×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

More Malicious Apps Found On Google Play

Soulskill posted about 2 years ago | from the if-you-built-it-they-will-come dept.

Android 143

suraj.sun writes "We've seen quite a few Android malware discoveries in the recent past, mostly on unofficial Android markets. There was a premium-rate SMS Trojan that not only sent costly SMS messages automatically, but also prevented users' carriers from notifying them of the new charges, a massive Android malware campaign that may be responsible for duping as many as 5 million users, and an malware controlled via SMS. Ars Technica is now reporting another Android malware discovery made by McAfee researcher Carlos Castillo, this time on Google's official app market, Google Play, even after Google announced back in early February that it has started scanning Android apps for malware. Two weeks ago, a separate set of researchers found malicious extensions in the Google Chrome Web Store that could gain complete control of users' Facebook profiles. Quoting the article: 'The repeated discoveries of malware hosted on Google servers underscore the darker side of a market that allows anyone to submit apps with few questions asked. Whatever critics may say about Apple's App Store, which is significantly more selective about the titles it hosts, complaints about malware aren't one of them.'"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

143 comments

Except (4, Insightful)

Anonymous Coward | about 2 years ago | (#39687715)

>complaints about malware aren't one of them
So the ones that raid your contacts and send the information to persons unknown are fine?

Re:Except (3, Insightful)

devleopard (317515) | about 2 years ago | (#39687787)

I've never seen or installed such an app on my iOS devices. I'm sure if I spent some time searching the Slashdot archives, there'd be at least one article; I'm sure the apps do exist. (And are no longer on the app store today). However, these articles about Android malware are weekly, or more often. Google needs to shut it all down, and then relaunch Play where all apps are properly vetted.

Would that destroy the "freedom" concept? Maybe, but such an idea just doesn't work. Would you run any random Windows app on a Windows machine without an antivirus? Android has a massive smartphone share, and it's thusly going to be targeted. Imagine a 1997 where 40% or more all computers sold came with Mac OS or Redhat. Do you think that today we'd know those platform as untargeted by malware? Of course not. Either Google needs to lock things down, or we'll start seeing Norton or McAfee on the phones within the year.

Re:Except (-1)

Anonymous Coward | about 2 years ago | (#39687897)

Aside from the fact that various anti-malware, anti-theft and privacy apps exist already... this has nothing to do with Android.

But let's not forget, now that iOS/OSX has enough of a market share to make them a financially worthwhile target... ;)

Re:Except (-1)

Anonymous Coward | about 2 years ago | (#39688449)

Nigger please. Any iOS app can access your address book information without your permission. Any iOS app can open a TCP connection without your permission (unless you're in airplane mode, of course).

Re:Except (3, Informative)

Cute Fuzzy Bunny (2234232) | about 2 years ago | (#39687873)

Yep, that was the funny part of the article. "Whatever critics may say about Apple's App Store, which is significantly more selective about the titles it hosts, complaints about malware aren't one of them.'"

But one of them would be that the assertion is ridiculously incorrect.

Even weak google-fu turns up this, among many...
http://nakedsecurity.sophos.com/2011/11/08/apple%E2%80%99s-app-store-security-compromised/ [sophos.com]

Why do apple people think their products and services are malware proof, even though anyone with a self respecting brain capacity would know its not true in theory or in practice? Is that why they pay twice as much for stuff?

Re:Except (0)

Anonymous Coward | about 2 years ago | (#39688061)

Speaking of ridiculously incorrect assertions...

Re:Except (2, Insightful)

Anonymous Coward | about 2 years ago | (#39688141)

I think that anyone with self respecting brain capacity would realize that picking the small handful of issues Apple has had with their vetting model cannot be compared to the thousands of apps that compromise Google's model.

Re:Except (4, Insightful)

BasilBrush (643681) | about 2 years ago | (#39688307)

You finding an example of malware doesn't disprove the assertion that people are complaining about malware on the iOS App Store. Just as finding one criminal in the country's safest town wouldn't mean people are complaining about crime there.

iOS App Store has a minuscule amount of malware compared to it's size. There's orders of magnitude more malware on the Android stores.

Re:Except (1, Insightful)

Cute Fuzzy Bunny (2234232) | about 2 years ago | (#39688717)

I too enjoy the random use of immediately made up statistics laid out in terms like 'miniscule' and 'orders of magnitude'. Most of the apps I've downloaded from the app store and from play/market reported all sorts of things they didnt need to know about or report back to some mothership who-knows-where. I've never loaded a malicious app that caused me harm or did something that required repair...from either.

Yet there are plenty of stories about malware and the ability to enact it on both platforms, in all kinds. To say otherwise is simply laying on the blinders because otherwise you'll wonder why you paid so much.

Re:Except (2)

Electricity Likes Me (1098643) | about 2 years ago | (#39690581)

In fact I'd go with the idea that many iOS apps are just more intelligent parasites then the well-known examples of Android malware. If you sit around all day spamming premium SMS, you kill your hosts pretty quickly.

iOS can give away all your private information happily, and no one's the wiser. The app store review process is basically encouraging this kind of intelligent evolution.

Re:Except (0)

Anonymous Coward | about 2 years ago | (#39688773)

Aww... guy seems to be having a hissy-fit that Apple's app store has literally no issues with Malware. Sure, there may be the (rare) occasional blip that comes up mainly from a security research firm but one cannot in even the remote sense compare whatever issues Apple's app store to the wild-west mentality and cess pool policies that Android's "open" model has.

The problem is that the only people that can really keep their Android devices malware/virus free are not representative of the majority of smartphone users. Yet these tech-saavy individuals have the audacity to criticize Apple and their "walled garden" approach as draconian knowing full well that their own solution is essentially garbage. The majority of smartphone users DO NOT want to babysit their devices like their desktop counterparts. They just want them to work. Android enthusiasts are just being ignorant to the problem at hand.

