One in every five apps available in Google's Android Market gives third-party applications access to private data, according to a new study from security vendor Smobile Systems.
Smobile, which just happens to offer mobile security software, says it arrived at that conclusion after studying the permissions requested by more than 48,000 applications in the store for Android-based devices.
Most of those data-accessing apps are probably benign -- social networking applications, for example. But Smobile says it found 29 applications that request the exact same permissions as known spyware. Eight apps could render a device unusable, says Smobile, and 2 percent of the software it examined can send SMS messages without the user knowing about it. Five percent of apps could place calls to any number without asking a user first.
Smobile CTO Daniel Hoffman praises the open model that Google uses for Android applications, which has "allowed developers to quickly create and post thousands upon thousands of new applications." But, he claims, the result has been apps that "have the potential to cause serious harm to devices, customers and to the broader cellular network."
While Apple's much-maligned application approval process isn't exactly infallible, and its closed ecosystem is a source of much criticism, the Android Market is creating openings for identity theft, mobile banking fraud and corporate espionage, according to Smobile.
"The Android Market relies on the community to identify and flag applications that either malfunction or are malicious in nature," says the study. "This would imply that there will always be a window where a number of consumers would need to use, test and determine if an application is malicious before it could be removed from the Market."
Smobile cites the case of a bank phishing app published by a developer who went by Droid09. The app, which let users conduct banking activities on their phone, required them to enter their account information. Rather than creating a direct link with the bank, though, the app essentially opened up the bank's Web page. "What it actually did with the account credentials that the user provided is still unknown," says Smobile.