In a bid to make downloading Android apps safer for consumers, Google has added an automatic scanning service to Android Market to find potentially malicious apps.

It’s an important move as Google does not review apps before appear in the store unlike Apple. Because the barrier to entry is so low, that sometimes means consumers unwittingly install malware on their phones.

The program, codenamed Bouncer, scans apps after they have been uploaded to the market, meaning developers still won’t have to go through an approval process to get their apps listed.

According to a blog post from Hiroshi Lockheimer, Google’s vice president of engineering for Android, Bouncer scans both new and existing applications for known malware, spyware, trojans and for behaviors that could indicate hidden malicious behavior. Google also analyzes new developer accounts to ensure that repeat offenders are prevented from uploading malicious apps.

Google revealed that Bouncer has been scanning the Android market for some time, reporting that “between the first and second halves of 2011, we saw a 40 percent decrease in the number of potentially-malicious downloads from Android Market.”

However, while Google is reporting downloads of malicious apps are decreasing, third-party analysts have found the amount of malware in the Android market is increasing as the platform’s larger reach makes it a more enticing target for unscrupulous developers. in November, the Juniper Global Threat Center reported it had seen a 472 percent increase in Android malware samples since July 2011 and in December Lookout reported it had found more than 1000 infected apps in the Android market — double the amount it detected in six months ago.

In January, AhnLab researcher JungSin Lee pegged Android as the OS under the most threat from malware due to its lack of a proactive screening policy. While Bouncer helps to address these concerns, the Android market has still had some recent, high-profile security incidents.

In November, a number of fake apps pretending to be popular games such as Angry Birds and Tiny Wings were removed from the store after customers complained they had bought the apps and they did not work. A month later Google had to remove 22 more apps from the Android market for SMS fraud.

Fighting malware can be like running faster just to stay in the same place. If Google adds one security measure, hackers eventually find another loophole. But Google is familiar with this dynamic, as it has had to battle search spam and black hat SEO (search engine optimization) for more than a decade.

There are currently more than 400,000 apps on the Android market.

South Korean information security company AhnLab is predicting botnets and malware targeting specific geographic regions could emerge as some of the most serious mobile security threats in 2012 as unscrupulous app developers become more sophisticated.

While malware is already a growing mobile security issue, this year AhnLab is predicting that the scope of attacks will expand, moving from situations where malicious apps rack up unauthorized charges on a user’s phone bill (as was the case in the RuFraud attack in December) to situations where the aim will be to establish a botnet of infected or zombie smartphones. A botnet of zombie smartphones could be used to send spam or conduct distributed denial of service attacks, just like botnets of infected PCs.

According to JungSin Lee, a researcher at AhnLab, that the first attempts to establish a smartphone botnet have already been made. In December a code named Geinimi appeared in the third party app market in China.

“Unlike other malicious codes which operate just for profit purposes, Geinimi had ‘bot’ functions including a remote control and downloading of additional malicious codes,” explains Lee.

Although the attempt was ultimately unsuccessful, if Geinimi had been able to establish a botnet it would have been very difficult for users to tell their smartphones had become zombies and the attackers would have had access to every function on the infected phones, including call monitoring, voice capture and the ability to download, install and uninstall applications according to Lee.

AhnLab is also predicting more locally based malware this year, as attackers focus on countries with well developed smartphone using population bases such as Russia, Europe and China.

“By far, the most efficient way for attackers to distribute malicious codes is through a direct download-and-install method. However, users have tended to prefer apps with a local culture UI and language. As a result, attackers make more local focused malicious apps,” Lee says.  “Attackers investigate the local market before orchestrating the attack. In most cases, the malicious codes disguise themselves as a popular local applications such as a local game [or] adult apps.”

The company is also predicting an increase in the amount of malware transmitted through infected webpages to grow as smartphone users continue to increase the amount of websurfing they do from their phones. AhnLab is also expecting to see an upswing in malware specifically designed to attack jailbroken phones.

Lee highlighted third party app markets as the most common place to find malicious apps and pegged Android as the OS under greatest threat from malware. “Android is the most vulnerable,” he explains, “it has a mass number of users and a market policy that is not proactive in screening for malicious apps.”

