Android Insecurity

Late last year, a nefarious banking app was discovered on the Android phone marketplace.  This, I’m afraid, is just the beginning.
Doing some Android phone development recently, I have gotten some
hands-on experience with how an application is deployed to the Android
Marketplace.  One big difference between the Google and Apple mobile
software stores is that Apple vets and approves each app before it is
made available for public download.  With Android, anyone who pays the
$25 registration can upload an application to the marketplace.
To upload an application, it first must be signed with your own digital
signature.  This signature need not be certified–you can create one
yourself and it is just as valid as one issued by Verisign.  Signing
your application is the only security requirement that must be met
before uploading to the marketplace.  The information you submit to
create your Android developer account is also not reviewed or
If your application is free, then anyone with a compatible Android
phone can begin downloading and using it.  If the application needs to
connect to the internet, then during the installation the user is
notified “This application has access to the following:  Network
communication, full Internet access,” to which the user clicks OK to
proceed with the install.
There are no alerts about the digital signature coming from an untrusted
or unknown source.  All applications are implicitly trusted.  My
Android phone has an 800 MHz processor with 256 MB of RAM, a worthy
addition to any botnet.
The current protections for mobile applications remind me of web sites
in the mid to late 90s when e-commerce was just starting to get off the
ground and viruses and botnets weren’t daily news (and desktop PCs
didn’t have the same power that we now carry in our pocket.)  People
just trusted anything they clicked, and bad guys realized this and
quickly developed ways to exploit this blind trust.  Now that cyber
crime has become much more savvy and organized, criminals are working
feverishly to exploit this new mobile vector.
I know mobile apps still have that wow factor, but we have to learn
from the past and treat all Internet enabled devices as attractive
targets for attack today.  These mobile OSes need to have the same
protections we apply to desktop PCs.  We should not continue blindly
assuming that the focus of attack is the desktop PC and not mobile
devices, even though they all have similar hardware specs and are
connected to the same Internet.  Otherwise, this is security by
obscurity, which does little more than give us a false sense of