Google's security precautions are insufficient, but it's time to hold users accountable as well

Android smartphones are expected to reach about half the market by year's end, surpassing iOS as the market leader in such devices. Android smartphones (and tablets) are also among the least secure devices available, thanks mainly to the Android Market being full of Trojan horses and other malware masquerading as legitimate apps. Just this week, Google was revealed to have removed another dozen or so such malware apps, months after they entered the uncurated Android Market.

Like a desktop operating system, Android is open to apps, and as it gains market share, it has become open to cybercriminals. Apple's iOS, by contrast, has been largely safe from such attacks thanks to its tighter control over what goes into its App Store. iOS is not immune, but the number of successful malware placements in the App Store is very low.

Users circumvent Android's defenses

What's scary about the Android Market being a malware cesspool is that there's not much that can be done technologically about the problem. You can't really lock down an Android device as you can BlackBerry OS or iOS. And the security mechanism that Google has built into Android is easily defeated, by users, who happily grant malware apps the permissions the Android OS makes them request to access information stored on the device as well as other apps on the device. "The user is prompted for that access by the OS, but clicks OK until he gets through" to the promised game or service, says Claus Villumsen, CTO of mobile security firm BullGuard. Worse, there's an attack that circumvents these permission requests by using a hole in the mobile Chrome browser, he notes. Because there are so many legitimate-seeming malware apps in the Android Market, "Android is the No. 1 delivery mechanism for spyware and Trojans," Villumsen notes.
When the user has finally given the malware permission to open everything and discovers that the app either does nothing or, worse, actually does provide a game or whatever was promised (so you have no clue you've been duped), it's too late: "You can become a bot as with a PC. They send text messages to premium services so you get billed. They can monitor SMS and delete messages, as well as monitor and send local data, such as your bank info and photos."

It's the same issue that Windows and Mac OS X environments face, users who turn off their brains when confronted with access requests, but worse, he notes, because when using mobile devices, users are even more willing to say yes than they are on their PCs, where users are already too often fooled by malware.

I've criticized security vendors several times now for exaggerating security concerns on mobile devices to boost sales of their wares. The fact is, mobile devices as a whole are safer than PCs. (Android and Nokia's fading Symbian OS are the exceptions, Villumsen notes.) And I'm skeptical about much of the client-side security software out there; the Windows experience should make it clear that such antimalware tools are always playing catch-up and at best reduce the malware infections on your systems; they don't keep you safe. Yet they are marketed as if they do, lulling people into a false sense of security.

BullGuard is working on a whitelist app that would use a green/yellow/alert system as a front end to the Android Market, similar to how modern browsers color-code sites' URLs based on the confidence they have in the sites' legitimacy. Villumsen says this technique does reduce downloads of dangerous apps and media files, but he acknowledges that mobile customers show little interest in buying such a service, at least today.
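To make the permission problem and the green/yellow/alert idea concrete, here is an added example (not BullGuard's or Google's code, and not from the original article): a small Python script that pulls the requested permissions out of an app's AndroidManifest.xml and assigns a tier from a publisher whitelist, a list of sensitive permissions, and the permission combinations that enable the abuse described above (premium-SMS billing and SMS monitoring, or personal data plus a network path). The permission names are real Android manifest strings; the publisher whitelist, the tier thresholds, the combination list and the three sample manifests are assumptions constructed for this example.

```python
"""Permission-based risk tiering for Android apps (added illustration).

Assigns "green", "yellow" or "alert" to an app from the permissions declared
in its AndroidManifest.xml. The tier rules and sample manifests are assumptions
made for this example, not a vendor's actual scoring.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that on their own expose personal data or device state.
# These are real AndroidManifest permission strings.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Combinations matching the abuse the article describes: sending and
# intercepting SMS (premium-number billing, silent message deletion), or
# reading messages/contacts with a network path to ship them off-device.
ALERT_COMBOS = [
    {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
    {"android.permission.READ_SMS", "android.permission.INTERNET"},
    {"android.permission.READ_CONTACTS", "android.permission.INTERNET"},
]

# Assumed whitelist of publishers a curator has already vetted.
TRUSTED_PUBLISHERS = {"com.example.vettedvendor"}


def short(perm: str) -> str:
    """android.permission.SEND_SMS -> SEND_SMS, for readable reasons."""
    return perm.rsplit(".", 1)[-1]


def permissions_from_manifest(manifest_xml: str) -> set[str]:
    """Collect every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter("uses-permission"):
        name = el.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.add(name)
    return names


def rate_app(requested: set[str], publisher: str,
             trusted: set[str] = TRUSTED_PUBLISHERS) -> tuple[str, list[str]]:
    """Return (tier, reasons). Whitelisted publishers are green outright;
    otherwise a dangerous combination is an alert and any single sensitive
    permission is yellow."""
    if publisher in trusted:
        return "green", ["publisher on whitelist"]
    reasons = []
    for combo in ALERT_COMBOS:
        if combo <= requested:
            reasons.append("dangerous combination: "
                           + " + ".join(sorted(short(p) for p in combo)))
    if reasons:
        return "alert", reasons
    sensitive = sorted(requested & SENSITIVE)
    if sensitive:
        return "yellow", ["sensitive permission: " + short(p) for p in sensitive]
    return "green", ["no sensitive permissions requested"]


# Constructed sample manifests (not real apps).
GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>"""

MAPS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.maps">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

CALC_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calc">
</manifest>"""


def rate_manifest(manifest_xml: str) -> tuple[str, list[str]]:
    """Convenience wrapper: publisher is taken from the manifest package name."""
    root = ET.fromstring(manifest_xml)
    return rate_app(permissions_from_manifest(manifest_xml), root.get("package", ""))


if __name__ == "__main__":
    for label, m in (("game", GAME_MANIFEST), ("maps", MAPS_MANIFEST), ("calc", CALC_MANIFEST)):
        tier, why = rate_manifest(m)
        print(f"{label:5s} {tier:6s} {'; '.join(why)}")
```

The point of the example is the mismatch the article describes: the "game" manifest asks for exactly the SMS permissions that enable premium-number billing, which a user clicking OK will never notice but a front end checking combinations flags immediately. A real curator would combine this with publisher reputation and code analysis; the whitelist shortcut here shows why a vetted-publisher list is the cheapest signal to add first.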
Although Google really should take some measures to vet what is in the Android Market from a security perspective, the reality is that the problem lies with users, and technology can only reduce the problem, not eliminate it (as Mac users have discovered recently).

Stop letting users act like helpless babies

I've also urged multiple times that IT start treating users as shared owners of at least end-user technology, such as mobile devices, SaaS, and social networking, rather than continue to treat users as babies who must have everything done for them. That infantilizing behavior also contributes to the "always click OK" mentality. IT and the industry at large have trained users to believe "IT will fix my computer and the bank will reverse the charges from my phished accounts."

That's the real problem. The premise of consumerized IT, of "shadow IT" in the business units becoming an adjunct of formal IT, is that with freedom comes responsibility. You can use an iPad or Droid at work if it complies with IT policies and if you use it responsibly. Research from Aberdeen Group, Forrester Research, and others shows that this shared ownership coupled with shared responsibility is the safest and most cost-effective strategy in a consumerized IT world. Users need to take their share of the responsibility, not punt the problem to others. As the "parents" of these "babies," here's what IT and business management need to do:

Educate employees more aggressively, and I don't mean through mind-numbing seminars or effervescent online videos. I mean phish your employees (particularly managers) and call them out when they fall for the trap. Better they fall for your "malware" and see the connection to their behavior than get phished or Trojaned by an actual crook.

Penalize employees, especially managers, for getting fooled. The first time, disable their smartphone access for a week or two. After that, consider permanently denying access from a personal device, requiring them to use a BlackBerry or other safe but limited device. Depending on the person's role and access to sensitive information, pay-raise denials (or pay reductions), demotions, or other real performance penalties should apply. Some industries, notably health care, due to the HIPAA regulations, do enforce penalties for negligent behavior that puts the organization at risk, but too many companies give offenders a slap on the wrist and in essence tell employees it's fine to keep turning off their brains.

I'm all for treating employees as smart partners who will do the right things within the appropriate corporate policies, and who thus should have the freedom to do things their way when that helps them and does no harm to the company. But employees also need to step up and act as smart partners. With freedom comes responsibility, and with responsibility should come consequences.

And if you use Android, boy, do you need to be responsible.

This article, "Android is a malware cesspool — and users don't care," was originally published at InfoWorld.com. Read more of Galen Gruman's Mobile Edge blog and follow the latest developments in mobile technology at InfoWorld.com.