AhnLab’s findings are bad news for Google, but don’t come as much surprise. Other mobile security companies such as Lookout and Juniper Networks have also called out Android for the same reasons. Lookout is predicting Android users will have a four percent chance of downloading a malicious app by accident this year and Juniper has tracked a 472 percent increase in the amount of malware found on the platform since July of 2011.

According to AhnLab, the best way for users to avoid malicious applications and malware is to use common sense approaches such as installing a mobile antivirus program and keeping it updated, checking applications before downloading them, taking caution when browsing the internet and avoiding the temptation to jailbreak a smartphone.

Earlier this year, Apple said it was deprecating the ID system that developers and mobile ad networks have relied on to target consumers with personalized experiences or ads. At the time, there wasn’t a clear substitute to Apple’s Unique Device IDs (or UDIDs), but I mentioned the Wi-Fi MAC address as a possibility.

The MAC, or Media Access Control, address is an identifier that’s assigned to networked devices (whether they’re smartphones or laptops). Most developers seem to be targeting the MAC address of the Wi-Fi interface on iOS devices. Because it’s hard for normal people to change or spoof the Wi-Fi MAC Address, this shift rekindles the very same privacy issues The Wall Street Journal raised last year. The newspaper had criticized mobile apps like Pandora for sharing UDIDs with third-party ad networks.

Compared to tracking tools on the web like cookies, UDIDs and the MAC Address might be more sensitive because they’re tied to people’s phones and can be connected with their location. Ad networks have used UDIDs to keep track of what mobile apps a user has, so they can show ads that match their interests or block ads about apps they already have. Unlike cookies on the web, the UDID can’t be cleared or erased.

Since Apple announced it would deprecate UDIDs, developers have been hunting for something else — and the MAC address has looked the most promising.

One of the companies that specializes in driving downloads for mobile developers, W3i, recently ran a test where they were able to grab more than 78,000 MAC addresses from users of their free-app-a-day service AppAllStar. They did the test to help out developers who are unsure of what to replace UDIDs with.

Apple approved W3i’s app even as the company made it very explicit that they were going to grab MAC addresses by placing the code at a high-level with very clearly named classes showing that they were collecting the data. They also found that 99.96 percent of the addresses they collected were unique. (There were a few were duplicates, but this was probably because the devices were jailbroken or hacked. Unsurprisingly, China produced the largest number of duplicate MAC addresses.)

W3i’s findings underscore what I’ve been hearing anecdotally from multiple developers and ad networks: they’re turning to the MAC address as a substitute for UDIDs. What that means, however, is that the original privacy issues that UDIDs raised haven’t been solved at all. MAC Addresses are too complicated to change for most people unless you’re into jailbreaking and hacking into your iPhone.

Basically, The Wall Street Journal’s series on privacy won them a prestigious Loeb award for business journalism. But it didn’t really fix anything (at least in terms of privacy for mobile app users). At the time the Journal’s series broke, I said that there would be one of two outcomes. Either “uninformed policymakers will draft poorly targeted legislation. It could end up being unnecessarily destructive to consumer Internet businesses.” Or I said a fix could “be so cosmetic that it doesn’t really fix underlying problems.”

We’ve ended up with the latter situation. Apple has still not produced an elegant solution that balances the needs of developers to provide their customers with relevant experiences with respect for a user’s privacy.

Apple has said that developers should create unique identifiers that work specifically with their apps. There are a couple of issues with this though. If you’re a developer with a portfolio of apps, this doesn’t help with tracking a single user across multiple apps. Also, since a user can back-up their iPhone and put that data on another device, you might end up with a single ID code assigned to more than one device.

Because of these drawbacks, developers seem to be turning to an alternative that carries many of the same privacy issues the UDID had.

Survey Finds iOS is Only Profitable for a Minority of Developers – According to a survey conducted by independent Canadian developer Streaming Colour Studios, 20% of iOS developers take home 97% of all revenue generated on the platform. This isn’t really surprising given the economics of most gaming markets. However, keep in mind that the survey probably excludes responses of the highest-grossing developers who may be venture-backed and can’t disclose sensitive information like monthly revenues. In terms of lifetime revenue, while 25% of iOS developers have seen more than $30,000 from their apps, the money is very concentrated – the top 1% of developers currently account for 30% of all revenue generated by the App store.

