Sophos' Concern Over Android Market Website Real or Unfounded?

Security firm Sophos warned on Friday that the new Android Market website, as currently configured, could present a security hole for Android users. However, given the way this website works, in reality it is not much of a concern.

As noted by Sophos, when you select an app from the Android Market website and approve its installation on your phone, it is more or less immediately downloaded to your smartphone. The user approves the permissions the app requires on the website, at the moment of selection; when the app then downloads to the Android phone, no further user intervention is required.

As Sophos notes, this means that if an end user has their Google password stolen, an attacker could install malware on their phone without the user's intervention. That malware could then be used to harvest personal information for financial gain.

The article then goes on to recommend different ways to encourage Google to fix this issue ASAP.

Of course, what wasn't mentioned in the article is that if your Google account password is stolen, you have a lot more to worry about than just your Android phone: Gmail, Google Docs, etc., etc.

Additionally, what's not mentioned is that the Web-based Android Market is just that: a Web portal into the Android Market. It is not a way for someone to push arbitrary malware onto your phone, unless that malware was already in the Android Market. Now, if you could actually use the site to sideload something, that might indeed be an issue. That said, it would be a good security measure to require the app to be accepted on the device after selecting it on the Android Market website.
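To make the difference between the two flows concrete, here is a toy model, added as an illustration and not code from the article, from Sophos or from Google. The `Store`, `Device` and `Policy` names, the catalog entries and the "phone-1" device are all constructed for the example. It contrasts the current behaviour (a web-portal request installs at once) with the suggested one (the request only queues until the owner accepts it on the handset), shows that a non-catalog app cannot be pushed at all, and exposes the audit view a server-side monitor could use to flag web-initiated installs that the device owner never confirmed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    IMMEDIATE = "immediate"              # push from the web session installs at once
    DEVICE_APPROVAL = "device_approval"  # web push only queues; owner must accept on the handset


@dataclass
class InstallRequest:
    app_id: str
    device_id: str
    origin: str                 # "web" (portal session) or "device" (typed on the handset)
    status: str = "pending"     # "pending" or "installed"
    device_ack: bool = False    # True once the owner accepted it on the device


@dataclass
class Device:
    device_id: str
    installed: set = field(default_factory=set)
    pending: list = field(default_factory=list)


class Store:
    """Hypothetical install broker; the catalog is the only source of apps."""

    def __init__(self, policy, catalog):
        self.policy = policy
        self.catalog = set(catalog)
        self.audit = []            # every request, whatever its outcome

    def request_install(self, app_id, device, origin="web"):
        if app_id not in self.catalog:
            # the portal only reaches Market apps; there is no sideload path
            raise ValueError(f"{app_id!r} is not in the Market catalog")
        req = InstallRequest(app_id, device.device_id, origin)
        self.audit.append(req)
        if origin == "device":
            req.device_ack = True       # the owner is holding the phone
        if self.policy is Policy.IMMEDIATE or req.device_ack:
            device.installed.add(app_id)
            req.status = "installed"
        else:
            device.pending.append(req)  # wait for the on-device "YES"
        return req

    def approve_on_device(self, device, app_id):
        """The on-device prompt; returns the request that was accepted, or None."""
        for req in device.pending:
            if req.app_id == app_id:
                device.pending.remove(req)
                req.device_ack = True
                req.status = "installed"
                device.installed.add(app_id)
                return req
        return None

    def unacknowledged_remote_installs(self):
        """What a server-side monitor would flag: installs completed from a web
        session that the device owner never confirmed on the handset."""
        return [r for r in self.audit
                if r.origin == "web" and r.status == "installed" and not r.device_ack]


def simulate(policy):
    """Constructed scenario: a web session (for instance one opened with a stolen
    password) asks to push two apps, one catalogued and one not."""
    store = Store(policy, catalog={"com.example.weather", "com.example.notes"})
    phone = Device("phone-1")
    try:
        store.request_install("com.example.not_in_market", phone)
    except ValueError:
        pass                        # rejected: not a Market app, nothing happens
    req = store.request_install("com.example.weather", phone)
    return store, phone, req


if __name__ == "__main__":
    for policy in Policy:
        store, phone, req = simulate(policy)
        print(policy.value, req.status, sorted(phone.installed),
              len(store.unacknowledged_remote_installs()))
```

Under `Policy.IMMEDIATE` the web request lands on the phone with no device-side step and shows up in the unacknowledged list; under `Policy.DEVICE_APPROVAL` the same request sits in `phone.pending` until `approve_on_device` is called, and once it is, the install carries the owner's acknowledgement and the monitor has nothing to flag.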

However, because you can't download "just anything" via the Android Market website, only apps already in the Market, this is hardly a zero-day vulnerability. We do agree that end users need a strong password for their Google account, and that you should keep your passwords separate, perhaps with the aid of a password manager like LastPass or RoboForm.

Via: Sophos
realneil 3 years ago

There's that 'nasty looking hand' picture again!

coolice 3 years ago

Le. Matrix

3vi1 3 years ago

No. Le Male Reproductive Organs.

Next week, Sophos is expected to make another announcement: If someone steals your network password, they can log into your systems and install stuff as you!

There's no new vulnerability here. Open up SSH through your router and watch how many failed logins will start bouncing off your machine from Chinese addresses.

I doubt Sophos has any good idea what Google may be doing to already monitor for this on the server side.

coolice 3 years ago

Hmm, well, I can't disagree with Sophos here... when I installed a few apps from the website, my phone automatically started downloading them without asking me to install anything. So if Google can allow you to download those apps on the phone through the website and not install them (the installation needs to be verified on the phone by the user), then I appreciate it even more.

A simple "Install Immahackyourphonenow on this device?" ----- "YES"

That way, it's the user's fault.

infinityzen1 3 years ago

If you're not using a strong password on your Google account then it is your own damn fault. My job requires me to use crazy passwords (10+; symbols, caps, lower, numbers all required) and have different passwords for everything (they check). I just got in the habit of using crazy hard passwords for everything.

acarzt 3 years ago

lol.... yea, what's wrong with that hand?

It's fat on one side, little on the other...

MBarker 3 years ago

RoboForm is a great way to ensure security. It remembers your passwords and login information for you! This means you can have 20-character passwords that are impossible to hack. With RoboForm, you only need to remember one password that gives you access to all your logins. You can check it out here. It is also important to note that once you purchase your license, you get RoboForm for Android, iPhone, iPad, etc. for free!
