updated 04:50 pm EST, Thu February 2, 2012
Google details Bouncer and says
Google's Android engineering VP Hiroshi Lockheimer has detailed a malware screening process at Android Market that the company has quietly been running for the past year. Known as Bouncer, it automatically scans both incoming and existing apps for recognizable malicious code. The routine also runs the apps themselves and checks for hostile behavior in practice.
The mobile OS developer also went on the defensive, reacting to a since-retracted Symantec claim that millions of Android devices might have malware infections. Google pointed to Android Market having a 40 percent drop in "potentially-malicious" apps over 2011. This was around the same time that companies were claiming Android malware was growing, Lockheimer said.
He reiterated some of the common tropes of Android's security measures, including sandboxing, an explanation of app permissions before downloading an app, and Google's ability to remotely pull apps if they're found to cause a problem later.
While potentially challenging the opinions of McAfee, Lookout, and other companies that have described a swell of Android spyware and viruses, the comments also gloss over genuine problems Google has had. Bouncer now appears to have been partly ineffective, since it let malicious apps through multiple times over the course of 2011, and they weren't caught until days later, after possibly thousands of devices had been infected. As described, it can't catch zero-day exploits and could still let scam apps through the store until it's too late.
Permissions have similarly been a regular point of criticism. Much like Windows Vista's over-aggressive security prompts, Android's permissions have often been criticized for not being clear and important enough to make users pay attention. They only catch certain instances of suspicious activity and won't find instances where calls, messaging, or other behavior was already expected.
Although Lockheimer noted that "no security approach is foolproof," there has yet to be an instance of genuinely malicious apps on the iOS App Store, where Apple requires active human approval rather than automatic screening. What code has existed has so far either been a deliberate experiment from a security expert or limited to jailbroken devices, where the OS' usual defenses have been lowered.