Google last week announced it’s beefed up security at the Android Market with a malware sniffing system called “Bouncer.”
Bouncer analyzes new and existing apps, as well as developer accounts. Before apps are allowed to be sold in the market, they’re analyzed to see if they contain any known malware, spyware or trojans.
Apps will also run in the Google cloud to see if they’re exhibiting bad behavior.
In addition, the bona fides of new developers are reviewed to prevent malicious devs from returning to the market after they’ve been eighty-sixed by Google.
Bouncer received plaudits from some security experts. “Its a good first step to add an entry barrier to upfront malicious apps,” Trend Micro Threat Research Manager Jamz Yaneza told TechNewsWorld.
“Over time, filters, including improved sandboxing and heuristics, will add a better layer,” Yaneza added.
“This is a good and really necessary move Google is taking,” Kaspersky Lab’s Global Research and Analysis Team Leader for Latin America Dmitry Bestuzhev told TechNewsWorld.
The effectiveness of Bouncer will depend on the quality of the software it uses to detect malware, he added.
Emulation is also a good tool, but clever malware writers will program their software to act innocently when it detects an emulation is being run on it, he explained.
Finally, vetting new developers is a good idea as well, he noted, but that will probably lead to miscreants hacking into trusted accounts.
“If a developer is already known and trusted by Google, that developer’s account will be a prime target for cybercriminals,” he said.
Fighting Domain Spoofing
Some heavyweights in the email space announced last week a new specification that they hope will curb phishing on the Internet.
Google, Microsoft, Yahoo and AOL pulled the wraps off Domain-based Message Authentication, Reporting and Conformance, or DMARC.
Currently, it’s far too easy for spammers and phishers to fake where their email originates. For example, someone “phishing” for information to break into your bank account might request that info by sending you a message using the domain of your bank. DMARC is aimed at making that kind of spoofing harder.
For years, several authentication methods have been used by email providers. However, “there hasn’t been a decrease in spam or phishing over the years because these standards don’t interoperate and there hasn’t been a broad adoption of them,” Dave Jevans, chairman of the Anti-Phishing Work Group, told TechNewsWorld.
What DMARC does, essentially, is allow an email operator to refuse delivery of an email message if it isn’t from where it says its from. So if a message says it’s from your bank, an email operator can check the bank’s DMARC record, compare it to the routing information in the message, and if the two don’t jibe in some way, ditch the message.
While DMARC is a step forward in the battle against malmail, it’s by no means a silver bullet. “We’re still going to have phishing 20 years from now,” Jevans predicted.
Breach Diary
- Jan. 28: Unknown parties breached the Portuguese website of Universal Music Group and post more than 150 names and passwords of users to the Internet.
- Jan. 31: Anonymous breached the computers of the Salt Lake City Police Department and posted more than 1,000 names and passwords to the Internet in protest of a bill filed in the Utah Senate that would prohibit the possession of “any instrument, tool or device that is commonly used to make graffiti with the intent to deface the property of another.”
- Jan. 31: An unknown intruder breached a Polish coin-collecting website and posted more than 5,200 names and passwords to the Internet. No reason for the attack was stated by the hacker.
- Feb. 2: Verisign acknowledged that it had been repeatedly breached by unknown parties during 2010. The company did not disclose any details on what data was stolen by the intruders but stated it did not believe the attacks breached its servers that support the Domain Name System for more than half the Internet.
- Feb . 3: Anonymous posted to the Internet a 17-minute recording of a conference call between the FBI and Scotland Yard in which evidence and plans against the group were discussed, as well as the email addresses of more than 40 law enforcement officials who received a memo about the conference.
Calendar
- Feb. 8: “Ghosts of XSS — Past, Present and Future.” 11 a.m.-12 noon. Free webinar sponsored by White Hat Security.
- Feb. 8: “Suits and Spooks II: Shaping A Revolution in Security Affairs.” 7:30 a.m.-4:30 p.m. Waterview Conference Center, Arlington, Va.
I’m glad Google has taken the initiative to improve security on the Android platform. Their system "Bouncer" maybe could be comparable to Apple’s review process for apps to make it into the App Store.