
Why Google, Apple can't keep malware out of app stores

Google and Apple just removed a popular third-party Instagram app from their online stores after reports surfaced that the app was stealing usernames and passwords and then using the ill-gotten credentials to post spam to Instagram accounts without permission.

The malicious nature of the app, marketed as "Who Viewed Your Profile - InstaAgent" on iOS and "Who View Me - InstaAgent" on Android, was first pointed out this week on Twitter by a developer named David Layer-Reiss. An emailed inquiry by The Post to the contact listed for the Android app bounced back as undeliverable.

The app was removed from both companies' marketplaces by Wednesday morning. But by the time the two versions were taken down, the Android version had received between 100,000 and 500,000 downloads, and the iOS version was reported to have made the top download charts in several countries.

But how did it get into those marketplaces in the first place?

Neither Google nor Apple would comment directly on the app. But it's worth using this incident as a teachable moment about the security of mobile apps generally.

When mobile malware shows up, it often originates from third-party app stores or direct downloads. That's because Apple and Google both have systems in place to review apps before they make it into their marketplaces.

Apple has long reviewed all programs submitted to the App Store - sometimes to the chagrin of developers, who complain about lengthy wait times before approval.

The company is pretty quiet about what the actual review process entails, but it is thought to contain both manual and automated elements and is focused on making sure that apps "operate as described and don't contain obvious bugs or other problems."

And so far, its approach seems fairly effective - despite occasional proof-of-concept malware slipping through over the years, and an incident in September when malicious apps made with counterfeit copies of Apple's development software were removed.

While iOS is clearly not immune to problems, Apple's tight control over the App Store coupled with Android's larger market share has made the latter a juicier target for hackers. According to cybersecurity firm Pulse Secure's 2015 Mobile Threat Report, Apple's mobile operating system is "almost completely out of the equation for mobile malware development" due to those factors.

In comparison, Google's approach to reviewing apps for security has historically been more hands off.

The company unveiled a service, dubbed "Bouncer," that automatically scanned the marketplace for malicious software back in 2012. But it wasn't until March of this year that the company announced that all apps were being reviewed before they were published in Google Play, its app marketplace.

"This new process involves a team of experts who are responsible for identifying violations of our developer policies earlier in the app life cycle," Eunice Kim, product manager for Google Play, wrote in a blog post about the change, which was quietly rolled out several months before it was made public.

The process also includes automated elements. "Google's systems use machine learning to see patterns and make connections that humans would not," the company's latest annual report on Android security explained. Google said it analyzes "millions of data points, asset nodes, and relationship graphs to build a high-precision security-detection system."

At the time the report was published, the company said over 25,000 apps were updated to remove potential security issues due to warnings its automated systems delivered to developers.

And, as noted earlier, Android seems to attract more malware. Android apps have garnered 97 percent of mobile malware development to date and continue "to offer the lowest barrier to entry among all mobile device platforms currently available," according to the Pulse Secure report.

Google's efforts to clean up its app market have relegated almost all of that bad software to third-party app stores, the report said. However, malicious apps still seem to show up within Google Play fairly often.

And some experts warn there's likely more malware lurking in Apple's and Google's official app stores than we think.

"This is just one of probably thousands of malware that aren't caught," said Tyler Shields, a principal mobile security analyst at Forrester Research. In some cases, it may be very hard to tell what even is malware because questionable practices may be more discreet, he said.

Shields also worries that Apple's and Google's review processes are too opaque, so it's hard to evaluate how effective they are - and that the business model that underlies app stores doesn't lend itself to the most stringent security practices.

"At the end of the day, Google and Apple will only be incentivized to improve security to a certain point," he said. "They make money by having more apps in the app stores, and having apps that contain in-app purchases." If something is obviously malware, they'll reject it, but an app that may be borderline or has hidden its malicious intent well will be more likely to make the cut, he said.

Shields recommends that consumers be careful about which apps they install on their phones and look closely at who developed them. He also suggests using a mobile anti-virus product from a well-known cybersecurity vendor.

"While it's not going to be foolproof, it'll help," Shields said.
