In a blog post today, Google has revealed that it's been working on an automated system to detect malicious software in the Android Market. Codenamed "Bouncer," the service involves a variety of checks: besides scanning newly uploaded apps for known malware, it runs each app and looks for malware-like behavior. Google says that it also scans developer accounts themselves in an effort to "prevent malicious and repeat-offending developers from coming back."
Bouncer isn't new — the company says that it's actually been in operation for some time, and that incidences of malware in the Market decreased by some 40 percent in 2011. Clearly, the timing of Bouncer's announcement isn't completely arbitrary, either: the company has been under attack for ages for its lack of Market oversight, underscored recently by an incorrect Symantec report that an ad SDK it dubbed Android.Counterclank was "malware," suggesting it had infected anywhere from one to five million Android devices globally.
Google acknowledges that some security firms have noted a rise in Android malware cases over the same period in which it's claiming a 40 percent decline, but it implies that those installations must be coming from outside the Market:
"This drop occurred at the same time that companies marketing and selling their anti-malware and security software have been reporting that malicious applications are on the rise. While it's not possible to prevent bad people from building malware, the most important measurement is whether those bad applications are being installed from Android Market — and we know the rate is declining significantly."
Sideloading and third-party app stores have been part of the Android story for a long time — the Amazon Appstore is a prominent example, of course, but large app ecosystems exist outside the Market (and out of Google's control) in places like China, too. Does Bouncer's existence more definitively answer the question of whether Google should be taking an active role in curating apps? For some, perhaps — assuming it continues to do its job as well as Google says it's doing — but that still leaves plenty of attack vectors beyond the walled garden.