But hey, keep preaching that "open & free" mentality. Look how good it's working for ya.

Re:Except (1)

bhagwad (1426855) | about 2 years ago | (#39689903)

...compare whatever issues Apple's app store to the wild-west mentality and cess pool policies that Android's "open" model has.

It's not as if being the "wild west" is something new. Regular operating systems like Windows have been a "wild west" for decades and I hope they will continue to be that way. Android is even MORE controlled than Windows since there's no single windows marketplace. The wild west is a good thing. It democratizes the ecosystem and does immense good for the computing world in general.

Re:Except (1)

Grishnakh (216268) | about 2 years ago | (#39690899)

Android is even MORE controlled than Windows since there's no single windows marketplace.

Not exactly: there's more than one Android marketplace. For one thing, I'm on T-mobile, and they have their own little app store (which I admit I've never even bothered looking at). Secondly, it's not hard to install other apps from other sources than the Google Play store. Of course, if you do such a thing, obviously you're taking an additional risk, but the option is always there. Unlike Apple, they don't make it extremely hard (or require someone to hack the phone, a la "jailbreaking") to do things the makers never intended or don't approve of.

The wild west is a good thing. It democratizes the ecosystem and does immense good for the computing world in general.

Agreed. It's more risky, but as they say, freedom isn't free. You want Big Brother watching over you all the time and telling you what you can and can't do with your phone, go spend 2-4x as much and buy an iPhone. You want freedom, get an Android phone, and exercise some basic caution (like not downloading some POS app that has no reviews).

One of the things I like about my Android phone is that I can change just about anything. Don't like the dialer and contact manager? No problem, just download one of the many alternatives. Try that with an iPhone. iPhone lovers are like the people who buy a car and never customize anything on it, and worse even leave the airbag warning labels stuck to the dashboard (the ones you're supposed to peel off when you buy it) and leave the dealer's advertising stuck all over it.

Re:Except (5, Insightful)

PNutts (199112) | about 2 years ago | (#39688029)

>complaints about malware aren't one of them
So the ones that raid your contacts and send the information to persons unknown are fine?

No, but who could have imaged the apps below would harvest your contacts! It's almost like they were built specifically to share information.

Foursquare
Path
Instagram
Facebook
Twitter for iOS
Voxer

Re:Except (0)

Anonymous Coward | about 2 years ago | (#39689833)

instagram is now owned by facebook

Bad robot (0)

Anonymous Coward | about 2 years ago | (#39690849)

"It's almost like they were built specifically to share information"

I see, so you think that because they're built to share SOME information with SOME people when under MY permission, that this is some sort of blanket right to grab all my contact details and upload them to their servers to use as they will?

There are two parties involved in a conversation, and they don't even really have 1 of those peoples permission to grab that contact detail. Just because I consented to Bob having my private telephone number, doesn't mean I granted Mark Zuckerberg the right to that data and Bob cannot give permission on my behalf and didn't anyway.

Re:Bad robot (1)

Grishnakh (216268) | about 2 years ago | (#39690903)

If you use Facebook on your phone, you should be happy for Mark Zuckerberg to have access to all your private phone numbers and other data. You'd have to be blind to not know by now that Facebook doesn't care one whit about your privacy, so by using their app on your phone you should expect they would grab all the data they can.

Re:Except (4, Informative)

BasilBrush (643681) | about 2 years ago | (#39688361)

So the ones that raid your contacts and send the information to persons unknown are fine?

Clearly not. But they are many times less bad than the Android one described that is costing you serious money by sending premium-rate SMSs.

But Google is OPEN!!!!! You heard me??? (-1)

Anonymous Coward | about 2 years ago | (#39687737)

Nothing goes above OPEN! As open as it gets to get all of your data and make some money off it.

It drives me crazy (4, Insightful)

Reed Solomon (897367) | about 2 years ago | (#39687761)

Why can't they offer a vetting process for apps? Not everything needs the "Google seal of approval", but having a google verified or trusted apps icon appear on an app might alleviate some of the problems, or at least the perception of the google market store (I can't call it google play store, it's just stupid) being a haven for malware and cheap ripoffs.

In fact, this could be a policy that a third party app store could institute. It would be interesting to see it happen, as they could potentially become more popular than Google's own store.

Re:It drives me crazy (2, Informative)

Anonymous Coward | about 2 years ago | (#39687817)

There is a "super developer" tag for some developers (adobe, rovio, others), plus there is the "suggested by the team" category, so what you suggest already exists in some form.

Re:It drives me crazy (1)

Shavano (2541114) | about 2 years ago | (#39687935)

But does their suggestion imply anything other than they were paid for the endorsement? Are they liable under Google's ToS for any damages if the app turns out to be nothing but a fraud scheme?

Re:It drives me crazy (2)

cynyr (703126) | about 2 years ago | (#39689325)

Is apple? do they refund the purchase price if they remove an app?

I do generally agree with the GGP, and would like to see something implemented as an optional thing. $5 to have your app vetted and get a little sticker next to it for every update you make.

Re:It drives me crazy (-1)

davester666 (731373) | about 2 years ago | (#39687831)

Because EVERYBODY makes money off these apps, except the end-user.

Google makes money off ads in the apps and the sale of the app itself
The Carriers make money off the calls/SMS's these apps make/send
App Maker makes money off the calls/SMS's these apps make/send and sales of the app itself

Re:It drives me crazy (2, Insightful)

Anonymous Coward | about 2 years ago | (#39687867)

Oh bull. Google isn't letting malware into their store so a few more handsets will show ads.

Shit just slips through.

