According to security researcher Tim Wyatt, around 120,000 Android users downloaded malware-infected applications from the official Android Market. The malware was embedded in more than 25 applications, all of which Google has since removed from the store. This is the second reported outbreak of malware in the Android Market in the last few months.
At present Google does not screen Android Market applications for malware before publishing them. The current approach appears to be to wait for security researchers to find infected apps and then to remove them after the fact. The weakness of this approach is that, so far, the malware has been piggybacking on pirated (warez) copies of existing applications, and the only reason these copies come to anyone's attention is that the original authors complain about other people profiting from their work. A malware author who instead wrote an original app from the ground up would trigger no such complaint, and it seems likely that no one at Google would notice.
As Android's market share grows, malware attacks against mobile handsets are likely to increase, and a reactive cleanup strategy becomes less likely to succeed. What really needs to happen is for Google to analyze the apps it publishes in the Android Market before it publishes them, rather than taking an after-the-fact approach in which up to 120,000 users are infected by installing applications from a service they considered trustworthy and secure. This is especially important given that Google intends Android to become a mobile payment platform through its Google Wallet service. The malware authors who have found it straightforward to publish to the Android Market must be licking their lips in anticipation of getting their fingers into that pie.