Google earlier this week announced that they had remotely removed a pair of apps a security researcher had put into the Android Market. As they said:
"Recently, we became aware of two free applications built by a security researcher for research purposes. These applications intentionally misrepresented their purpose in order to encourage user downloads, but they were not designed to be used maliciously, and did not have permission to access private data — or system resources beyond permission.INTERNET. As the applications were practically useless, most users uninstalled the applications shortly after downloading them.
"After the researcher voluntarily removed these applications from Android Market, we decided, per the Android Market Terms of Service, to exercise our remote application removal feature on the remaining installed copies to complete the cleanup."
Google did this to also show how their ability to remotely remove apps gives them a security advantage, although Apple has the same feature. The relative openness of the Android Market definitely means that Google has more reason to need such a feature.
Of note, as indicated above, the researcher had already voluntarily removed the apps from the Android Market.
While the kill switch feature was known already, what wasn't known is that Google also has a way to remotely load apps onto your Android phone.
In fact, it was Jon Oberheide, the security researcher who developed the applications that Google remotely removed from Android phones, who noticed during his research that Android includes a mechanism called INSTALL_ASSET. INSTALL_ASSET allows Google to remotely install applications on consumers' phones.
After voluntarily removing his applications from the Android Market, Oberheide noticed that Google had remotely removed his apps (Twilight Eclipse Preview and Rootstrap) from his own phone. He found that cool.
"Talking with Rich later, this was apparently the first time the Android team invoked the remote kill functionality. I had assumed it had been used frequently in the past, but apparently attackers have been slacking off. Rich covered their use of the remote kill functionality on the Android Developers blog today.
"Now, the Android platform not only allows for the removal of applications remotely via the REMOVE_ASSET intent, but also allows for the installation of new applications via the INSTALL_ASSET intent. If some people are upset that Google retains the ability to kill applications remotely (I personally prefer the potential security gains of the functionality), I fear what they’d think of the INSTALL_ASSET feature. ;-)"
It's a little less clear why Google might want a remote install ability. We could see trying to install some sort of security package onto a smartphone, but since you could kill any such malware, that seems unnecessary. Or perhaps, it's as Oberheide said in an interview:
"I don't know what design decision they based that on. Maybe they just figured since they had the removal mechanism, it's easy to have the install mechanism too. I don't know if they've used it yet."