Google's Shoddy Whitelisting Makes Android Malware Inevitable
The rise of mobile malware is one of the regular annual predictions that experts and anti-malware companies have been making for many years. I’m one of the people who get pitched these predictions, and I’ve been hearing this one for at least 5 years, but malware on mobile devices has always been just a novelty, not a real-world threat.
Now the anti-malware companies may be getting their wish, thanks mostly to Google. I say “their wish” because this opens up a large new market for them. Make no mistake; they need mobile anti-malware to take off. It’s not so clear that their desktop business will stay robust in the long term.
Why do I say “Google”? Because their security and code signing model for Android greases the wheels for malicious programmers, eliminating barriers to entry which have played a big part in keeping threats off other mobile platforms.
The scenario played itself out just recently when Google quickly removed over 50 malicious applications from their marketplace. In effect, all applications for 3 specific developer accounts were removed.
Since those developers have been blackballed we won’t be hearing from them anymore, right? Not quite. Setting up a developer account for the Android market is easy and cheap; in fact, easier and cheaper than on any other platform. I suspect that Google did this in order to push the number of apps on the market up as fast as possible so as to compete with the iPhone on that one simplistic factor. The number of apps on each platform used to get a lot more coverage, but both have an absurdly large number now.
One of the big reasons both have such large numbers is that both made it cheaper and easier to get an app published. Other platforms, like Blackberry, Brew or the old Windows Mobile, forced developers to go through expensive testing procedures and to buy at least one not-cheap code signing certificate from a trusted certificate authority like Symantec’s VeriSign [Disclosure: I have done freelance writing for VeriSign]. Apps in the Apple store are signed by Apple.
Most phones, including iPhones, are designed only to run software signed by the trusted authority. This is a whitelisting system. Hacking past this rule is what is called “jailbreaking” on iPhones. Jailbreaking has become an included feature on Android, where users can change a setting to allow apps not in the market to be installed.
These whitelisting systems also have a blacklisting component: If the authority determines an application to be malicious or undesirable for any reason they can revoke or blacklist the certificate. That app will no longer be installable and, as I understand it, Google can signal to Android phones to remove such apps.
Apple’s iOS developer program costs $99/year and 30% of proceeds from paid apps. Not a lot. Google’s Android Market Developer program costs a one-time $25 fee. Considerably less. Almost throwaway money.
Apps in the Apple app store are signed with real code signing certificates from Apple. Google requires that the developer sign their apps, but in effect requires that they use what are called “self-signed certificates”. This means that the certificates are not signed by any 3rd-party authority that checks the identity of the signer and guarantees to users that the app was signed by that person. Anyone can sign the app and it costs nothing.
This isn’t a formal requirement, but it follows from Google’s rules. The developer is allowed to use a self-signed certificate and: “If you plan to publish your application(s) on Android Market, note that a validity period ending after 22 October 2033 is a requirement.” A code signing certificate from a trusted authority with a validity period that long would be prohibitively expensive. Why doesn’t Google just create their own CA like Apple or require 3rd party certificates?
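The signing model described above can be checked on a concrete signing certificate. The following is an added example, not code from the article or from Google's tooling: it takes a DER-encoded X.509 certificate, reports whether it is self-signed (issuer equals subject), whether its validity satisfies the 22 October 2033 rule quoted above, and its SHA-256 fingerprint, which is the value any certificate blacklist has to key on. The certificate it runs on is a constructed skeleton with an empty key and signature, and the developer name in it is made up.

```python
import hashlib
from datetime import datetime, timezone
MARKET_MIN_NOT_AFTER = datetime(2033, 10, 22, tzinfo=timezone.utc)  # Market rule quoted above

def _tlv(data, pos=0):  # decode one DER element -> (tag, value, position after it)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):  # decode every element inside a SEQUENCE/SET value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _time(tag, val):  # UTCTime (YYMMDD..Z) or GeneralizedTime (YYYYMMDD..Z) -> aware datetime
    text = val.decode("ascii").rstrip("Z")
    if tag == 0x17:  # UTCTime two-digit year: 50-99 means 19xx, 00-49 means 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def inspect_signing_cert(der):  # trust-relevant facts about a DER X.509 cert (no signature check)
    _, cert, _ = _tlv(der)  # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    fields = _children(_children(cert)[0][1])  # tbsCertificate children
    if fields[0][0] == 0xA0:  # optional EXPLICIT [0] version comes first when present
        fields = fields[1:]
    _serial, _alg, issuer, validity, subject = fields[:5]
    not_after = _time(*_children(validity[1])[1])
    return {
        "self_signed": issuer == subject,  # no third party vouches for the signer's identity
        "not_after": not_after,
        "market_validity_ok": not_after > MARKET_MIN_NOT_AFTER,
        "sha256": hashlib.sha256(der).hexdigest(),  # what a revocation/blacklist entry keys on
    }

def _der(tag, *parts):  # minimal DER encoder (bodies under 256 bytes), only for the sample below
    body = b"".join(parts)
    length = bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])
    return bytes([tag]) + length + body

def sample_self_signed_cert():  # constructed sample: issuer == subject, expires end of 2035
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03"), _der(0x0C, b"Example Dev"))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),  # v3, serial 1
              _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")), name,  # sha256RSA
              _der(0x30, _der(0x17, b"110301000000Z"), _der(0x18, b"20351231235959Z")), name,
              _der(0x30, b""))  # subjectPublicKeyInfo deliberately left empty in this sample
    return _der(0x30, tbs, _der(0x30, b""), _der(0x03, b"\x00"))  # empty algorithm and signature
```

On a real app, feed it the DER certificate extracted from the APK's signature block; a CA-issued certificate would show `self_signed` as False because its issuer names the authority rather than the developer.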
Instead, what we have is a situation where anyone can create an account for $25, deploy a lot of malware in the Android market and run away. Apple’s $99 isn’t all that big a barrier either, but perhaps they’re scrutinizing submissions more than Google. For 4 times as much per year they can afford to.
The recent malicious apps in the Android market are only the beginning. There will be more of these because the economic incentive is there and Google’s systems are too permissive to stop them.