Android is well on it’s way to becoming the Windows of the mobile malware world. With 99% of mobile infections, Android is the only game in town when it comes to infected tablets and smartphones. Love it or hate it, Apple’s walled garden and refusal to allow downloads from third party app stores has paid security dividends. Sure, Google Play has Bouncer and he’s done a fine job of keeping the miscreants out, but that’s of limited value when users are willing to go to shady Chinese app stores to save a buck on Candy Crush. Google clearly knows that this will hurt them in the long run, especially in the enterprise space and began making changes with Marshmallow, the latest Android flavor when they switched to Granular App Permissions to make it more clear what control an app ultimately gains when installed. This however was a small step and Google will need to get much more aggressive going forward.
Not wanting to lose ground in the enterprise, where Apple has now pivoted, they have little choice. While cutting off third party app store access altogether would alienate too much of the user base, expect the next iteration of Android to to start cracking down on third party app stores. Since Jelly Bean 4.2, embedded cloud based antivirus scanning was added through the Verify Apps feature. While yet another improvement, this is clearly not enough as we regularly identify and blog about apps from alternate Android app stores that are malicious in nature. Google will need to take more drastic steps and a likely change is restricting the permissions available to apps not vetted through the Google Play submission process. Expect sideloaded apps requesting Administrator permissions to become a thing of the past. Some developers will push back, but Google will have little choice if they want to get malware under control. Google will also begin to mandate acceptable timeframes for patches and firmware upgrades, which are now largely under the control of the OEM partners. It does little good when new security features are added, but they’re unavailable to users with non-Nexus devices. These steps won’t eliminate Android malware, especially with Android’s slow O/S upgrade cycle, but they will raise the bar for third party app stores, just as Bouncer did for Google Play.