Microsoft’s Mango Arrives, Brings Extras – The highly anticipated OS update Windows Phone 7.5 – aka Mango, began a gradual roll-out this week. The updated included a variety of new features that were previously announced, and two that weren’t – the ability to tether internet from a WP7 device to up to five other devices and a web-based marketplace that allows users to browse apps on a computer and remotely install them on a WP7 phone.

Android Phones now Twice as Popular as iPhones, But iPhone 5 is Hotly Anticipated –
The competition between Android and iOS continues to heat up, making BlackBerry and Windows Phones look increasingly like also-rans in the smartphone market. According to a new report from Nielsen, over the last three months more than half of smartphone buyers have chosen Android, rather than iOS. The numbers broke down to 56% Android, 28% iPhone, 9% BlackBerry and 6% other (including Windows Phone 7). However, as TechCrunch notes, with a new iPhone imminent, the numbers could be inaccurate. That conclusion seems to be backed up by the results of a study conducted by InMobi that found up to 41% of mobile consumers may purchase an iPhone 5. RIM fared particularly badly in the survey; up to 52% of BlackBerry users in North America are considering switching to the iPhone 5.

Gameloft Offerings Coming to Mysterious Sony Tablets – French developer Gameloft has signed a deal to bring optimized ports of some of their most popular games to an upcoming Sony tablet line.  Asphalt 6: Adrenaline HD, N.O.V.A. 2 – Near Orbit Vanguard Alliance HD, Real Soccer 2011 HD, Spider-Man: Total Mayhem HD, and Green Farm HD will all be directly accessible on devices referred to as “Sony Tablet P” and “Sony Tablet S” by in a press release quoting Gameloft’s senior vice president of publishing, Gonzague de Vallois.

Microsoft & Samsung Reach Android Patent Detente – Microsoft and Samsung have agreed to halt legal battles over the use of Microsoft’s patents in Samsung’s Android devices. Under the terms of the new agreement, Samsung will now pay Microsoft a royalty fee for every Android phone and tablet it produces. Microsoft has also set up deals with HTC, Acer, ViewSonic, Velocity Micro and Winstron to license its portfolio of patents. Goldman Sachs Group Inc. estimates that Microsoft will earn about $444 million in licensing revenue from such deals.

[Rumor] Ice Cream Sandwich to Debut on October 11th? – Samsung has announced a press event for October 11th, and industry watchers are betting that the event will see the unveiling of Samsung’s new Nexus Prime smartphone and the next Android OS update, Ice Cream Sandwich. Video and photos of Ice Cream Sandwich have already leaked online, hinting that the update will bring interface improvements for notifications and the camera, as well as a slightly redesigned color scheme.

Halfbrick Wants 70 million More Chinese Downloads in Six Months – Fruit Ninja is already a big success for its developer Halfbrick; the game has been downloaded more than 66 million times and has been ported from iOS to Android, Windows Phone 7 and even Kinect, but the Australian developer is looking to China for continued growth. According to Halfbrick’s CEO Shainiel Deo, almost of third of Fruit Ninja’s downloads have come from Chinese users. In a speech at Beijing’s Mobitalk conference, Deo revealed that Halfbrick has formed a partnership with Chinese developer iDreamSky to develop free, localized versions of the game to combat piracy and allow Halfbrick to make money from in game ads and micro transactions.

Aquaria Coming to iPad – Indie developer Bit Blot is bringing its highly regarded game Aquaria to the iPad. The game, originally released in 2007 for PC, Aquaria is a 2-D action and adventure game set in a mysterious underwater world. The game was highly praised upon its release for its non-linear gameplay and impressive atmosphere, and won the grand prize at the Independent Games Festival in 2007.

Lara Croft is Coming to Android, But Only on the Xperia PLAY – Hit mobile game Lara Croft and the Guardian of Light is coming to Android in November, but there’s a catch – only on the Xperia PLAY. This week Sony Ericsson announced a partnership with Square Enix that will see several of the developer’s hits come to the Xperia PLAY in the coming months.

