The Android Market Security Tool March 2011 does not patch the underlying bugs that were exploited by the malware-infected apps, said Mahaffey, but does appear to remove traces of the malicious code that aren't erased when the apps are uninstalled. Lookout is continuing to dig into Google's tool for more insight into its workings.
According to Google, Android 2.2.2 and earlier contain the bug, but later versions, including Android 2.3, aka "Gingerbread," do not.
Unlike Apple, Google does not distribute its own mobile operating system updates, whether security-related or otherwise, but relies on carriers to do so. Google launched Android 2.3 in December 2010, but as of mid-February, the bulk of Android phones -- nearly 90% by Google's numbers -- were still running older, and thus vulnerable, versions of the operating system because carriers often take months to roll out Android updates.
Analysts have also blamed Google's lax app publishing policy for allowing the infected software onto the Android Marketplace.
"Google will change its model," said John Pescatore, a security analyst with Gartner Research, referring to Google's current practice of not vetting the apps listed in the market. In contrast, Apple closely reviews all apps that it places in its App Store, which is also the only sanctioned outlet for the iPhone.
"Google's search engine tells users when it suspects a site might be distributing malware," Pescatore noted. "That's what the market wants in a search engine and in mobile. People don't want to say, 'Oh oh, should I download this app?' They just want to say, 'That's a cool app, I'll download it.'"
Pescatore also knocked Google for resorting to pushing the security tool to users after the fact. "That's the worst of both worlds, if Google says, 'We'll continue to let anything in the Market,' but then says, 'Download this [anti-malware] app,'" said Pescatore. "Don't force us back to the bad ways of the PC.
"It's so much better to keep the bad stuff off in the first place," Pescatore said. "Come on, Google."
Mahaffey, however, applauded Google's decision to automatically install the tool. "Hats off to Google," he said today.