<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="http://blogs.forum.nokia.com/styles/rss.css" type="text/css"?>
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://my.netscape.com/rdf/simple/0.9/">
 <channel>
  <title>Gabor Torok's Forum Nokia Blog - Malware on Android: It has begun</title>
  <description>Forum Nokia Blogs</description>
  <link>http://blogs.forum.nokia.com/summary.php</link>
 </channel>
    <item>
     
   <title>No, I really think it&#039;s a red herring</title>
   <description>&lt;p&gt;The majority of malware on PCs doesn&#039;t get there because people installed it on purpose.  There is no distribution mechanism to allow a similar spread of malware on phones at the moment.&lt;/p&gt;
&lt;p&gt;For applications that are installed on purpose I believe it will be far more effective to fight malware with a highly visible community review system than some kind of central signing scheme.  What I&#039;m saying is that I honestly don&#039;t believe the CA adds enough value to be worth the costs involved, including the impact on the developer community and development process.&lt;/p&gt;
&lt;p&gt;I do think that other models could be explored relating to identity and trust - for example, if AAS have extensively reviewed a piece of software and it carries a signature that verifies this is the same version they installed, then I&#039;d be pretty certain that it wasn&#039;t going to turn my phone into a brick.&lt;/p&gt;
&lt;p&gt;You can&#039;t beat all malware in this way though - what if there&#039;s a trojan in a really useful looking application that only activates the malicious functionality a random number of days after install?  How long would it take to identify it as malware via any means?&lt;/p&gt;
&lt;p&gt;When there&#039;s a real market and open distribution model for smartphone applications they will be a more attractive target for malware, whatever signing scheme is in place.  When that happens, there will also be a real market for online backup of personal data and probably also some form of virus protection.&lt;/p&gt;
&lt;p&gt;The worst malware is usually inserted in or attached to copies of genuine applications by a third party - i.e. your typical virus writer either can&#039;t be bothered to write, or isn&#039;t capable of writing, a genuinely good application that will spread his virus.  This usually happens without the knowledge of the original author.  Something like what we have now with Symbian Signed could be adapted to help prevent this - I don&#039;t see the CA as a critical part though; developers&#039; own certificates attached to their Symbian Signed accounts would do just as well.&lt;/p&gt;
</description>
   <link>http://blogs.forum.nokia.com/blog/gabor-toroks-forum-nokia-blog/2009/01/27/malware-on-android-it-has-begun#comment24732</link>
  </item>
    <item>
     
   <title>Disagree to agree :)</title>
   <description>&lt;p&gt;Well, first, CA-signing helps to prevent from writing even more malicious applications that can do even bigger damages. If it didn&#039;t act as a gatekeeper malware could spread freely, no? I agree that self-signed apps can also do big damages, but without CA-signing the situation would be even worse.&lt;/p&gt;
&lt;p&gt;Second, what about requiring CA-signing for *every* application? Like what Apple does. That would also be an option, though I must admit that it&#039;d have both positive and negative effects. Positive in the sense that full-accountability would result in less malware, negative in that freeware wouldn&#039;t spread quickly. Though AppStore&#039;s biggest successes are those applications that are sold at $0.99 ...&lt;/p&gt;
</description>
   <link>http://blogs.forum.nokia.com/blog/gabor-toroks-forum-nokia-blog/2009/01/27/malware-on-android-it-has-begun#comment24730</link>
  </item>
    <item>
     
   <title>Agree to disagree</title>
   <description>&lt;p&gt;What does CA-signing really do?  Does the CA do anything, or provide any kind of guarantee?  I think you&#039;ll find the answer is no.  It&#039;s like the guards with guns at an airport - only there to make the good people feel safe and the potential offenders scared - they aren&#039;t actually going to shoot anyone.&lt;/p&gt;
&lt;p&gt;Think about it - if you&#039;re planning to distribute malware on Symbian or Android you&#039;re not going to sign up to anything with your real details!  The credit card you use to pay is as good for determining your identity as the company you buy off-the-shelf in some country that doesn&#039;t have much in the way of identity requirements.  The only difference is that Symbian&#039;s system is a little more expensive, which will keep some of the &quot;script kiddies&quot; away.  However, you can develop some extremely damaging malware, including most of the types people would most like to avoid (deletion of personal data &amp;amp; running up huge bills with the network) with only self-signed capabilities, and without a central market there&#039;s no control mechanism.  You could also argue that the lack of a central market is a key reason why Symbian malware hasn&#039;t really spread!  It&#039;s also a reason why genuine applications haven&#039;t really spread either.&lt;/p&gt;
</description>
   <link>http://blogs.forum.nokia.com/blog/gabor-toroks-forum-nokia-blog/2009/01/27/malware-on-android-it-has-begun#comment24727</link>
  </item>
    <item>
     
   <title>CA-signing would still help</title>
   <description>&lt;p&gt;Mark,&lt;/p&gt;
&lt;p&gt;Requiring CA-signing for distribution on Android Market would help, I&#039;m sure about it. Not in this particular case, I admit, but in the future. Developers should see that no malware distribution remains unpunished. Please note that it&#039;s another question, as rightly pointed out by Marcus, whether MemoryUp is malware per se.&lt;/p&gt;
</description>
   <link>http://blogs.forum.nokia.com/blog/gabor-toroks-forum-nokia-blog/2009/01/27/malware-on-android-it-has-begun#comment24723</link>
  </item>
    <item>
     
   <title>Hmmm, not sure I agree</title>
   <description>&lt;p&gt;I don&#039;t think CA signing would help in this particular case, and indeed on Symbian OS you could easily write a self-signed intentional malware application that deletes all of the users data that is stored in public locations (like their photographs and even contacts).&lt;/p&gt;
&lt;p&gt;Actually I&#039;m not sure the Symbian security model has any advantage over the Android one here - the certificate used identifies the user account on Android Market and that could be barred from future use.&lt;/p&gt;
&lt;p&gt;I theory certificates can be revoked and all devices can get a push alert so they won&#039;t install an application that has already been signed by the certificate - in practice I don&#039;t believe any such infrastructure exists on any mobile platform.  Removal of an application from a central application store seems like the most effective means of blocking further distribution that anyone has at the moment.&lt;/p&gt;
</description>
   <link>http://blogs.forum.nokia.com/blog/gabor-toroks-forum-nokia-blog/2009/01/27/malware-on-android-it-has-begun#comment24722</link>
  </item>
    <item>
     
   <title>Really a virus, or just a bad application?</title>
   <description>&lt;p&gt;After a quick &quot;google&quot; on MemoryUp, I came up with this page&lt;/p&gt;
&lt;p&gt;http://www.emobistudio.com/memoryup_android.html&lt;/p&gt;
&lt;p&gt;so I wonder if we are talking about the same thing, as this makes it look to me as if this is at most &quot;snake oil&quot; with bad side effects, but would not qualify as a virus (even if just because it lacks propagation).&lt;/p&gt;
&lt;p&gt;This still leaves the question of who polices the quality of apps on an &quot;open&quot; market, but bugs leading to data loss probably need different solutions than software that is intentionally malicious.&lt;/p&gt;
</description>
   <link>http://blogs.forum.nokia.com/blog/gabor-toroks-forum-nokia-blog/2009/01/27/malware-on-android-it-has-begun#comment24718</link>
  </item>
  </rdf:RDF>