China’s alternative Android Markets: lots of app choices, piracy, and security risks

Google hasn’t opened an Android Market in China, so a number of Chinese carriers, phone makers, and independent companies have opened their own versions of the Android Market there. The result is a lot of app choices for Chinese users, but there are also more security risks.

Android has a lot of potential in the Chinese market. If the marketplace for apps can come together, then China could become a land of huge opportunities for app developers. But there are a lot of problems to fix still. That’s one of the conclusions I draw from the latest data from the App Genome Project, a massive study of apps undertaken by Lookout Mobile Security.

Lookout studied two alternative Android markets for Chinese users. While these markets serve a legitimate need for localized Chinese language apps, they also hosted pirated and repackaged apps.

Some 61 percent of the apps in these stores were unique, most likely because they were converted into the Chinese language. About 11 percent of the apps available on the markets were repackaged and likely submitted by someone other than the original developer.

Kevin Mahaffey, co-founder of Lookout, said in an interview that repackaging happens when someone downloads an app from Google’s Android Market. They can then inject their own code into the app and then upload it to an alternative Android Market. Sometimes they  inject malware. Sometimes they inject their own ad code so that advertising dollars flow not to the original app maker but to the person repackaged the app.

Of the repackaged apps, a quarter request more permissions than the original app. (On Google Android phones, users are often prompted to give their permission for an app to access certain functions within the phone, such as accessing their contact lists). That’s ominous, considering malware often triggers permission requests.

Alternative app stores for Apple’s iOS (iPhone, iPad and iPod Touch) also exist. Lookout found that one of the markets existed mainly for pirates, as 85 percent of its apps were pirated. Users who “jail break” their phones, or circumvent Apple’s security software, can download pirated apps from these alternative stores. Roughly 8 percent of the paid apps in the Apple App Store, or nearly 20,000 apps, were found in pirated form on one alternative iOS market. That’s got to be depressing for app developers.

Lookout also found that about a third of the free apps in both the Apple App Store (34 percent) and the Android Market (28 percent) have the ability to access a user’s location. About 7.5 percent of free apps in the Android Market and 11 percent of free apps in the Apple App Store can access contact information.

That’s not alarming by itself, but it’s a potential red flag for privacy violations. Lookout found that there was some good news here, as the number of apps having access to location or contacts has fallen in the past six months. That may be due to more developer sophistication and a heightened awareness of privacy concerns after a big scare on the Android phones last summer.

Speaking of scares, Lookout identified a new trojan, HongTouTou, or the ADRD trojan, in popular repackaged apps targeted at Chinese-speaking users. The malware has 14 different versions so far repackaged in game and wallpaper apps.

[image credit: HTC Wildfire Android Heaven]

Calling all developers: We want to write up your app for VentureBeat’s Mobile App Spotlight! If you have an innovative mobile app that hasn’t been featured on VentureBeat yet, submit it for consideration right away. The Mobile App Spotlight is sponsored by The Intel AppUp developer program.