Re:It drives me crazy (-1)

Anonymous Coward | about 2 years ago | (#39688299)

"Shit just slips through."

Yeah, and that is called Fuckle Assdroid, or as you Fuckle loving fucktards call Google Android. Look at the track record of Apple compared to Fuckle, Apple always comes out ahead with iOS as it is far more secure than your fuckle piece of shit.

Re:It drives me crazy (1)

Anonymous Coward | about 2 years ago | (#39688393)

Sir, what kind of sad fuck existence do you lead? "Fuckle Assdroid"? At least put some effort into it.

Re:It drives me crazy (-1)

Anonymous Coward | about 2 years ago | (#39689019)

If a 6 figure income, a hot wife that knows how to cook, and enjoying the finer things in life to you means a "sad fuck existance" then you lead an even sadder fuck existance as you can only screw inflatable dolls because your mom told me you were so fugly when you were born she considered killing you. Fuck, your mom also told me that you are so fugly now a prostitute will not even fuck you no matter how much she is fucking paid. But she had to keep you since murdering stupid fucktarded dipshits like you is, unfortunately, illegal.

BTW, I put more effort into "Fuckle Assdroid" than you have put into your entire miserable existance fucktard.

Re:It drives me crazy (0, Funny)

Anonymous Coward | about 2 years ago | (#39689107)

If a 6 figure income, a hot wife that knows how to cook, and enjoying the finer things in life to you means a "sad fuck existance" then you lead an even sadder fuck existance as you can only screw inflatable dolls because your mom told me you were so fugly when you were born she considered killing you. Fuck, your mom also told me that you are so fugly now a prostitute will not even fuck you no matter how much she is fucking paid. But she had to keep you since murdering stupid fucktarded dipshits like you is, unfortunately, illegal.

BTW, I put more effort into "Fuckle Assdroid" than you have put into your entire miserable existance fucktard.

Wow! Your complete overreaction tells me you're lying through the holes in your teeth.

Re:It drives me crazy (0)

Anonymous Coward | about 2 years ago | (#39691097)

That's a real nice dream there kid. Keep sucking those dicks in the truck stop toilets and you might earn enough to open your own shoe shine stand one day!

Re:It drives me crazy (0)

Anonymous Coward | about 2 years ago | (#39688417)

That's a really clever renaming!

Re:It drives me crazy (1)

BasilBrush (643681) | about 2 years ago | (#39688625)

No they're letting malware into their store because "it's open!"

Re:It drives me crazy (0)

Anonymous Coward | about 2 years ago | (#39688923)

Please stop replying to posts that you don't even know are there. It's confusing.

Re:It drives me crazy (4, Interesting)

alostpacket (1972110) | about 2 years ago | (#39687921)

AFAIK, contrary to popular belief Google does not make much off of app sales. That money goes to the user's carrier. Rumor has it this was a back-room deal in the early days of Android to prevent carrier app stores (which were terrible back in the BREW days).

That doesn't sound feasible. (1)

phorm (591458) | about 2 years ago | (#39690127)

a) They'd have to have such a deal with all carriers for it to be feasbile
b) Not everybody *HAS* a carrier (think: tablets/wifi)
c) Who cares if the carriers have app stores?

I think that perhaps instead of carrier, you meant manufacturer? Even in that case you've already got the "amazon app store" etc though...

Re:It drives me crazy (1)

Anonymous Coward | about 2 years ago | (#39687975)

The idea is pretty simple. Because its an open platform, anyone can start their own app store and each one has different levels of vetting. Sounds like you prefer the Amazon model. It's fairly easy to install the Amazon Appstore if that's what you want.

Re:It drives me crazy (3, Insightful)

Microlith (54737) | about 2 years ago | (#39688031)

That's meaningless for the problem at hand, which is that Google's own store is being used as a vector for malware. Google pressing a bit harder on app developers to prevent their store being a hazardous place would have no impact on the openness of the platform.

Happening on App Store too (5, Insightful)

chrb (1083577) | about 2 years ago | (#39687813)

"some of App Store's shiniest celebrities are among those that beam away your contact list in order to make hooking up with other friends who use the app smoother. " http://m.gizmodo.com/5885321/how-iphone-apps-steal-your-contact-data-and-why-you-cant-stop-it [gizmodo.com]

Re:Happening on App Store too (0)

Anonymous Coward | about 2 years ago | (#39687919)

It is more than a bit of stretch to make this some sort of equivalency.

Re:Happening on App Store too (5, Informative)

chrb (1083577) | about 2 years ago | (#39688019)

It's the same problem. From ArsTechnica:

"Google has removed at least 15 Android apps from its official Play market after receiving outside reports they were malicious trojans that siphoned names, telephone numbers of email addresses of every person in the phone's contact list.

..In the background and without warning, they also obtained the phone number and a unique identifier of the infected device and sent the information in clear text to a remote server under the control of the software developers. "

Which is exactly what some iOS apps are also doing. This is not an Android specific problem.

Re:Happening on App Store too (1)

BasilBrush (643681) | about 2 years ago | (#39688541)

"We've seen quite a few Android malware discoveries in the recent past, mostly on unofficial Android markets. There was a premium-rate SMS Trojan that not only sent costly SMS messages automatically, but also prevented users' carriers from notifying them of the new charges, a massive Android malware campaign that may be responsible for duping as many as 5 million users, and an malware controlled via SMS."
It's in the fucking summary.

It doesn't happen to iPhones.

Re:Happening on App Store too (1)

chrb (1083577) | about 2 years ago | (#39689493)

It's in the fucking summary.

The text you quote is in the summary, but it has absolutely nothing to do with the article, which is about apps uploading contacts to remote servers.

It doesn't happen to iPhones.

Yes it does - there are iPhone apps which upload the contacts to a remote server.

