Google announced plans yesterday to fortify the Android Market in response to the appearance of the DroidDream Trojan, but do the company’s plans cross the line from innovative to intrusive? In a blog post, Kaspersky Labs researcher Timothy Armstrong warns that the search giant’s plans to repair Droid phones without user consent may not pass the sniff test.
Google’s effort to repair infected phones leverages a remote removal feature built into the Android operating system, which some have dubbed an application “kill switch.” But Armstrong notes that the removal app is pushed to affected devices without the user’s consent (think remote code execution), gains root privileges on those devices, removes other applications, and then deletes itself.
Those actions make the removal app little different from the malware it is removing.
Google’s removal app must also be distributed over 3G networks, because the company has no client-side infrastructure, such as Windows ActiveSync or iTunes, for managing device updates. Because the fix is delivered over the air, it and other updates are subject to the dictates and network coverage of mobile service providers, Armstrong notes.
So, while Google makes lofty promises about better securing the Android application market, its actions, past, present, and proposed, suggest that these are little more than promises, and perhaps even reflect a lack of accountability.