In addition to adding new multi-user capabilities and a panorama feature, the upcoming Android 4.2 release will introduce new security features which, until now, Google has been surprisingly quiet about. In an interview with Computerworld, Hiroshi Lockheimer, VP of Android Engineering at Google, detailed two new security features in the latest version of the mobile operating system – a reputation service for apps and a system to protect users from being ripped off by expensive premium rate texts.
Version 4.2 of Android includes what is essentially cloud-based anti-virus software, which warns against known malicious files on request. If the “Verify apps” option is selected, prior to installing an app from a source other than the official Play Store (a process that is also known as sideloading), Android will check a signature of the APK installation file with a Google server. If the server classes the signature as belonging to “dangerous malware”, installation will be blocked. If the app is known to be safe, the installation will proceed unimpeded. There is also an intermediate stage for apps that have “raised red flags” and been classified as suspicious but show no definite evidence of harm; in these cases, users will be warned of the risks and allowed to choose if they want to install the app anyway.
Google collects information on the intent of apps primarily through its Play Store infrastructure. To weed out malicious apps, Google runs all apps which are accepted into the official download catalogue on its Bouncer anti-malware system. As a result, the company now has a database of more than 700,000 apps and their behavior. In the interview, Lockheimer mentions that Google also scans .apk installation files on the web.
Android 4.2 will also warn the user before sending a premium rate SMS message. Premium rate texts are currently the most lucrative fraud technique for malware apps. Whilst the extent of the problem remains modest in the UK and Germany, some other countries are reporting something of a plague. A French hacker, for example, is reported to have lightened the pockets of 17,000 people by a total of €500,000. The problem is also costing users in China millions.