December 21, 2014

Rogue Phishing App Found in Android Marketplace

It was recently discovered that an application on the Android Marketplace posing as a legitimate banking application was in fact a phishing app built to collect user names and passwords. Although the malicious application was quickly identified and removed from the Android Marketplace, you are still advised to check your device for any applications from the developer “Droid09” and delete them immediately. The application targeted customers of First Tech Credit Union. The credit union wants its customers to be aware of this type of fraud, and also states that accessing an account through the device’s web browser is unaffected: the app did not break into the bank’s systems, it simply asked customers to type their credentials into a fake login screen.

This incident raises the question of whether Google’s application review process is really as secure and effective as it should be. Once a developer posts an application to the Android Marketplace, users can download it within an hour. One of the biggest attractions of Android over the iPhone, for developers and users alike, is that applications do not sit through a lengthy review and users can install any kind of application no matter what purpose it serves; malicious ones were never supposed to be part of that bargain.

So I pose this question to you: should Google revisit the Marketplace’s policies and review process, or is it fine as it is?

(via First Tech Credit Union)

@MatthewPatience



  • Jimbo831

    I think the application review process is just fine as is. People need to use common sense to combat these types of problems. If an app is asking for your financial information, do your research before providing it. I use the Mobile Banking app for Android with my US Bank account. Before I entered my information, I researched this information on US Bank's website where they showed their compatibility with this software and how it works. If your Bank makes no reference of it or doesn't know about it, don't use it. I don't think all of us should suffer through a horrible app review process because of the few gullible people with no common sense.

    • Guy

      You mean the way people used common sense with sensitive information and downloading malicious apps on Windows? People typically don't use common sense. Even now after all this time and that most people SHOULD be aware of potential problems, they still hit that download/install button for those "free" emoticons.

      This time it was pretty lame (though some people apparently did get hit, I haven't seen anything from most of these articles or from the bank that specified numbers), next time maybe it won't be. Android is a relatively new OS and extra special care needs to be taken so that it doesn't become that "problem" mobile platform. I use an iPhone but that doesn't mean that Apple shouldn't have great competition.

      • http://intensedebate.com/people/eksortso eksortso

        True, most people typically don't use common sense. Those people get punished for their foolishness. I would never be a perpetrator, but it's because of malevolent folks that "Let the Buyer Beware" became a prevailing attitude.

        Apple is bound by their own conventions to provide a flawless experience for their users. But that means that they, and practically they alone, are obligated to set eyes on every piece of software that they want to offer through their store. If the Android Market can strike a decent balance between oversight and openness, then the Android experience will improve as long as thoughtful and cautious people working with Android add to its value. Those people are both the developers who make the apps and the users who use them.

        • http://twitter.com/stotch @stotch

          "most people typically don't use common sense."

          If that's the case, that just means that they _are_ using common sense. Common sense is, "ooh! Neat! I'll take that!" Uncommon sense is, "hm, this looks suspicious. I'll examine it more thoroughly before indulging."

          If Google wants a strong market share and loyalty from its customers in the mainstream consumer electronics or PDA phone markets, they're probably going to need to compensate for modern day "common sense" and adopt a more skeptical approach to the offering of applications written by third-parties. Or they can let it be open, but have a key-sign approach to it where Google can sign off on verified applications so that the user knows that the current app they're considering downloading has been verified as authentic by Google or a big red sign that says "Not Verified" or something if not yet validated.

  • http://soft.antonspaans.com Streets Of Boston

    As a developer, I wouldn't like a cumbersome application review process like the one used for the iPhone.

    However, I wouldn't mind a form of voluntary 'developer review & verification' process, secure and reliable, so that when customers buy from a developer they can be sure that his/her products are not malicious. This 'process' wouldn't say anything about the quality of the applications. It would just verify and prove the reputation of the developer.

  • http://intensedebate.com/people/droidin droidin

    Given a choice I would take iPhone-style review over Google anarchy. And not just for security reasons. Things like browser bookmarks, endless RSS viewers, half-baked and broken apps should be weeded out by some sort of process which I as developer with apps on market will not mind at all but as user will definitely benefit from.

    • Robert

      It's an excellent point that "half-baked" apps have no business being presented for general use. Perhaps this is another reason for having an optional application certification process: if I want to release an application for testing by a larger group of users (perhaps I'm writing a massively parallel role-playing game), I would like to be able to release to people who are interested in it and willing to help test the network, despite the fact that it wouldn't pass muster in the review process. In fact, this kind of large scale pre-release has often been used by cellular / mobile carriers so that they can broaden their network testing without alienating the "it should just work" customers.

  • Robert

    This is a tough issue. While I am not in favor of Apple's draconian control of the application process, I realize that their motivation is to ensure a feeling of safety for their users. Consider that the iPhone is targeted at general consumers who don't have the wherewithal to differentiate between trustable and dangerous applications and authors; without guidance, these users are likely to succumb to fear and uncertainty and decide that smartphone apps just aren't safe. When that happens, the iPhone fails to reach its target audience, and we all lose (mass appeal drives down the cost for technology).

    Given all that, I still personally can't condone the censorship and capricious nature of the Apple approval process. The motivation for developing applications starts to disappear when developers can't rely on selling an application (even when "selling" it for free); and this, again, is bad for everyone, developers and consumers alike.

    Catch-22! The best solution I can think of is to have a two-stage system. Applications are admitted into the market using the current process; but there should also be a "vetting" process that allows applications to be certified as safe. This could be handled by Google or conceivably by a reliable open group; there are many options. Whatever the certifying group, the process must be open and reliable so that consumers can get "safe" applications without forcing developers to eschew the certification process (and any associated time or fees). Applications could be submitted to the market place and then later re-submitted as certified applications (replacing the original one).

    Why wouldn't all developers want their apps to be certified? Developers selling consumer games and applications certainly would; but then developers, writing for the developer community (or for their friends), wouldn't need to do this at all (just look at the jail-broken iPhone ecology).

    There are many arguments in both ways, but I think this approach is the most balanced.

    • http://intensedebate.com/people/droidin droidin

      I absolutely agree that the "general consumer" will shoot herself in the foot given the slightest chance. I always laugh when developers demand discretion from their users. Your app/phone/device will be abused in the most awful and unspeakable ways and it is your job (as a developer) to protect the user as much as possible.

  • Justa Notherguy

    > […] we start to wonder whether Google’s application review process is really
    > the most secure and effective.

    'We' do, do 'we'?

    Well, despite Apple's glacially slow and frustratingly obtuse review system,
    Storm8 slipped through a game with a phone-number logger… and they say
    it wasn't even done intentionally:

    http://consumerist.com/2009/11/iphone-app-develop

    So, what might they have included on _purpose_? A key-logger? I have no
    doubt that was a possibility.

    Do 'we' wonder about Apple's system, as well? We damn well should.

    • http://dangerismymiddlename.co Paul Danger Kile

      I suspect that Apple’s review process has far more to do with branding and the monopolistic tendencies of Steve Jobs than it does with consumer protection.

  • Rich

    I'd like to see an optional, more rigorous review. Developers could decide if they wanted the more rigorous review (which would delay its appearance on the Market). Apps that have had the more rigorous review would be marked (and could be searched).

  • http://twitter.com/MatthewPatience @MatthewPatience

    I didn't think I'd spark so much debate, odd thing is that this incident happened back in Mid-December of last year. I really like @Robert's idea for a certification process, although it isn't perfect I think it's the best possible solution. (Sounds kind of like certified Facebook or Twitter Accounts).

  • spavis

    I like Rich's idea too, though it opens up the discussion to whitelist vs. blacklist.

    Even if you keep the instant publishing format and add in an optional certification step afterwards, you're going to end up with a long backlog of apps that want to get certified and be in the same boat as Apple, with long wait times and users then only considering certified/whitelisted apps.

    Apple and Facebook whitelist.
    Wikipedia and Craigslist blacklist.
    Twitter both whitelists (verified accounts for celebrities) and blacklists (deletes accounts of spammers).

    Not every Joe Schmoe with a Twitter account is eligible for the "verified" badge, and maybe that should carry over to Android apps. Maybe only a certain class of apps, banking or shopping apps (anything that gets hold of your money), could be eligible to be certified, whereas games and other utilities that require no personal information wouldn't be eligible or expected to be verified.

    And maybe flagging apps could be stepped up with software analysis akin to Apple's (though theirs is simple, only flagging private API calls and such). So when an app is published it's put through software analysis, and if any anomalies crop up a warning badge can be put on the published app's page, allowing the developer to address it and notifying a peer/Google review group to look it over. That would clue the community in to apps that should be reviewed, rather than relying solely on user-reported problems, and would warn consumers about possible issues without preventing them from downloading the app. If the problem was erroneous, the warning badge would be removed and the app could then be certified (if necessary).

    The biggest problem, of course, is implementation. Either Google would have to create a different or more rigorous review process top-down, or it would have to develop bottom-up from developers, similar to Wikipedia's editor community, and that would depend on the unification of the community.

  • http://intensedebate.com/people/Raphaels Raphaels

    Common sense would not let me use an app for banking not made or approved by my bank.

    We already have the "Rate It!" system, plus reviews to alert other users. Then there is "Flag as inappropriate"… shouldn't all that be enough to let users look after the Android Market, without anything that would stop developers from being free and quick to push updates to the Market?

  • http://intensedebate.com/people/gshocker gshocker

    I think common sense would be the way to go for an open source product, but consumers will do stupid things at times. It might be good to have a secondary store, or maybe a certified section of apps that the developer has paid Google to review. This way not everyone needs to go through the process, and Google gets paid for its time to certify that an app is not malicious.

    I myself certainly look at some apps that access everything and wonder why they need that. If it is a well-known developer I am not too worried, but the access review that the store shows you has certainly kept me from installing a few strange apps.

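Added example, not part of the original post or its comments: a small Python triage pass of the kind spavis (automated analysis that flags anomalies when an app is published) and gshocker (looking at the permissions an app requests) describe above, applied to the case in the post. It combines two checks: whether an app whose label borrows a financial institution's name is signed with a certificate fingerprint that institution has published, and whether it requests permissions a banking front-end has no reason to need. The manifests, package names, certificate bytes and the suspect-permission list are all constructed for illustration; a real APK carries its manifest as binary XML, so decoding it to text is assumed to have happened already, and the published fingerprints would have to come from the institution itself (the one here is derived from a stand-in byte string).

```python
"""Triage pass for an Android app submission (added example, not the post's
own code). Every input below is constructed for illustration."""
import hashlib
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permissions a banking front-end has no business requesting. The list is an
# assumption made for this example, not a published Market policy.
SUSPECT_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.PROCESS_OUTGOING_CALLS",
}

# Label words that suggest the app handles money and therefore credentials.
FINANCIAL_WORDS = re.compile(r"bank|credit union|checking|savings", re.I)


def parse_manifest(manifest_xml: str) -> dict:
    """Extract package name, label and requested permissions from a decoded
    AndroidManifest.xml (binary-XML decoding is assumed to have happened)."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    label = app.get(ANDROID + "label", "") if app is not None else ""
    permissions = {el.get(ANDROID + "name", "") for el in root.findall("uses-permission")}
    return {"package": root.get("package", ""), "label": label, "permissions": permissions}


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a signing certificate in keytool's colon-separated form."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def triage(manifest_xml: str, cert_der: bytes, published_signers: dict) -> list:
    """Return warnings for one submission.

    published_signers maps an institution name, as it would appear in a genuine
    app's label, to the set of signing-certificate fingerprints that institution
    has published. An app that uses such a name but is signed by some other key
    is the pattern from the post: the branding is borrowed, the key is not.
    """
    info = parse_manifest(manifest_xml)
    fingerprint = cert_fingerprint(cert_der)
    warnings = []

    if FINANCIAL_WORDS.search(info["label"]):
        claimed = [name for name in published_signers if name.lower() in info["label"].lower()]
        if not claimed:
            warnings.append(
                f"{info['package']}: financial-looking label '{info['label']}' "
                "matches no institution with a published signing key"
            )
        for name in claimed:
            if fingerprint not in published_signers[name]:
                warnings.append(
                    f"{info['package']}: label claims {name} but signer {fingerprint} "
                    "is not one of that institution's published keys"
                )

    unexpected = sorted(info["permissions"] & SUSPECT_PERMISSIONS)
    if unexpected:
        warnings.append(f"{info['package']}: requests {', '.join(unexpected)}")
    return warnings


# --- constructed sample data (not real certificates or package names) --------
GENUINE_CERT = b"stand-in DER bytes for the credit union's real signing certificate"
IMPOSTOR_CERT = b"stand-in DER bytes for a self-signed key nobody has published"
PUBLISHED = {"First Tech Credit Union": {cert_fingerprint(GENUINE_CERT)}}

GENUINE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ftcu">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="First Tech Credit Union Mobile"/>
</manifest>"""

IMPOSTOR_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ftcu.lookalike">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="First Tech Credit Union Mobile"/>
</manifest>"""


def demo() -> dict:
    """Run both submissions; the genuine one should come back clean."""
    return {
        "genuine": triage(GENUINE_MANIFEST, GENUINE_CERT, PUBLISHED),
        "impostor": triage(IMPOSTOR_MANIFEST, IMPOSTOR_CERT, PUBLISHED),
    }


if __name__ == "__main__":
    for name, warnings in demo().items():
        print(name, "->", warnings or ["no findings"])
```

The signer check is the part that actually separates the genuine app from a look-alike: a phishing app can copy the name, icon and login screen, but it cannot be signed with the institution's private key, so an institution that publishes its certificate fingerprint gives both the store and cautious users something concrete to compare against. The permission check is weaker on its own (a well-made phishing app can ask for nothing but INTERNET), which is why it is reported as a separate warning rather than used as the deciding signal.
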
  • http://twitter.com/okcnyyfan @okcnyyfan

    I may be a cynic, but why in the world would you download a bank app NOT from your bank? Not exactly brilliant.

  • http://twitter.com/slayerboy @slayerboy

    Here's what you do. Let the free market run FREE. Google doesn't need to do ANYTHING with this situation.

    If I had any kind of developing skills, I would pounce on this opportunity and contact as many developers as I could on the Market and start a developer-volunteered project mixed with regular user feedback to make some kind of easy process to identify that an app is safe. Something like the WoT add-on that Firefox uses. Maybe something like "This application has been certified as a Trusted Android Application according to Trusted Android Certification…" in the application description or something like that.

    The difference between letting users protect themselves on Android vs. Windows is not even a fair comparison. On Windows, code can be run without a user even having to do anything (open up any website with an advertisement in IE or even Firefox). On Android, you have to install the application in order for it to even get on your phone. The argument is better made comparing security in Android to Linux (since Android = Linux). In the Linux world, you are very unlikely to get a virus or malicious software unless you INSTALL it!

    I love the idea of having some kind of certification, but in reality, if you can't research an app before you install it when it comes to personal information, maybe a smartphone isn't for you?

  • https://muhammadf0628.student.ipb.ac.id farhad

    We need to ensure that it's secure and reliable.

  • Pingback: mocoNews Quick Hits 1.11.2010 — paidContent
