Some malicious parties, though, have
tried to take advantage of the company's permissive nature. On
December 22, First Tech Credit Union wrote that a "fraudster
developed a rogue Android Smartphone app" that spoofs users with
a fake bank interface, trying to get users to fill in their account
information. That day BayPort Credit Union's mobile bank
provider, MShift, announced similar concerns, stating that it had
contacted Google on the December 15 about another rogue app.
turns out that the developer -- 09Droid -- actually had a plethora of
fake bank apps available on the Android Market, including apps posing
as Chase, Sun Trust and Bank of America. Google has at last
removed those apps from the market, explaining that they clearly
Writes a Google spokesperson, "The
Android Market Content Policy clearly states that we don't allow
applications on Android Market to identify themselves with
third-party marks without permission. If an application violates the
content policy, we will remove it from Android Market, and developer
accounts will be terminated for repeated violations."
add, "For example, we have a policy against inappropriate
content, which includes malware. A developer must also abide by our
Developer Distribution Agreement in order to upload an application to
Android Market. We also may check applications for compliance with
the Market Content Policies (in order to remove malware, porn, spam,
While the Android Market clearly has
rules, it is an interesting question whether Google's permissiveness
is the reason rogue apps like this have been able to slip through to
a greater degree than competitor Apple. Despite an enormous
volume of apps, few, if any, rogue apps have made it to Apple's
iTunes App store thus far.
Regardless of the answer to that
question, Mikko Hyppönen, chief research officer at F-Secure, says
rogue applications are a sign of smart
phone attack attempts to come. He also points out that
smart phone manufacturer Symbian's app approval process has also been
subverted. He writes, "Some of them will try to target
online banking, others will try to call premium-rate numbers or send
text message spam and so [on]. Signing and certifying programs are in
a key position on smartphone systems to prevent problems like this
... [although] we have seen the 'Signed by Symbian' certification
process subverted a couple of times."
quote: Much like when you find such an app on a torrent or ftp server or similar, it isn't the host that you should go after.