Foursquare Revamps Home Checkins to Keep Users Safer – While nobody would ever say they don’t have any concern for their own privacy, according to Foursquare, a significant portion of its users love that they have the ability to check into their own homes. To address the demand, but to improve privacy and safety, the location based service announced that as of September 29th:

• Only the person who creates a ‘home’ and their friends can see the address on the venue page.
• On a home’s venue page, only those same people can see the map pin. Everyone else will see a map randomly centered somewhere near the address, with the zoom pulled out a bit.
• The same rules apply to links shared on Facebook or Twitter.

Users can now also report locations as a home, setting them to be listed as private venues or removing them from the service all together. More details can be found on the Fourquare blog.

[Launch] Minecraft Now Available for More Android Devices – Minecraft, the mega-hit open-world exploration and crafting game from Swedish developer Mojang was released into the open Android market this week, much to the delight of the Android community.  Minecraft Pocket Edition was originally an exclusive title on Sony Ericsson’s Xperia PLAY. According to a video Mojang’s YouTube account, an iOS version of the game is also in development.

[Launch] Firebrand Branch Crawfish Games Tries Social and Mobile with Cutesy and Creepy – New studio Crawfish Games has finished setting up shop and is releasing its first two games, Cutesy and Creepy for iOS. Cutesy is available now and Creepy will be released on October 5th.  The games are targeted specifically at children 5 or older. By solving puzzles, players will be able to collect and share stickers with their friends. Crawfish games was founded as a way for parent company Firebrand Games (a UK developer who specializes in racing games for Nintendo consoles) to expand into the mobile, casual and online game marketplaces.

[Launch] Q&A Service Quora Releases iPhone App – Popular question-and-answer service Quora released a free iOS app this week for the iPhone and the iPod Touch. The new app lets users to search for nearby queries, receive push notifications, and “shuffle” questions.

[Launch] Yahoo Unveils Free Flickr App for Android – Flickr users with Android phones finally have access to an official app. The new app allows users to browse albums, take photos, share them, and apply image editing and effects and filters, a direct challenge to services like Instagram and Hipstamatic that have seen their growth from mobile applications. Unlike on iOS, where Instagram has been one of the top 10 downloaded applications in the last year, Android is open territory given that PicPlz forfeited the camera space a few months ago. According to its page on the Android Market, the free app is already doing well seeing more than 50,000 downloads since its launch. Flickr has had an official iPhone app since 2009.

At least one company is seeing the silver lining in Apple’s decision to deprecate UDIDs, or unique ID numbers that developers use to track users across apps.

OpenFeint says it’s launching a single sign-on service for social games as a replacement later this fall. The company says the project, dubbed OFUID, will become a universal account system that criss-crosses platforms. So the same person who plays a game on Android and on iOS won’t be counted twice.

Since OpenFeint already gives users individual accounts so they can compete against friends, it’s not a huge leap for the company to build an ID and single sign-on system. If developers get permission from players to see their OFUID, then they can look at user behavior across games.

There are a few caveats to consider, however. OpenFeint wasn’t authenticating access to its API earlier this year and a New Zealand-based security specialist was able to use his UDID and OpenFeint’s API to expose his location, his account name and Facebook profile picture URL, which could have been used to discover his real name. OpenFeint fixed the security hole and presumably will take privacy very seriously with OFUID. However, this is not a good track record to start from.

Apple said it would deprecate UDIDs in iOS 5 after privacy concerns about the system were widely publicized in the media. Apple is instead asking developers to create unique user identifiers that are specific to their apps. Some developers have also talked about using the MAC address, which is a unique hardware ID that’s assigned to all devices connected to the web.

The other part of what OpenFeint’s announcing is an install trade program, which is interesting because it shows the company is trying to strengthen its direct relationships with consumers. OpenFeint will guarantee developers 1.5 new installs for every new install of Game Channel, a free-app-a-day vehicle.

OpenFeint is the largest pure mobile-social gaming network on iOS and it says it has 115 million users worldwide. It was able to acquire that many players because of the way it was designed as a social layer that other game developers could quickly install to give players features like social leaderboards.

But it also means that while millions of people have registered with the service, many of these players may not interact much with OpenFeint’s services directly on a regular basis. Having a direct, consumer-facing app would create more revenue opportunities for OpenFeint, which lost $6.6 million through the 2010 fiscal year.

Katango is a simple mobile group messaging app built on technology with huge potential. The first Kleiner Perkins sFund investment, Katango’s debut is an eponymous iPhone app that lets users send email, private Facebook wall posts and in-app messages to lists of friend that it automatically that it automatically assembles. It’s this last part that’s so important.