Re:Happening on App Store too (1)

BasilBrush (643681) | about 2 years ago | (#39689917)

There has been no iPhone malware that sends maliciously premium-rate SMSs. There has been Android malware that does that.

And Apple addressed it (3, Insightful)

daveschroeder (516195) | about 2 years ago | (#39688015)

Apple: App Access to Contact Data Will Require Explicit User Permission [allthingsd.com]

I guess you forgot that part.

And the part about how these apps weren't "malware", irrespective of whether they were doing something previously allowable without explicit user permission.

So it's not at all accurate to say that it's "happening on the App Store too".

Re:And Apple addressed it (4, Informative)

chrb (1083577) | about 2 years ago | (#39688087)

And how is that solution different from Android? Android already requires users to authorize apps to read contact details, the problem is that most people don't care. These Android apps are being called malware because they upload the contacts list without permission, which is exactly the same as many ios apps do.

Re:And Apple addressed it (1)

BasilBrush (643681) | about 2 years ago | (#39688519)

And how is that solution different from Android?

On the one hand you've got iPhone Apps sending contact details - previously without user permission - now with user permission. Although in either case not with malicious intent.

On the other hand you've got Android apps sending premium rate phone numbers without the users permission.

And you\re having trouble differentiating?

Or were you just trying to ignore the type of malicious app mentioned in the summary, because it's bad news for Android?

Re:And Apple addressed it (1)

chrb (1083577) | about 2 years ago | (#39689519)

On the one hand you've got iPhone Apps sending contact details - previously without user permission - now with user permission. Although in either case not with malicious intent.

And how would you know that it is without malicious intent? There are many, possibly hundreds, of iPhone apps that grab the contacts, how do you know what happens to those contact details once they are uploaded?

On the other hand you've got Android apps sending premium rate phone numbers without the users permission.

That is not what the article is about.

Or were you just trying to ignore the type of malicious app mentioned in the summary, because it's bad news for Android?

I was responding to the article, not the summary. The summary has nothing to do with the article. The article is claiming that users contact details can be grabbed by Android apps. The same is true of iphone apps.

Re:And Apple addressed it (1)

BasilBrush (643681) | about 2 years ago | (#39689929)

That is not what the article is about.

It's in the summary. More importantly it's in Android phones. But you want to ignore it because it's not convenient for your favoured platform.

Re:And Apple addressed it (5, Interesting)

93 Escort Wagon (326346) | about 2 years ago | (#39688691)

And how is that solution different from Android? Android already requires users to authorize apps to read contact details, the problem is that most people don't care. These Android apps are being called malware because they upload the contacts list without permission, which is exactly the same as many ios apps do.

Either you've never looked into this, or you're dissembling. I have an Android phone; and at the time an app is installed Android provides a somewhat generic list of all the things the app will have access to - there are usually a half dozen or so items on that list, and it would be very easy to overlook contact Info since it's somewhat buried among the generic stuff like phone state, network access, and so on.

With iOS, when an app tries to access Contacts - you get a pop-up at that time telling you that and asking if it should be allowed. It's a dramatic improvement over what it used to be, and over what Android currently does.

Re:And Apple addressed it (1)

AmberBlackCat (829689) | about 2 years ago | (#39689539)

I would LOOOOOOVE to be able to install Android apps and then click no on that popup after the fact. Because adding unnecessary permissions is a favorite activity of Android developers. Phone owners should be able to change any permissions on an individual basis at any time without rooting the phone.

Re:And Apple addressed it (3, Interesting)

Electricity Likes Me (1098643) | about 2 years ago | (#39690607)

This, so much this.

Telling me something wants a bunch of vague permissions is about as useless as the iPhone "This app may read private data" message, since pretty much everything wants to do that.

What I want is to be able to see exactly what it's planning to do. If an eBook reader app wants SD cart access, maybe I want to only give it access to the "Books" directory on the card, since it has no reason to look anywhere else. If something wants full web access...well I'd like to prevent that, and then see if the app has any actual problems. Or I'd like to be notified about the hostname's being contacted and whitelist/blacklist them selectively.

Of course, these aren't Android or even smartphone specific problems IMO - it's a problem with providing user security on every single platform in existence. No one's made it suitably simple to tell what an app is doing, or wants to do, and allow or deny that with reasonable, but not owerpowering, fidelity.

Re:And Apple addressed it (0)

Anonymous Coward | about 2 years ago | (#39690749)

I agree, and Google's aware of the fact that many users would love this option. I've seen a petition floating around somewhere. But think about it for a few seconds - all you have to do is block an application from creating network sockets and then it can't download any ads. Why would (profit-seeking) developers write an app if you could disable ads that easily.

Although it doesn't make a difference in the end - for those apps that request network access when they have no business doing so, you can just turn on airplane mode.

Re:And Apple addressed it (1)

chrb (1083577) | about 2 years ago | (#39689577)

So Android prompts for permissions at install time, and iOS prompts for permissions at runtime. That is not a major difference: it is exactly the same system of explicitly asking the user for permissions, it just happens at a different time. The majority of users are just going to click "ok" anyway. To claim that the iPhone is somehow protected while Android is vulnerable is really stretching.

Re:And Apple addressed it (0)

Anonymous Coward | about 2 years ago | (#39689887)

Upon entering a public space, someone requires you to agree to assume the risk that violence may occur.

Yes or no?

Someone walks up to you and asks if they may punch you in the face.

Yes or no?

Re:And Apple addressed it (1)

thegarbz (1787294) | about 2 years ago | (#39691095)

there are usually a half dozen or so items on that list, and it would be very easy to overlook contact Info since it's somewhat buried among the generic stuff

And there's the crux of it right there. People are prepared to read only the first line of any warning they are getting. But OH MY GOD SIX LINES? My privacy and data aren't worth the 6 seconds it takes to read these!!!

