China’s Unofficial Android App Stores are Malware Minefields
An investigation has found that China’s numerous unofficial Android app stores lack basic security checks on the apps they distribute – and that as many as 95 percent of Android users in the country are therefore at risk of malware-filled apps that they’ve downloaded from such sources.
As PO’s resident Android geek, I’ve closely followed this trend in China that leads away from Google’s (NASDAQ:GOOG) own Android Market, to localized sources that offer faster download speeds and don’t require a Google account to use. There’s plenty of choice, too – from web giant Tencent (HKG:0700) to smaller start-ups hoping to fill a niche. A few months ago, I made a list and overview of China’s eight best alternative Android app stores.
But, this new investigation shows that even some of those are unwittingly supplying malware-tainted apps that can steal data or cost you money by, say, auto-subscribing you to SMS/MMS services.
There appear to be two kinds of Trojan apps – either a new app is developed that hides its malicious purpose (e.g. a hastily-made weather app that actually just plunders your contacts for email addresses and numbers that it can spam); or a nefarious developer pirates a well-known app and modifies it to contain his own malware.
The Chinese website TechWeb, for its investigation, made a rough app called “Hot Wallpapers” – just the kind of crappy yet populist app that sometimes hides malicious code. It had been made with a gaping security hole, to see which app stores would spot it and reject it. The reporters then submitted the dodgy app to five of the eight alt markets that I reviewed before – to GoAPK, HiAPK, Gfans, PeaPod, and the Innovation Works-backed AppChina – and, lo and behold, all five services accepted the app after a brief review process. “Hot Wallpapers” is pictured above, listed in the PeaPod market.
It’s not clear what the approval process at each market entails – but all of them missed the threat, and are thereby just blindly peddling malware, with no care for users’ security.
Although it’s the spamming and data-stealing hackers who’re to blame for this, the numerous app markets need to take responsibility too – before they get hit with a legal challenge. A Shanghai lawyer said to TechWeb that if the store charges a fee to developers and/or users, then they likely do have legal liability in the event of being sued by a victim of a malicious app.
Google itself, I feel, doesn’t do enough to ensure the security of apps – so it’s asking a lot of smaller rivals to beef up their security too. A contrasting approach comes from Apple, which takes days or weeks to more carefully vet all apps that go into its official iTunes App Store.
Smartphones carry more of our personal data than our laptops (in many instances) and yet are more likely to be subject to these kinds of dangerous apps. But that doesn’t mean we need such a ring-fenced approach as Apple takes. If using iOS is like walking around Disneyland, then using Android is like walking the streets of New York – you’re more likely to get mugged or beaten-up, but it’s the real world. We, and our smartphones, live in the real world.