Does anyone actually read the ToS (Terms of Service) that we have to agree to to do just about anything on any gadget, device or the Internet? Don’t even try to front, you know you don’t. Well, in the case of the Google Android Marketplace, apparently all Android users have given Google permission to remotely wipe apps when they deem it necessary.
Before anyone gets all worked up, it does appear that Google has only done this once so far, but it does leave you wondering when else the company could come into our phones in the middle of the night and take our beloved apps.
According to Forbes, security researcher Jon Oberheide decided to run a “proof of concept” test in the Android Marketplace by building apps that appeared to be about the Twilight movie series to see how many people he could get to download them. Hidden inside them were bits of code that would have allowed him to push out malicious code to the handsets, turning them into a network of phones to send out anything he wanted, essentially creating a “botnet” army. Mr. Oberheide had no intention of sending out any real code, but he has proven it can be done.
Once Google got wind of this, they removed the apps from the Marketplace, and then they executed the little-known feature that allows them to remotely remove malicious apps from phones that use their Android OS. What is odd is how the company decided to describe the apps in its official blog post on the matter:
“Recently, we became aware of two free applications built by a security researcher for research purposes. These applications intentionally misrepresented their purpose in order to encourage user downloads, but they were not designed to be used maliciously, and did not have permission to access private data — or system resources beyond permission.INTERNET. As the applications were practically useless, most users uninstalled the applications shortly after downloading them.”
“Practically useless”? Why not be up front with people and describe what they were built to do, and could have done? This description leaves the door wide open to people wondering what other apps the company could eventually target.
There is also a lesson to be learned here in that Google took no action on these apps until after Mr. Oberheide had publicly revealed what he had done. That means Google had no clue these backdoors were lurking in their Marketplace, or, worse yet, they knew, and just weren’t bothering to take action. What else could be lurking in the Marketplace that they are unaware of?
This story is disturbing on a lot of levels, but all of them give Android phone owners a lot of food for thought on whether or not they have a ticking bomb sitting on their desk.
What say you? Was Google right to handle the situation in this manner?