The reality is that most apps will actually require fairly few permissions, so if I'm downloading a game for instance my alarm bells instantly go off when I see more than 2-3 permissions being requested to begin with.

Re:Happening on App Store too (3, Informative)

gstrickler (920733) | about 2 years ago | (#39688491)

5 of those 6 apps listed give you a warning and/or choice before they touch your contacts. Path is the only one that does it without your consent.

I only have one of those 6 installed (FB), and I did not give it permission to access and synchronize my contacts, and I never will.

As others pointed out, comparing that to malware is more than a stretch. You could make a case for Path qualifying because it did so without notification or consent. At most, that's one app that qualifies. Even if you do count it as malware, comparing it to malware that sends SMS messages that cost you money is absurd.

If you want to point out malware on iOS, you should point to the 2-3 actual cases of malware that have been found in the App Store over the years, not 5 applications that notify you they're going to access your contacts.

Re:Happening on App Store too (1)

chrb (1083577) | about 2 years ago | (#39689659)

5 of those 6 apps listed give you a warning and/or choice before they touch your contacts.

They only tested 12 popular iPhone apps. Out of the 12 apps tested, 6 uploaded your contact details to a remote server, 1 without any warning. There are 585 thousand apps in the App Store. If you just extrapolate that data, then you can estimate that 48750 apps are grabbing users contacts without consent, and 292500 apps are grabbing contacts with a warning.

That would just be a very rough estimate, but the problem is obviously not limited to the popular apps that one security researcher happened to analyse, and which happened to transmit the contacts in plaintext across the network. (As he points out, if the app encrypts the contacts data, he wouldn't see it)

Re:Happening on App Store too (1)

gstrickler (920733) | about 2 years ago | (#39689811)

And 2/3 of the people in my office are orthodox Jews. If you just extrapolate that, there are 200M Orthodox Jews in the USA.

In other words, the sample size is too small and too selective to be of any use and your comment is complete nonsense.

Re:Happening on App Store too (1)

X.25 (255792) | about 2 years ago | (#39691139)

5 of those 6 apps listed give you a warning and/or choice before they touch your contacts. Path is the only one that does it without your consent.

Android asks you for permission when you're installing the application.

Is it Android's fault that users are stupid and give permission, then yell "MALWARE!!!"?

disenchanted (0)

Anonymous Coward | about 2 years ago | (#39687823)

so, I bought an android and its nice and whatever, then i go to download a random free game or app from the google whatever place..

it tells me it will know my location to play a free non multiplayer game? my other stored contacts information? wth?

Permissions (3)

pd0x (2618075) | about 2 years ago | (#39687829)

I think it's worth noting that the new malicious applications found by McAfee researchers were video trailer applications that overtly requested the READ_PHONE_STATE and READ_CONTACTS permissions at install time.

While it's clear that users have limited comprehension of the permissions requested at install time (for instance see: Android Permissions: User Attention, Comprehension, and Behavior [berkeley.edu]) it is rather suspicious that a trailer application require access to your contact list. From the sounds of it the malware doesn't do much other than siphon off your contact list & some identifying information (Android ID & phone number).

Should it be removed from the Android market? Yes. Is it the best example of subversive Android applications? Probably not.

Re:Permissions (1)

chrb (1083577) | about 2 years ago | (#39687901)

The question is, should apps be allowed to upload your contact data? Both Android and ios apps allow this, and some of the most popular apps do it. [gizmodo.com]

Re:Permissions (3, Interesting)

pd0x (2618075) | about 2 years ago | (#39688109)

It seems that a good number of apps do this to "find friends" using the app. It would certainly be much better if upon app installation your associated account e-mail was hashed using SHA256 (or some alternative hashing algorithm) and stored by the service. Rather than upload a users entire contact list the apps could then submit hashes of contact e-mail addresses looking for matches without being able to identify users not using the service in question.

Re:Permissions (4, Informative)

alostpacket (1972110) | about 2 years ago | (#39687963)

You don't need a permission to read the Android Device ID, however READ_PHONE_STATE gives them access to the ESN, MEID, IMEI, IMSI etc...

The other worrisome problems with that permission are that:

1) It is granted by default for any apps targeting 1.5 or below, and the user is not warned about it.

2) It also allows some access to see incoming and outgoing numbers when a call is taking place.

Re:Permissions (2)

pd0x (2618075) | about 2 years ago | (#39688073)

You are 100% right about the Android Device ID but is less of a privacy concern than the ESN, IMEI, etc that is protected by READ_PHONE_STATE. It is randomly generated, and can change with factory reset or by means of root access. The use of the Android Device ID for the purpose of tracking app installations is clearly supported behavior [blogspot.ca] with the caveats I mention outlined.

Worry #1 is probably not that devastating a concern. The Google platform distribution [android.com] shows only 0.3% of users are running 1.5 or below at this point. It is my experience that few apps support Cupcake and below.

Re:Permissions (2)

nabsltd (1313397) | about 2 years ago | (#39688115)

it is rather suspicious that a trailer application require access to your contact list.

When every app with a "social networking" component requires access to the contacts list, it's not really that suspicious.

If you didn't install any app that required access to your contacts, you pretty much won't install any games, multimedia manipulation apps, etc. The only real thing this malware did to get easily caught was to not supply some sort of lame "recommend" feature. Once an app needs access to your contacts and the Internet, it's basically malware waiting to happen.

Re:Permissions (1)

pd0x (2618075) | about 2 years ago | (#39688145)

That's a fair perspective. I suspect my app installation habits differ from most users.

Re:Permissions (0)

Anonymous Coward | about 2 years ago | (#39688575)

Well, if you are into the whole social network hype, you kind of deserve to get tracked and ripped off. You basically asked for it yourself.

