The United States Department of Justice (DOJ) has seized three websites for alleged copyright violations. The sites are accused of illegally distributing Android apps. When dealing with third-party mobile app sites, though, pirated apps may be the least of your worries. The more pressing concerns: your privacy and security.
One of the defining features of Android is its “openness”. In contrast to other mobile platforms, Google’s Android ecosystem allows users much more latitude in customizing the mobile device itself. It also enables users to acquire apps from a variety of sources outside of the official Google Play store.
In the case of the websites targeted by the DOJ, Android’s openness simply means that users may be unknowingly buying illegal, pirated apps. However, the lack of a review process, or of any sort of curation of the apps by a trusted source, also means that it’s much easier for malicious apps to be distributed.
Just this week a new piece of Android malware was found to be infecting an estimated 500,000 devices. SMSZombie steals money via fraudulent SMS payments, and is exceptionally difficult to remove. The malware was downloaded from third-party Android app sites by users who believed they were downloading a benign wallpaper app.
Apple more or less pioneered the concept of the app store. In fact, it has engaged in trademark litigation against Amazon claiming that it owns the right to the very term “app store”. One thing that sets Apple apart from Android when it comes to apps is that legitimate apps can only be acquired from the official Apple App Store, and those apps must all be reviewed and approved by Apple before being made available to the public.
There are rogue third-party app sites for Apple devices as well, but they only work with jailbroken iOS devices. Jailbreaking essentially removes the restrictions and limitations on the device--enabling it to download apps from outside of the Apple App Store. However, it also removes security controls and opens the iOS device up to potential malware attacks or compromise from malicious apps.
Amazon has its own Android app store, which straddles the line between Android’s openness and Apple’s “walled garden”. The apps distributed by Amazon are reviewed, so the apps are ostensibly safe, and users can download them with greater confidence.
Curated or not, though, no app store is invulnerable to malicious apps. Respected security researcher Charlie Miller demonstrated that even the Apple App Store is vulnerable by sneaking an app with a malicious payload past the Apple reviewers. He’s not the only one, either.
It makes sense to exercise some discrimination when acquiring apps. First, only shop at or download from sites that seem credible and reasonably safe in the first place. Second, check out the reviews for apps, and stay away from shady apps or apps with an abundance of negative reviews.
Most importantly, though, users need to recognize that mobile devices--whether smartphones or tablets--are essentially just mobile computers. Attackers have taken notice and new threats against mobile devices are being discovered at an alarming rate.
You should use the security controls available on the mobile device itself, and make sure you use some sort of antimalware or security tools to protect both your mobile devices and your traditional PCs from malware threats and other attacks.