Feb 4, 2011 15:59 GMT

Security researchers have expressed concern about a feature of the newly released Android Market, which allows people to remotely install software on their smartphones.

A Web-based Android Market that can be browsed from a normal computer with a normal browser, in a similar manner to Apple's App Store, has long been requested by users.

Google finally delivered such a website yesterday, but with an unusual feature that captured the attention of security experts.

It turns out that people who have their phones associated with a Google Account, and many do, can log in on the new Android Market and push any application to their device.

While great for usability, this functionality, and its design in particular, poses serious risks, security researchers claim, because users are not asked to confirm the action on their smartphone.

"Isn’t that convenient? Yes, for you and for anyone who may gain unauthorized access to your Gmail account. This would allow the attacker the ability to purchase and install any app available within the Android Market," warns Kaspersky Lab Expert Denis Maslennikov.

The fact that publishing apps on the Android Market doesn't require manual vetting by Google's staff makes this even more dangerous.

It's not hard to imagine a scenario where someone gathers thousands of Google Account credentials through phishing and then uses the Android Market to remotely install a malicious app they just published on a large number of handsets.

"Google should make changes to the remote installation mechanism as soon as possible. As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed," says Vanja Svajcer, principal virus researcher at Sophos.

In fact, there is a notification on the device which informs the user that an installation has occurred. It doesn't stop the app from installing, but at least it's an indication that something unauthorized might have happened.

Also, as soon as Google discovers the malicious app on the Android Market they can use the remote uninstall feature in order to remove it from people's devices. This might be too late though, as sensitive data might already be stolen by then.