Google’s response to the recent discovery of malicious apps in the Android market place is proof that we’re now entering a new phase in malware mitigation. Can you imagine Microsoft automatically pushing an executable to (part of) its user-base with no opt-out option?
This essay is not about the privacy implications at play here. New platforms mean new challenges but this scenario also presents us with some new opportunities.
One of these challenges obviously is keeping malicious apps outside of the market. Some have mentioned charging a higher fee for an Android market developer account — which allows uploading apps — as a good means of upping the threshold.
$25 fee for signing up
While the idea has some merit, it’s hard to envision it becoming successful in an underground world which is dominated by stolen credit cards.
Instead, Google (and others) should spend more effort confirming the identities of those who publish apps.
Only rudimentary details are being asked for
The vast majority of malicious domains out there are registered with fake credentials. However, when it comes to handing out certificates things are generally much better. There’s not a huge amount of fraud in this area.
This has a great deal to do with the amount of scrutiny most certificate authorities put their clients through. Though the high(er) prices that certificates cost will certainly help as well.
It’s the combination of the two that’s extremely potent. High prices mean little when someone can easily get away with using a stolen credit card.
While the combination is the most secure solution, it may stand in the way of business strategies. Having said that, I’m strongly convinced that more scrutiny over market developers’ identities will be of great help to the ecosystem.
Not only will it help deter cyber criminals, it will also help catch them in case they try something malicious.
*Roel Schouwenberg is a senior researcher for Kaspersky Lab. He is a member of the company’s Global Research & Analysis Team and focuses on all aspects of cyber security.
