Holy Terms of Service, Google Zaps Apps Remotely From Droids
Apps for Android devices that are deemed malicious can and will be nuked by Google. In a recent case, Google did just that by demonstrating its ability to remotely detonate apps that were misrepresenting themselves.
In this case, two apps built by a security researcher were suspected of being malware. According to Google's Android Developers blog, "these applications intentionally misrepresented their purpose in order to encourage user downloads." Instead they were used with ill intent to access the private data of users. Google has not revealed the names of the applications or the developers, but said they were applications that were said to have been built for research purposes (see the update below that identifies the researcher and motive behind creating this app).
While most users did not see any value in the applications and uninstalled them on their own shortly after downloading them, Google decided per the Android Market Terms of Service to exercise their 'remote application removal feature' on the remaining installed copies to complete the clean-up.
The remote feature is one of many security controls Android possesses to help protect users from these types of malicious applications. In case of an emergency, a dangerous application could be removed "from active circulation in a rapid and scalable manner to prevent further exposure to users." According to the Android Developers blog, "while we hope to not have to use it, we know that we have the capability to take swift action on behalf of users’ safety when needed."
While Google notifies users when it removes an application from their phones, it's unclear why it chose to publicly discuss the removal of this particular application on its blog. Last year, in a filing with the U.S. Federal Communications Commission, Google said that it had taken down about 1 percent of applications that had been uploaded to the Android Market because they failed to comply with Google's terms. It did not describe such takedowns on its blog each time they happened.
Many other companies have similar remote "kill switches" for their devices, and Google has attracted little criticism for this tactic compared to some other online companies. In July, Amazon was asked to address criticism from users after it remotely deleted George Orwell’s 1984 from Kindle's eBook readers following a copyright violation. Two years ago, Steve Jobs confirmed that the Apple iPhone and iPod touch had a kill switch that enabled Apple to remotely delete malicious or inappropriate apps (porn apps being the most recent).
Update - June 25 - Forbes uncovers the culprit behind the "malicious app." The Android apps were created by security researcher Jon Oberheide to demonstrate a method of creating a "botnet" of hijacked phones. By cloaking an application as one capable of offering preview pictures of the upcoming "Twilight Eclipse" film, he tricked more than 300 users into downloading the software. After it's installed, the app periodically "phones home" to check for any new code that Oberheide wants to add to the program, including malware.
Like most researchers who publicly reveal their hacks, Oberheide isn't aiming to hijack users' phones--only to demonstrate the vulnerability of Google's system in the hopes that the company will fix the problem. If it doesn't, it may be only a matter of time until a hacker with fewer scruples and less regard for Robert Pattinson fans discovers the same trick.
The lesson: a less friendly developer could have used that bait and switch to plant malware on users' devices.