February 07, 2011, 2:47 PM — For Android phone users, the newfound convenience of installing apps remotely from the Android Market Website also opens up a security hole for malware.
Google updated the Android Market Website last week to include landing pages for every app along with remote installation, which lets users visit an app page on their computers and send installation instructions to their phones over the air. But as Sophos warns, there are no safeguards on the phone side to prevent someone from installing malicious software.
When you click the "Install" button on the Android Market Website, it's as if you had just pressed the same button on the phone's Android Market app. The software quietly downloads in the background, and a small note pops up in the notification bar when installation is complete.
So if someone gains access to a user's Google account, the user might not notice when that person installs a bunch of software that can, say, send and receive text messages or transmit contact lists.
To be clear, malware purveyors are powerless without the Google account name and password associated with a phone. And if you're using other Google services like Docs or Gmail, you may have bigger problems if someone steals your login information. (All the more reason to pick a good password and protect it well.)
Still, I can't argue with Sophos' recommendation for Google: "As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed," researcher Vanja Svajcer writes.
Remote installation is a valuable feature, but a little more information on the phone side -- a dialog box along the lines of "Here are the apps you just installed from the Web" -- would give users a crucial last line of defense against an attack.
