After a long phoney war when a lot was said but nothing much actually happened, Android is finally facing the predicted surge in app criminality that its open software model invites.

This droid.jpg
This droid.jpg This droid.jpg This droid.jpg

The first Android malware landmark came as recently as August 2010 with Fakeplayer, followed in late December by the first significant example that was operating in the wild on any scale, Geinimi. A growing band have followed since then perpetrating click and SMS tariff fraud culminating in yesterday’s news that Google is reportedly kicking out at least 21 rogue apps from its Marketplace.

The apps in question might have been downloaded as many as 50,000 times by users and it doesn’t appear to be that Google noticed the issue first which raises questions about its app vetting.

In only weeks, the Android threat has gone from mostly theoertical to one that is affecting real people. It's a safe prediction that things will get worse before they get better.

Security companies at last have meaningful mobile threats to talk about after years and years of the issue being little more than a joke. Conveniently, all this comes at just the moment when desktop antivirus is starting to die in the face of a growing band of basic but free apps.

The positive message is that Android is not inherently more vulnerable than any other mobile operating system but its apps are because, unlike rival platforms, they can be downloaded from locations other than Google’s Marketplace.

The solution is for security companies to develop products that go beyond the awkward models they’ve applied to desktop protection, for instance, analysing and warning users about the permissions apps are asking for as they install. Such a program could also make it easy for users to remove apps before any damage is done - apps can be remotely uninstalled, a huge difference with Windows.

And users? They can’t easily judge which apps are bogus and which aren’t but they can at least be careful about which sites they get them from. If the malware trend continues, such sites are going to need careful management in order to stay credible.

And Google? It needs to wake up from its focus on software and features and remember the lesson of Windows, the last major software platform to let itself get overrun with malevolent apps. The legacy of that particular misstep is still all around us.