Earlier this week, 58 malicious apps were discovered on the Android Market, causing deep embarrassment to Google and considerable alarm to users whose data was compromised.
Now Google has responded with an update on the situation. The company says the malicious apps were downloaded to 260,000 devices before Google removed them on Tuesday evening. Google says that device-specific information was compromised: the phone’s IMEI number (which identifies a device) was leaked, but no other personal data or account information was transferred by the rogue apps. The whole incident has created a big scare about mobile security, and if users are scared about the safety of apps, they may not download as many of them, which will hurt commerce on Google’s fast-growing Android platform.
Tonight, Google is going to initiate a “remote kill” function that lets it zap applications on any infected phones from afar. The user doesn’t have to do anything. Google will automatically send a security update to the infected devices that should remove the malware, known as a rootkit. Users will receive an email notification about it.
But Google can’t automatically patch the security problem that made the malware possible in the first place. Phone companies and phone makers have to distribute the patch to their users: they can take Google’s patch and push it out themselves. Google says that the vulnerability is present only in Android versions 2.2.1 and lower.
Google said it is taking steps to stop this from happening again, but it’s not saying what those steps are. It seems a clear flaw that Google can’t push an urgent security patch directly to users.
The reason this happened in the first place is that Google doesn’t screen apps. Instead, it provides some security for users by requiring apps to alert them whenever they intend to access sensitive information on the phone, such as the user’s contacts. By contrast, Apple reviews all apps before approving them for inclusion in its App Store.
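The permission alerts described above come from the permissions an app declares in its manifest, which is also what a reviewer or user can inspect before trusting an app. The following is an added example of that kind of triage check, written for this article and not code from Google or from the apps involved: it parses a constructed sample manifest, lists the declared permissions, flags those that expose sensitive data classes (the permission names are real Android permissions; the data-class labels and the combined-risk heuristic are this example's own assumptions), and notes when an app pairs sensitive-data access with network access, which is the combination that would allow a leak like the IMEI exfiltration reported here.

```python
import xml.etree.ElementTree as ET

# Namespace that Android manifests use for the android:name attribute.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names mapped to a plain-language description of
# the data they unlock. The descriptions are our own triage annotations.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "device identifiers (e.g. IMEI)",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}

NETWORK_PERMISSION = "android.permission.INTERNET"

# Constructed sample manifest for illustration; not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Wallpaper"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the permission names declared via <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    perms = []
    for element in root.iter("uses-permission"):
        name = element.get(name_attr)
        if name:
            perms.append(name)
    return perms


def flag_sensitive(manifest_xml):
    """Map each declared sensitive permission to the data class it exposes."""
    return {
        perm: SENSITIVE_PERMISSIONS[perm]
        for perm in declared_permissions(manifest_xml)
        if perm in SENSITIVE_PERMISSIONS
    }


def exfiltration_risk(manifest_xml):
    """Heuristic: sensitive-data access plus network access is the combination
    that makes leaking device data off the phone possible."""
    perms = set(declared_permissions(manifest_xml))
    touches_sensitive = any(p in SENSITIVE_PERMISSIONS for p in perms)
    return NETWORK_PERMISSION in perms and touches_sensitive


if __name__ == "__main__":
    for perm, data_class in flag_sensitive(SAMPLE_MANIFEST).items():
        print("sensitive: %s -> %s" % (perm, data_class))
    print("can reach network with sensitive data:", exfiltration_risk(SAMPLE_MANIFEST))
```

Run against an unpacked APK's AndroidManifest.xml (after decoding it from its binary form with a tool such as apktool) the same functions give a quick first pass on what an app could read and whether it could send it anywhere; a wallpaper app asking for phone-state and contacts access alongside network access is exactly the pattern a screening step would want to surface.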