The Dangers of Direct APK Downloads
mobilesecurity.com [London, UK] Android is a fairly liberal operating system with an equally liberal community. For example, if users want to root a smartphone or tablet and understand the risks of rooting, there's plenty of advice and support on how to do so. Apps requiring root access are even available through the official Google Play store, which goes some way to convince Android users that rooting is a legitimate option.
However, one issue with such an open ecosystem is that downloads finding their way onto the device don't have to come from official sources. In fact, the temptation for the more curious or technically aware user may be to download .APK – or Android Application Package - files directly to the device, or 'sideload' as it's known.
APK files contain the data necessary for apps to be installed on an Android phone or tablet. With the Android community being open to all, downloading APKs from the Google Play store is the common practice, but the files themselves can legally be hosted, distributed and downloaded from anywhere on the Internet.
This can lead to issues. Whether the download is delivered from a website to a PC (before transfer to an Android device), or directly to the device itself, as with all file downloads it's imperative that the user exercises caution. Having as much information about the .APK and the provider as possible is common sense, but it becomes more important as criminals seek to gain access or control of our devices and have to turn more and more to sideloading to get that access.
Whilst malicious apps have previously been found in the Play store, Google has spent the past year putting in place steps to reduce the chances of it happening again. First it has started employing a cloud-based filter, meaning the chances of infected APKs appearing in the Play store has lessened.
'Bouncer' is the codename for Google’s filter, and it's been an added security layer since February 2012. With Bouncer active, the weeding out of malicious code has improved, but obviously outside the store all bets are effectively off.
Previously downloading such files directly has greatly increased the chances of malicious bits of code and malware finding their way onto your device. However, Google has again sought to provide additional security here. Since the 4.2 'Jelly Bean' update to Android, Google has tried to restrict the chances of users falling prey to criminals.
How? Well, there are now two new features available to raise awareness of any unwanted guests. The first is the 'Verify Apps' option. Found under in settings Personal > Security > Device, the option is on by default and employs a check on all apps being installed with signatures on Google's servers. Depending on the result of the check the app will either be installed, blocked or be able to be installed but with the user shown a warning of potential risks.
The second feature will simply warn Android users before a device tries to make a premium rate text. This is a prime objective of criminals when it comes to device hijacking, because it's what makes them the most money. But with Jelly Bean the user will be notified when this action is attempted, and so can be alerted to any dodgy behaviour.
Both tools are smart additions to help users in the fight against the dangers of direct APK downloads. Google isn't likely to ever actively stop users from doing it of course. After all, such flexibility is what comes with an open source operating system. And for that reason users need always be aware of the risks and take steps to prevent potential threats. Google can continue to help, but we also advise checking apps through our AppView tool and having mobile security installed on your device.