The issue of fragmentation in Android has caused some, well, fragmented views among mobile phone users. Some feel it’s not a problem while others see it as a potentially fatal flaw in the operation system. Whatever your view, the security issues thrown up by the recent discovery of malicious apps in the Market will worry everyone.
Last week we reported on 21 malicious apps being removed from the Android Market. Over the weekend Google confirmed that there were actually 58 apps involved, which 260,000 people had downloaded. Last week Google removed the apps from the Market within minutes of hearing about them. Over the weekend, to safeguard those who had downloaded the apps, Google flicked a remote kill switch which removes the offending apps from people’s handsets without the users to do anything. Google will also be issuing a fully automated Android Market security update to infected devices that should remove the rootkit (Android Market Security Tool March 2011). All affected users will be receiving email notifications about the situation as well.
Apparently the apps were able to gain root access to the handsets they were downloaded to, however Google believes only the handsets' IMEI numbers were obtained rather than any personal information that could have been gathered. The problem for Google though, is it cannot automatically patch the security hole that was exploited by the malicious apps as it requires a system upgrade to resolve. It is up to the carriers and phone manufacturers to send out such an update.
The problem only affects devices running Android version 2.2.1 and lower as Google actually fixed the problem in more recent versions of the platform. However, because of the fragmentation of Android and the delay in getting updates out to devices, the vast majority of Android devices are currently running versions 2.2.1 or lower.
While this attack on Android devices doesn’t seem to have caused too much damage to the handsets affected, what it has damaged is Android’s reputation and if these apps can get into the Market in the first place, then Google needs to change the way it pushes out updates or risk the security of its customers' mobile devices.