"Hey every bad guy out there, here, have all information you want about me!"

Blah blah blah... (1)

Petersko (564140) | about 2 years ago | (#39688815)

"Well, if you are into the whole social network hype, you kind of deserve to get tracked and ripped off. You basically asked for it yourself."

And if you got a telephone, you deserve to be called by telemarketers and scam artists. And if you got a car you deserve to be carjacked. And if you have electricy you deserve to be electrocuted.

You basically asked for it yourself. Those are all possible consequences of choosing those products.

Stay in your luddite cave and disconnect. Toodles.

Re:Permissions (1)

cynyr (703126) | about 2 years ago | (#39689379)

Yes it is, lots of my apps do not have access to the internet, and some only over wifi. I'm also using ad-away and droid wall along with CM7's permission blocking. There are still i'm sure a few things that get by, I see a handful of ads on "words for friends" for example.

Re:Permissions (3, Insightful)

Electricity Likes Me (1098643) | about 2 years ago | (#39690619)

Actually the real problem is you can't hit "no" and continue with the installation.

Knowing what an app wants to do is one thing, but it doesn't tell me whether it's actually malicious. Getting an intelligent list of what it tried to do would help. Being able to tell my tablet to disallow or just lie about certain things would help more though - i.e. prevent access to contacts data, or, better, pretend I don't have any contacts data.

Freedom (0)

Anonymous Coward | about 2 years ago | (#39687857)

Enjoy that freedom, y'all.

Re:Freedom (0)

Anonymous Coward | about 2 years ago | (#39688153)

We will. Enjoy your locked down, one-trick pocket appliance.

"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."
--Benjamin Franklin

When did the trolls start posting articles? (1)

Anonymous Coward | about 2 years ago | (#39687859)

Not only have there been numerous problems with malware on iOS, a recent study (too lazy to search for it) randomly selected a bunch of apple-vetted apps and apps from a jailbreak-only iPhone app store, and found that a larger percentage of apple app store apps are malware than ones from the third-party unvetted store...

Re:When did the trolls start posting articles? (1)

PNutts (199112) | about 2 years ago | (#39687951)

Not only have there been numerous problems with malware on iOS, a recent study (too lazy to search for it) randomly selected a bunch of apple-vetted apps and apps from a jailbreak-only iPhone app store, and found that a larger percentage of apple app store apps are malware than ones from the third-party unvetted store...

Seems legit.

Re:When did the trolls start posting articles? (4, Funny)

BasilBrush (643681) | about 2 years ago | (#39688607)

I've seen a recent study (too lazy to search for it) that says that the Queen of England is a Lizard.

Re:When did the trolls start posting articles? (1)

thetoadwarrior (1268702) | about 2 years ago | (#39689195)

Yeah and I can't understand why people get all upset over Hitler. After all Stalin killed people too!

The article has nothing to do with Android??? (-1)

Anonymous Coward | about 2 years ago | (#39687869)

Google Play encompasses all of their market services...

Chrome Web Store != Android Market

Failure of the "moron in a hurry" litmus test... These researchers found extensions for Chrome, NOT Android.

FWIW, if you installed the extensions, you could compromise any of the platforms Chrome supports... Including Apple's, oh rabid fanbois!

Google and Market Choice? Perhaps. (1)

sunfly (1248694) | about 2 years ago | (#39687871)

One argument is that this is simply a market choice, A) a free and open market that is easy to upload malware, or B) a closed market that is difficult to upload malware.

Perhaps, but I believe you can have both. If a third party was able to find this malware in the market, why can't Google? Google simply needs to make this a priority, and do a better job. Scanning and making sense of the data really is their core strength.

Re:Google and Market Choice? Perhaps. (1)

nurb432 (527695) | about 2 years ago | (#39688059)

I tend to agree, not at least doing automated scanning is irresponsible. At least make an attempt..

I would also hope there is some prosecuting involved when these apps are found and removed.Otherwise, they will just try again.

Halting Problem (1)

tepples (727027) | about 2 years ago | (#39690267)

not at least doing automated scanning is irresponsible

How would you solve the Halting Problem to make automated scanning feasible?

Re:Google and Market Choice? Perhaps. (1)

thetoadwarrior (1268702) | about 2 years ago | (#39689211)

Same reason their customer support is shit and your only point of contact really is a dumb messaging board service. Google, imo, isn't that bothered about looking after people.

NO MORE WITH THE HAND HOLDING (0)

Anonymous Coward | about 2 years ago | (#39688049)

You are responsible for what you install, and the consequences thereof. Enough with pushing responsibility to another party. If you install something you better vet the code.

The attitude of the USA has become the prime example of a irresponsible nation, denouncing personal responsibility and pointing fingers.... No small wonder we're a failing country

Re:NO MORE WITH THE HAND HOLDING (0)

Anonymous Coward | about 2 years ago | (#39688139)

You are responsible for what you install, and the consequences thereof. Enough with pushing responsibility to another party. If you install something you better vet the code.

The attitude of the USA has become the prime example of a irresponsible nation, denouncing personal responsibility and pointing fingers.... No small wonder we're a failing country

Which country vets the code on their smartphone apps? And I assume you "vet the code" of the OS(s) and apps you use? And remember "vet" means a thorough examination and critical appraisal. It is enviable that you know all the exploits and which apps take advantage of them. Please share.

