Android Market's instant app download a security threat, Sophos says

Malware could be downloaded instead if customers' Google passwords are compromised

Android Market's instant-download feature for applications that customers buy has a flaw: It could open up Android devices to malicious downloads from attackers, according to security firm Sophos.

Learn more: Smackdown: Android Market vs. iPhone App Store

The problem is that when customers buy applications for their Android devices, they are downloaded to the devices right away - without the customer having to approve the actual installation of the software, Sophos virus researcher Vanja Svajcer says in a blog post. 

That could leave the device open to anyone who manages to steal its owner's Google password, says the security firm. "In summary," Svajcer says, "if someone managed to steal your Google password they could trick your Android smartphone into installing software, without you having to grant permission on the device itself."

The blog notes that when the applications are downloaded, it is done in the background, so customers would likely not be aware.

"The result of all this is that a Google password suddenly becomes even more valuable for potential attackers, and I would not be surprised to see even more Gmail phishing attacks as a consequence," Svajcer says.

Sophos recommends that Google change the procedure so customers have to approve the downloads. In the meantime, the company recommends that customers make sure they have strong passwords that are not easily guessable for their Google applications accounts.

Learn more about this topic

Android: We're Number One!

Developers give new Android Market a thumbs-up

Web store and in-app purchases coming to Android

Insider Tip: 12 easy ways to tune your Wi-Fi network
Join the discussion
Be the first to comment on this article. Our Commenting Policies