Android phones are tempting targets for hackers

By Hiawatha Bray
Globe Staff / June 24, 2011

E-mail this article

Invalid E-mail address
Invalid E-mail address

Sending your article

Your article has been sent.

Text size +

Criminals who infect personal computers worldwide with malicious software programs, hoping to steal credit card numbers and other personal data from computer users, are setting their sights on a new target: the millions of smartphones running Google Inc.’s Android software.

“People never thought about virus infection on smartphones, and they’re going to regret it,’’ said Harry Wang, director of mobile research at Parks Associates, a technology research firm in Dallas. “They are pretty much a computer in your pocket,’’ and therefore just as tempting to data thieves as a desktop PC.

But the uniquely open design of Google’s smartphone operating system, which lets anyone easily distribute software for Android phones, is especially vulnerable. And the Android phone market is a large and tempting target for criminal hackers. According to market research firm comScore Inc., Android is the most popular smartphone platform in the United States, accounting for 36 percent of the nation’s 74.6 million smartphones.

Google recently dropped 10 smartphone apps from its online Android Market store, after Xuxian Jiang, an assistant professor of computer science at North Carolina State University, found the programs were infected with Plankton, a program that secretly collects information about a user’s Web-browsing habits. It was the latest of several incidents in which Google was forced to purge infected apps from the Android Market. In March, the company deleted about 50 apps that contained DroidDream, a program that could seize control of an infected phone and steal information stored on it. And in May, Google had to delete another two dozen apps infected with a modified version of DroidDream.

The second-most-popular smartphone, Apple Inc.’s iPhone, is Google’s chief rival in the smartphone market, and is much harder to attack. The main reason: Apple’s tighter control over iPhone software.

Apple spokesman Tom Neumayr said his company runs “a curated app store,’’ meaning that apps — games, media players, and other programs made to perform specialized functions on smartphones — are reviewed by the company’s employees before being offered to customers. Apps that don’t meet the company’s standards are barred from the store, sharply reducing the risk that malware will slip through.

IPhone infections are rare and are generally caused by unauthorized software obtained outside of Apple’s online app store. Such software can be installed by overriding the iPhone’s security settings. This process, known as “jailbreaking,’’ is popular with technology enthusiasts but rarely used by the general public.

Other leading smartphone platforms have similar policies. Research In Motion LLC’s BlackBerry and Microsoft Corp.’s Windows Phone 7 systems both offer app stores where software is tested for safety before being made available to consumers.

By contrast, Google’s Android Market does not test its software inventory to ensure apps are free of malware. Instead, Google relies on built-in security features of Android to set limits on what an app can do. Google also relies on customer feedback; if an app causes problems for users, it expects them to post complaints, thus warning others not to download it. Apps that generate enough complaints will be removed from Android Market.

“We’re aware of and have suspended a number of suspicious applications from Android Market,’’ said a Google spokesman. “We remove apps and developer accounts that violate our policies.’’

Google’s Android Market offers 200,000 software apps, while Apple’s App Store has about 425,000 apps. That gap was far bigger when Google introduced the first Android phone, in 2008. Wang said that Google embraced an open software model so developers would help the company to catch up, by quickly building a lot of Android-compatible apps. “It reached a critical mass that made the Android market very attractive to consumers,’’ he said.

But Adam Wosotowsky, an antispam engineer at the data security company McAfee Inc. in Alpharetta, Ga., said Android’s openness also poses a security threat. “You have more of a capability to get yourself in trouble with an Android,’’ he said.

That’s especially true when using software downloaded from non-Google sites. “Most of the dangerous stuff is outside the Android Market,’’ said Wosotowsky. For instance, Jiang, who discovered the tainted Android Market apps last week, also recently identified DroidKungFu. This program lurks at independent Android app stores in China and can seize control of a phone.

Jiang said he is an Android fan, and that Google is moving quickly to shore up the security of its phone software. “They are making very good progress,’’ Jiang said.

And though his company makes software to detect malware on Android phones, Wosotowsky said there is no need to push the panic button yet.

“I am concerned,’’ he said, “but I don’t want to blow it out of proportion.’’

Wang said Google should adopt Apple’s approach and begin vetting new apps to ensure they are malware-free, or customers might start avoiding Android phones.

“I think it’s wise to do a cleansing job,’’ he said. “Android has to establish a reputation with consumers that it’s safe.’’

Hiawatha Bray can be reached at