Security researcher lol (0)

Anonymous Coward | about 2 years ago | (#39688117)

I made a "proof of concept" key that lets intruders into Carlos castillos house I suggest all members of his household buy my "security services"

my favorite is when they steal ALL my info and... (0)

Anonymous Coward | about 2 years ago | (#39688213)

My favorite android scam is when they create fake reviews and when you open the app you automatically run scripts to like ans subscribe to things on facebook and other social networks, and of course they love to use your email app to send things out. It's amazing how all of it works but also a pain in the rear-end to find out which app is doing all of this. Unlike a PC, tablets or smart phones are ridiculously hard to administer any solution. Antivirus apps never seem to work for me on those things. I agree with the whole authentication thing but what would work even better is if google's lawyers would go out and charge every developer that maliciously fked up people's devices on purpose.

And yet... (0)

Anonymous Coward | about 2 years ago | (#39688231)

And yet slashdotters like to make fun of WP7 even though by most all accounts it is a very good OS. Looks like the shoes is on the other foot nowadays.

Surely people on this site will now make fun of Android like they make fun of Windows, right? I mean, they wouldn't be openly hypocritical, right?

Google gathering ripoff-artists (3, Insightful)

Jens Egon (947467) | about 2 years ago | (#39688303)

Yes, there's a significant problem here.

The problem is that Google does NOT like free apps. Google make their money from advertizing, and on Google Play they're actively hiding whether are apps paid for by advertizing. This means that FOSS is having a hard time there. And cheap rip-offs of various kinds are having a field day. Once a thriving community of rip-off artists have been gathered bad things(tm) happen (even more).

By the way. Congratulations, the professional anti-Google scaremongers found a semi-reasonable point to criticize. Well done.

And just enough off-center from the real problems not to bother your Corporate Overlords, nice.

Thanks, George W. and US' morons! (0)

Anonymous Coward | about 2 years ago | (#39688461)

The obvious thing to do when you cannot protect people is help them defend themselves (martial arts, gun wielding, etc.)

The safe choice would be recommend to users not to use real names, to protect themselves from evildoers. But no, they had to enforce he requirement for people to use real names (because there could be a terrorist among us).

Now, maybe I'm dumb -- but even I know a terrorist would lie about his name -- while normal non-aggressive dudes think they can be honest and say the truth, because they haven't anything to hide.

So, the policy is give criminals a huge database of names (and locations!) to fetch potential victims or aliases. Mission accomplished!

With people that wise in government, I guess the US really doesn't need enemies.

A little help here? (2)

PopeRatzo (965947) | about 2 years ago | (#39688709)

Would it have killed all the "security researchers" who wrote or compiled all the articles behind all the links in this story to maybe list the apps that have been found to have trojans?

I mean, Android users might find that information useful and it might actually help minimize the damage from these apps.

Right now, it's like a news story that tells us "Three common home products have been proven to cause deadly forms of cancer" without mentioning which products they are.

GOOD POINT & I agree (slightly diff. reasons) (0)

Anonymous Coward | about 2 years ago | (#39689301)

Whenever I see an article dealing in malware, I have found that the BETTER ONES list actual IP addresses OR host-domain name lists for botnet C&C servers (which I add the ip addresses to my software firewall rules table in Windows via powershell & the host-domain lists to that AND my hosts file (for layered-security/defense-in-depth purposes).

* After all, you're "reading up" on the stuff, to GET pertinent information, & to me? I hear exactly what you're saying... it's NOT ENOUGH to say "there is malware here" but where it's coming from (or in your case, its name).

APK

P.S.=> To me? It's like getting ready to eat a good meal, only to find it has NO flavor (or I suppose for a better analogy for us both? No nutritional value..)

... apk

It's what I've been saying here all along... apk (0)

Anonymous Coward | about 2 years ago | (#39688889)

Getting "downmodded" for it rampantly by offended "penguins" no doubt: ANDROID's @ the "top-of-the-food-chain" on smartphones, & what happens then? YOU GET ATTACKED!

* It's no different than what has happened to Windows for decades now really - once you're the "top dog" (most used/biggest market-share)? You're going to be "targetted for termination!"

I use this analogy here a lot in regards to it:

Malware maker of today, are criminals (not just kids in their basement doing it for shits & giggles) - they're after your monies &/or personal information (like Credit Card #'s, which is of course again, your "$"):

They're just like pickpockets (my fav. to compare them to) - They don't go after OS's that aren't widely used, and avoid ones that "techno geeks" use on PC's (like Linux, which also gets the benefits of "least used" in 1 respect - 'security-by-obscurity' thru lower marketshare/usage on PC's)...

They go where the LARGEST #'s of folks are, & especially "non-techie" types: Smartphones = ANDROID (like for PC's its Windows).

That yields a BIGGER/BETTER "ROI" in terms of time put in for creating their malwares (which, on an 'educated guess' from building freeware/shareware on the side myself for many years ontop of work-related duties in the past, is about 1 month tops) - So, they attack ANDROID like mad!

Linux derivant or not, it's also PROOF that even Linux != invulnerable (despite YEARS of hearing that on /. along the lines of "Linux = Secure & Windows ! = Secure)).

APK

P.S.=> It was BOUND TO HAPPEN, & here 'tis folks... too bad, because ANDROID's pretty nifty stuff on smartphones, but in a way (making lemonade outta lemons)? It's NOT BAD: Simply because these malware makers are THE BEST "R&D" THERE IS FOR ANDROID AS AN OPERATING SYSTEM - they point out where the "holes" are so that GOOGLE can "shore them up". Always a 'bright-side' in everything...

... apk

Re:It's what I've been saying here all along... ap (1)

cynyr (703126) | about 2 years ago | (#39689545)

I don't think that anyone said that linux with a dumb user is secure. What was the point was back then you could install malware on a windows computer simply by connecting to it, loading a malformed picture, or any other number of things that even a smart user couldn't prevent.

Now how many of these apps can self install on an android phone without the owners knowledge? how is that any different that say, around the year 2000 when your mom/grandma/uncle/younger brother would just click and download and install any link/program they found on the internet? People really need to realize that these smartphones really are just tiny portable computers that happen to have phone programs installed by default, all the same things you have to do on your computer to keep it safe apply on them as well.

