Skip Links

Android Market's instant app download a security threat, Sophos says

Malware could be downloaded instead if customers' Google passwords are compromised

By , Network World
February 08, 2011 09:13 AM ET

Network World - Android Market's instant-download feature for applications that customers buy has a flaw: It could open up Android devices to malicious downloads from attackers, according to security firm Sophos.

Learn more: Smackdown: Android Market vs. iPhone App Store

The problem is that when customers buy applications for their Android devices, they are downloaded to the devices right away - without the customer having to approve the actual installation of the software, Sophos virus researcher Vanja Svajcer says in a blog post. 

That could leave the device open to anyone who manages to steal its owner's Google password, says the security firm. "In summary," Svajcer says, "if someone managed to steal your Google password they could trick your Android smartphone into installing software, without you having to grant permission on the device itself."

The blog notes that when the applications are downloaded, it is done in the background, so customers would likely not be aware.

"The result of all this is that a Google password suddenly becomes even more valuable for potential attackers, and I would not be surprised to see even more Gmail phishing attacks as a consequence," Svajcer says.

Sophos recommends that Google change the procedure so customers have to approve the downloads. In the meantime, the company recommends that customers make sure they have strong passwords that are not easily guessable for their Google applications accounts.

Read more about security in Network World's Security section.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News