  • System tools- Prevents phone from sleeping. Depending on how your phone is set up (especially if you’re using Wi-Fi), the phone going to sleep would completely interrupt your internet connection, thus terminating the call with your rich uncle that was offering you a boatload of money. On a completely unrelated note, can you introduce me to your uncle?

So, as we can see, yes, Google Voice has the “type of access to sensitive information as known spyware does,” but it uses this information to function properly. I don’t think that we could really classify it as “spyware,” could we? Now, are there some spyware applications in the Market? Absolutely, as with any other app store, no matter how closely walled. The best thing to do is to report these apps if they’re encountered, instead of just uninstalling them and saying nothing.
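The methodological point above, as an added example (not code from SMobile, CNET, or this post): a permission-only scan flags every app holding a sensitive permission, while comparing the request against what the app's category needs isolates the mismatches. The app names, manifests, `SENSITIVE` list and per-category baselines are constructed assumptions.

```python
import xml.etree.ElementTree as ET  # for untrusted manifests, prefer defusedxml

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed list of permissions a permission-only scan treats as "sensitive".
SENSITIVE = {P + n for n in ("READ_CONTACTS", "WRITE_CONTACTS", "READ_SMS",
                             "SEND_SMS", "CALL_PHONE", "ACCESS_FINE_LOCATION")}

# Assumed baselines: sensitive permissions each app category plausibly needs.
EXPECTED = {
    "telephony": {P + n for n in ("READ_CONTACTS", "WRITE_CONTACTS",
                                  "SEND_SMS", "CALL_PHONE")},
    "soundboard": set(),
    "game": set(),
}

def manifest(*names):
    """Build a constructed, decoded AndroidManifest.xml for a sample app."""
    uses = "".join(f'<uses-permission android:name="{P}{n}"/>' for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            f"{uses}</manifest>")

# Constructed samples: name -> (category, manifest). None is a real app's manifest.
APPS = {
    "voip_dialer": ("telephony", manifest("READ_CONTACTS", "WRITE_CONTACTS",
                                          "CALL_PHONE", "SEND_SMS",
                                          "INTERNET", "WAKE_LOCK")),
    "soundboard": ("soundboard", manifest("MODIFY_AUDIO_SETTINGS", "CALL_PHONE")),
    "puzzle_game": ("game", manifest("INTERNET", "READ_SMS")),
}

def requested(manifest_xml):
    """Return the permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def naive_flag(perms):
    """Permission-only verdict: any sensitive permission means 'suspicious'."""
    return bool(perms & SENSITIVE)

def unexplained(category, perms):
    """Sensitive permissions the category baseline does not account for.
    An unknown category has no baseline, so everything sensitive is reported."""
    return sorted((perms & SENSITIVE) - EXPECTED.get(category, set()))

def audit(apps):
    """Map app name -> (naive verdict, list of unexplained permissions)."""
    return {name: (naive_flag(p), unexplained(cat, p))
            for name, (cat, xml) in apps.items() for p in [requested(xml)]}

if __name__ == "__main__":
    for name, (flagged, extra) in audit(APPS).items():
        print(f"{name:12} naive_flag={flagged!s:5} unexplained={extra}")
```

All three samples trip the permission-only flag, but only the soundboard and the game are left with a permission their function does not explain.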

The Android Market is a diverse shop that allows the user the choice to supplement or replace their existing stock applications with something that may work better for them. True flexibility. For this, the slight chance of running into a malicious or buggy program could be considered worth it for many people.

[via cnet]

  • http://onandroid.blogspot.com paul

    I disagree with your assessment. You’re using Google Voice as an example. That’s fine…that’s Google’s app.

    We’re supposed to be able to trust Google. As for the rest? Why would a gaming app need access to the users’ mail or SMS?

    There are times when apps need it and times when they don’t. The CNET article is saying that just about any app can access that private information. I don’t think CNET is worried about Google Voice.

    To be fair, the 20% number is fairly high and used to sell anti-virus software. I hate posts like that use sources with questionable motives.

    There is a risk and I hope Google will address it in future OS updates. Of all the mobile OSes out there, Android is the most versatile and open but I fear it’s also the most at risk.

  • Robert Allen

    I absolutely, positively agree with you. There are definitely some malicious apps on the Market. When you select an app on the Market for installation, before it actually begins the download, it shows what the potential download has access to, system-wise. I highly recommend everyone giving that a look-over and using some thought as to what is permitted. If you’re downloading a sound-board, for instance, that has access to phone calls, something is very wrong.
    I do think that Google needs to re-evaluate its security issues. In the meantime, I think that the added flexibility of Android is worth some of the risk, though that’s my opinion.
    My primary argument with the article from CNET was the methodology in which potential “spyware” was selected.

  • Wello

    It’s just some sales company spreading FUD. All these permissions are not regarded as malicious. For example, if the app can call directly, it will only display the number in the dialer not call without you knowing.

  • http://www.safercode.com/blog/ Shantanu

    Agree with your article completely, Robert. Apple’s walled garden approach has so many limitations which can never make your device as secure as a platform which has a good/solid local security model; in fact, it lulls them into a “false sense of security,” which is a disaster waiting to happen.
    I did a post that does a detailed and informed comparison of Android and Apple security models here:
    Android vs iPhone: Security Models Comparison

  • Eh, Steve!

    You are incredibly naive if you think the mega corporation Google isn’t doing anything with all your personal data that you allow it to access.

    It’s all data mining, just the same as on Facebook and Myspace. You are using their service for free and they are collecting all our info for free, which can then be sold to data banks, telemarketers, DHS, NSA, various marketing firms, trends forecasters, private intelligence firms, used by Google’s own analytics project and more.

  • jjoensuu

    Actually this article is stupid.

    Why the heck do you use Google Voice as an example and then go through explaining WHY Google Voice needs access to this or that?

    I do not think we need an explanation on why Google Voice needs to have access to various parts of the system. Then again, Google Voice had not even been classified as malware by SMobile Systems because that application by its nature needs access to all that data.

    More articles written by Google religionists to Google religionists and Mountain View stays happy.

  • david

    I agree with some of the posts. This article is worthless! Here’s an example app he should have used. MouthOff…Requires Full Internet Access. WTF! It’s got 36 cartoon mouths that are loaded onto your phone. WHAT does that have to do with the app accessing the internet from my phone? My experience is that more like 80% of the apps are gathering my private data!! Grrr!!