Right - that was part of my point (see quote) (0)

Anonymous Coward | about 2 years ago | (#39690819)

"They're just like pickpockets (my fav. to compare them to) - They don't go after OS's that aren't widely used, and avoid ones that "techno geeks" use on PC's (like Linux, which also gets the benefits of "least used" in 1 respect - 'security-by-obscurity' thru lower marketshare/usage on PC's)... They go where the LARGEST #'s of folks are, & especially "non-techie" types: Smartphones = ANDROID (like for PC's its Windows)." - MYSELF -> by Anonymous Coward on Saturday April 14, @06:16PM (#39688889

I don't call them "dumb" though - just ignorant of things online... innocents really, when you come right down to it.

* Hence, the boldes portions of the quotation above... Again though, on malware makers (even though they're misguided thieves & scum basically): They DO show GOOGLE (& perhaps even the Penguins crew that maintains & codes Linux itself) where the holes are, or potentials for them, & gives them impetus + perhaps even ideas how to "shore them up"...

AND?

I *think* you're going to like THIS:

"you could install malware on a windows computer simply by connecting to it, loading a malformed picture, or any other number of things that even a smart user couldn't prevent." - by cynyr (703126) on Saturday April 14, @07:53PM (#39689545) Homepage

This 'smart user' can, even on Windows (modern Windows, that is, even running as admin & it's only about 5 minutes time to setup really).

I run as a member of the "administrator class" users, but in a special "limited administrator class" (what I call it @ least) type user!

Just like you see on how MacOS X makes you LITERALLY "login" to install apps, like it or not.

So, how to stop ME, from screwing myself on taking chances on messing up as you state?

Even when the crap might be trying to install without me realizing it, say, invisibly??

This is how, & it works - So, yes, just like MacOS X does it?

It can be done on Windows, and I am honestly surprised it's not (especially when running as admin, vs. what you noted above, because this? This stops that kind of crap, even when running as admin):

The settings to examine & change are as follows in gpedit.msc &/or regedit.exe:

---

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Admin Approval Mode for the Built-in Administrator account

OR

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken

(Set as ENABLED)

---

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

OR

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin

(Set as PROMPT FOR CREDENTIALS)

---

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for standard users

OR

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser

(Set as Automatically deny elevation requests)

---

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation

OR

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection

(Set as ENABLED)

---

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in secure locations

OR

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths

(Set as ENABLED)

---

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Run all administrators in Admin Approval Mode

OR

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA

(Set as ENABLED)

---

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Switch to the secure desktop when prompting for elevation

OR

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop

(Set as ENABLED)

---

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations

OR

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableVirtualization

(Set as ENABLED)

---

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop

OR

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableUIADesktopToggle

(Set DISABLED)

---

* There you go... you can do all of what you state, & more, easily enough, but instead by using NATIVE TOOLS already present in Windows itself in, gpedit.msc or regedit.exe!

APK

P.S.=> To even FURTHER enhance that, albeit @ the application level? You can use taskmgr.exe, & set UAC Virtualization ENABLED on ANY RUNNING APP too: Further sealing it off from infecting/infesting other running apps or the entire OS by every users' profile, by simply right clicking on running apps & changing their UAC virtualization level (this prevents ENTIRE OS & all users profiles from infestation, isolating it to 1 single user only (ala a test profile used to test possibly virus ridden programs, OR, to isolate problem programs like webbrowsers in the past & Adobe's JAVA products or javascript using tools (since those latter 2 are the PREVAILING largest infectors out there now, in JAVA &/or ADOBE apps))... apk

Yes, tyranny is better. (0)

Anonymous Coward | about 2 years ago | (#39689105)

"Whatever critics may say about China, which is significantly more selective about the freedoms it allowss, complaints about crime aren't one of them"

Typical Google. (2)

DaneM (810927) | about 2 years ago | (#39689919)

Google's always been awful about not checking its ads for malware, so I see this as no big surprise. In my experience, the text links at the top of my Gmail page have been about 95% scam and malware sites, akin to the stuff I find in my spam box. (I've since installed a browser extension to disable such ads.) Google has thus shown a previous utter disregard for ensuring the sanitation of their profit centers, so I fully expect this new "app store" (no, I don't care that it's called "Google Play;" I'll call a spade a spade, thank you very much) will be much the same until Google gets sued or some such. (In other news, I seem to recall them being sued in Australia or the EU for their fraudulent ads.)

First 4ost (-1)

Anonymous Coward | about 2 years ago | (#39690037)

Xthat sorded,

freeeeeedom (1)

Garybaldy (1233166) | about 2 years ago | (#39690091)

H'm the freedom to do whatever I want within the law. With the risk of something possibly going wrong.
Or
Being ruled with an iron fist. With little chance of anything going wrong. But no guarantee.

(Mostly) Pointless Finger Pointing (1)

c1t1z3nk41n3 (1112059) | about 2 years ago | (#39691099)

I'm not sure why this has quickly devolved into a discussion over whether Android or Apple is less safe in regards to the apps available for it. A far more useful discussion would be how can we as end users protect ourselves from these practices. I like to think I'm a cut above the average person (not necessarily the average slashdotter) by being somewhat selective about the apps I install, paying attention to the permissions they request, and running an iptables based firewall to whitelist the apps that I allow network access to. Even with that though I can't claim to be immune to downloading an app that has some malware on the backend. I've resisted the idea of antivirus/antimalware programs so far as I find that my phone's resources are quite limited enough as is. I'm not all that concerned about premium SMS either as I run a prepay sim with no extra funds on it. Can anyone point out any other obvious practices I may be missing?
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...