Google app malware incident highlights need for publisher identity and accountability
Whole buncha headlines yesterday as Google pulled the plug on more than fifty Android apps for containing malware. Threatpost has a good writeup here, and Android Police has even more detail here and here. Existing writing on the subject has focused on the cleverness and skill of the trojan itself, along with debate about how soon Google should have realized there was a problem and dealt with it. But another noteworthy point about this attack, which infected at least 50,000 phones with highly malicious code, is that it depends ultimately on the concept of spoofed identity. The attacker published what appeared to be popular Droid apps in order to capitalize on their recognition to garner more downloads. An attack that depends on false identity works just fine on Android because identity verification is not required to publish apps. That builds inherent difficulty into tracking down the true source of apps, as illustrated by this Reddit post,
I'm the developer of the original Guitar Solo Lite. I noticed the rogue app a bit more than a week ago (I was receiving crash reports sent from the pirated version of the app). I notified Google about this through all the channels I could think of: DMCA notice, malicious app reporting, Android Market Help...they have yet to respond. Thankfully this was posted on Reddit, since after the post the rogue dev and all his apps have been removed from the market. There really should be a faster/easier way to get Google to act on it! UPDATE: After yesterday's media coverage, Google finally contacted me and apologized for the delayed response.
If it's that hard for Google itself to figure out who is real and who is fake, what chance does the average phone owner have of getting it right? My vote is zero. Fortunately there's a well-baked solution available. Code signing certificates can, if required by the owner of the app store, come with mandatory developer authentication. A code signing certificate carries the owner's identity built in, in an unspoofable, hash-protected format. The app store can reveal this identity where anyone can see it, and apps can be targeted and blown up on a build-by-build basis if need be. Finally, because the authentication procedures are highly reliable, there is an accountability chain back to the original publisher. In all the writing I've seen on this topic, I have yet to learn who the actual originator of these trojans is. That's because nobody knows. If full authentication using proven methods had been required prior to publishing on the Android app store, that would not have been the case.
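The store-side check described above, as an added example in Go that is not from the original post and not Android's actual signing scheme: a hypothetical store CA issues a code-signing certificate only to a publisher whose identity it has verified, the store confirms that a build's signer chains to that CA, reads the publisher identity out of the certificate, and refuses any build whose hash is on a per-build revocation list. The CA name, the publisher names and the SHA-256 revocation list are assumptions for illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// Issue creates a code-signing certificate whose Subject carries the identity the (hypothetical) store verified.
func Issue(verifiedName string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: verifiedName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil { // no parent: this is the store's own self-signed root, which signs publisher certificates
		t.IsCA, t.KeyUsage, parent, parentKey = true, t.KeyUsage|x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// BuildID is the hash the signature covers and the key used for build-by-build revocation.
func BuildID(apk []byte) [32]byte { return sha256.Sum256(apk) }
// SignBuild: the publisher signs one specific build with the key behind its certificate.
func SignBuild(key ed25519.PrivateKey, apk []byte) []byte {
	id := BuildID(apk)
	return ed25519.Sign(key, id[:])
}
// VerifyBuild is the store-side check: signer chains to the store CA for code signing, build not revoked, signature matches.
func VerifyBuild(ca, signer *x509.Certificate, apk, sig []byte, revoked map[[32]byte]bool) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return "", err // self-made or spoofed certificate: no chain back to a verified identity
	}
	if id := BuildID(apk); revoked[id] {
		return "", errors.New("build revoked by the store")
	} else if pub, ok := signer.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, id[:], sig) {
		return "", errors.New("signature does not match this build")
	}
	return signer.Subject.CommonName, nil // the authenticated identity the store can display
}
```

A self-made certificate with a copied publisher name fails at the chain check, so the store never shows an identity it did not itself verify.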