Based on data about a user’s interconnectedness with their friends, Katango instantly and accurately builds what Facebook calls friend lists and Google+ calls Circles. When the company showed me a prototype web interface in early June, it allowed users to export these groups as Facebook friend lists.

Without the ability to send SMS to message recipients that haven’t download the app, it will be hard to compete in mobile messaging with GroupMe and Beluga. However, the algorithm that automatically create friend lists could be be a deciding factor in the battle between Facebook, Google and others for social network supremacy.

>> Read more at Inside Facebook.

Here’s what we are reading this morning:

99% of Android Users At Risk to Data Theft — Apparently 99 percent of Google Android users are vulnerable to data theft of information such as passwords, calendars, credit information, and so on. Posted by The Register, researchers at Germany’s University of Ulm, have discovered improper implementation of an authentication protocol called ClientLogin on Android versions 2.3.3 and below.  Basically, when users log in to something such as Facebook, an “authentication token” is retrieved, but can be used for up to 14 days after; exploitable by hackers.

Though this was patched in Android 2.3.4 and 3.0, 99 percent of Android phones are still vulnerable.

Mobile Companies Seek Security Software — In light of such security risks, it’s worth noting that smartphones are becoming increasingly attractive targets for hackers. As such, Reutersis reporting a digital “gold rush” for mobile security. In fact, Neil Rimer of Index Ventures believes that it will be bigger than computers and market research firm, Infonetics is stating that the mobile security software will gro 50% per year through 2014, reaching $2 billion.

LTE iPhone Delayed — According to DigiTimes, “Apple is likely to delay the launch of its LTE-enabled iPhones to 2012.” Coming from “industry sources,” the delay is due to issues involving “yield rates” of Qualcomm’s LTE chips.

iPhone 4 Tops Japanese Mobile Device List – Market research company, Gfk Japan, has published a list of the top 10 handsets in Japan in terms of units sold during the first quarter of this year. The iPhone 4 16GB and 32GB held the #1 and #2 spots respectively.

China Carriers to Get iPhone 4S in September — In more overseas iPhone-related news, China Mobile, China Telecom, and China Unicorn (all top carriers) have expressed interest in the iPhone 4S, says DigiTimes. As it stands, China Mobile is supposedly expected to reach an agreement with Apple to sell the 4S come September.

Puzzle Game for the Blind — An interesting iOS game by the name of Stem Stumper, from Ananse Productions, has released recently. Unlike normal apps, this one is made for the blind or poorly sighted users. It is a game that utilizes a dynamic soundtrack to guide a character through various puzzles.

Cut the Rope to Launch on Nintendo DS — iPhone puzzle game Cut the Rope has always been a popular game, but now GameSetWatch is listing the title as one slated to come to the Nintendo DS handheld console.

Android Tablets Get Magazine Apps — Android tablets are finally catching up to iPad in terms of magazine apps, reports Business Insider. Publishers such as Condé Nast will be releasing their magazines through Next Issue Media, but will only be available to Samsung Galaxy Tabs (seven inch) bought via Verizon Wireless.

Travel Made Easier With Viator — A company by the name of Viator is cashing in on peoples’ vacations. The company has introduced two new iOS applications on iPhone and iPad that allow users to easily research and plan vacation activities.

Facebook Comes to Any Mobile Device in India — Facebook can now potentially be accessed by any mobile device in India for a rupee a day. According to The Register, Bharti Airtel is offering a text-based level of interactivity (e.g. status updates, friend requests, and wall posts) through the USSD service.

Adknowledge & Ansca Mobile Combine Platforms — Good news for mobile game makers as ad network and monetization solutions provider Adknowledge has teamed up with game engine creator Anasca Mobile to combine their platforms. The Corona development kit is available now for Anasca users.

Push Notifications Gain Traction for Marketing — According to comScore’s“State of Retail” webinar, push notifications are becoming more lucrative. In highlighting the deals and offers sites of Groupon and LivingSocial, they found that 14% of users engaged with the mobile app version of these sites upon receiving a push notification. Email, however, is still dominant with 60% (Groupon) and 53% (LivingSocial) engaging the site/app.

