Email stealing Android threat imminent?


Up until now, mobile malware has received plenty of hype, even in lieu of a threat to justify the hysteria.

Yet this is set to change, possibly even before this year is through, according to one security pro.

Before 2011 closes, head of BitDefender Online Threats Lab Catalin Cosoi thinks we will see the first rogue Android app able to intercept and redirect email.

"It is very easy to create a malicious app to take emails and send them somewhere else," Cosoi told IT Pro

"All you need to do is ask for permission. If people want an app, very few will look at permissions."

So when might we see such an app? "I guess by the end of the year," Cosoi added.

If such a rogue app does appear, it will be a big threat to business, particularly given the amount of sensitive company data is sent via email, he said.

It is very easy to create a malicious app to take emails and send them somewhere else.

To dupe users into accepting these permissions, cyber criminals may decide to have their apps pose as productivity software.

Some legitimate productivity applications already ask for permission to access users' emails. The hugely popular Quickoffice Pro, for instance, asks to be able to read Gmail messages.

A malicious app would do the same, but then send emails to cyber criminals for potential financial gain.

Cosoi said the Google Android security model was flawed, as the company was pandering too much to developers.

Instead of focusing time on ensuring each and every app was perfectly safe for users to download, Google is placing too much emphasis on making it easy for devs to get their software on the Android Market, Cosoi claimed.

"They don't test security very well," he added.

"[Once you've created an app], you only need about two minutes before it is on the market."

Google said it didn't have a comment on Cosoi's comment, instead pointing to this Android developer policy page.

Time to market?

There is little information on how long it takes to get an app up on the Android Market after creating it, and on whether Cosoi was right in his assertions.

However, Google's online documents hint that much of the power lies in the hands of the developer.

"To publish your application on Android Market, you first need to register with the service using a Google account and agree to the terms of service. Once you are registered, you can upload your application to the service whenever you want, update it as many times as you want, and then publish it when you are ready. Once published, users can see your application, download it and rate it," the Android Developer site reads.

Nevertheless, Google is fairly convinced its security model protects users.

"A central design point of the Android security architecture is that no application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user," the developer site read.

Android has gained plenty of hacker attention in the past year. McAfee data from last month showed the amount of Android focused malware spiked 76 per cent in Q2 of 2011, when compared to Q1.

Of all new mobile malware created in the second quarter, approximately two thirds was aimed at Android.

According to G Data, mobile malware spiked 273 per cent in the first half of 2011 over the same period in 2010.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.