[image via comScore]

Onavo Raises $3 Million — Onavo, and iOS app that reduces data consumption dramatically, has raised $3 million in a round led by Sequoia Capital and with participation from Magma Venture Partners.

Qwiki Co-Founder Leaves — iPad application Qwiki may have grown quickly, but its co-founder, Louis Monier has left the company in order to join Proximic as its chief scientist. According to TechCrunch, the reason for his departure is merely because Qwiki’s “research phase is over, [and] the basic technology is in place.”

Here’s what we were reading earlier this week:

Flipboard Blocked in China — According to TechCrunch, iPad app Flipboard, which just announced the equivalent of 10 million pageviews a day last week, has been blocked in China. The reason is the app grants access to both Facebook and Twitter (which are blocked in China) as it communicates with US servers. CEO Mike McCue notes that a small percentage of their userbase are Chinese.

eBay Launches Motors iPhone App — The folks over at eBay have launched a new iPhone app based on one of its most popular auction verticals, says TechCrunch. The application is dubbed Motors, and the free app allows users to search, bid on, or buy everything from cars, to car parts, to accessories.

Nook Hits 1 Million App Downloads — Barnes & Noble have announced that its new Nook Color has hosted north of 1 million app downloads. Its App Store was launched April 24th.

Seagate Launches Wireless iPhone Storage — Data storage company Seagate has launched a new product called GoFlex today, reports VentureBeat. Made specifically for iDevices, it marks the first of its kind and can store up to 500GB of information and can even be expanded via 802.11 b/g/n wireless networking.

Live Action Angry Birds in Spain — Hasta los Juegos, has reported quite the promotion for Angry Birds in Spain. Held in the city of Terrassa, Deutsche Telekom and Rovio Mobile set up a massive live action set to play a game of Angry Birds. A video can be found here.

Nokia Renames Ovi — In a small piece of news, Nokia has announced that it will be changing their Ovi service brand to the ‘Nokia’ master brand in order “to better support future plans to deliver disruptive and compelling mobile experiences globally.” The new brand will be introduced in July.

New iPhone Coming in September — Though there is nothing ‘officially’ stated, several sites are not only reporting (based on notes from Jefferies & Co analyst Peter Misek) that a new iPhone will be coming in September, but that it won’t actually be an “iPhone 5.” Based on “inside sources” and “industry insiders,” it is being called the “Apple iPhone 4S,” which will host features such as an improved camera, an A5 dual-core processor, and HSPA+ support. Additionally, it was noted that Sprint, T-Mobile, and China Mobile would be added as iPhone carriers.

T-Mobile Not Getting Samsung Galaxy S II — According to Business Insider, while Samsung’s Galaxy S II might be the next big Android Launch, T-Mobile customers have been left out in the cold; based on “leaked” news. The phone will be dubbed Attain, Within, and Function on AT&T, Sprint, and Verizon respectively.

Billing Revolution Raises $6.6 Million — In fiscal news, mobile payments startup Billing Revolution has raised a total of $6.6 million in Series B funding. The round was led by DCM and SK TelecomVentures with the money going to the hiring of new staff.

Microsoft to Purchase Nokia Mobile Division (Rumor) — In a post from Slash Gear (via Murtazin), “leaked” information is noting that Microsoft and Nokia will be discussing the purchasing of the latter’s mobile division later this month.

Facebook has begun allowing developers to ask users for their mobile phone number and home addresses in a move that could show the best and worst of the Facebook Platform. Most critics have immediately focused on how greedy developers will request the data in order to spam users, which is a valid concern. But the access will also enable the creation of apps that keep friends connected via SMS and facilitate ecommerce by pre-populating delivery details.

Though the risks are high, Facebook should not impede innovation for fear of spammers, but instead push forward while minimizing negative outcomes by helping users make more informed decision.

Reduce Risk through Clarity

The biggest problem with access to contact information is that the permission requests for these highly sensitive data fields are not distinguished from requests for more benign data like a user’s Event RSVPs or privileges like publishing to their stream. Some apps ask for a stack of a half dozen permissions, so users have learned to blindly click “Allow” to speed through to the desired application rather than read them all, assuming they aren’t giving away anything too valuable, or can revoke access later.

> Continue reading on Inside Facebook.