
Android Malware "Obad" Called Most Sophisticated Yet

samzenpus posted about a year ago | from the protect-ya-neck dept.

Security 117

chicksdaddy writes "A new malicious program that runs on Android mobile devices exploits vulnerabilities in Google's mobile operating system to extend the application's permissions on the infected device, and to block attempts to remove the malicious application, The Security Ledger reports. The malware, dubbed Backdoor.AndroidOS.Obad.a, is described as a 'multi function Trojan.' Like most profit-oriented mobile malware, Obad is primarily an SMS Trojan, which surreptitiously sends short message service (SMS) messages to premium numbers. However, it is capable of downloading additional modules and of spreading via Bluetooth connections. Writing on the Securelist blog, malware researcher Roman Unuchek called the newly discovered Trojan the 'most sophisticated' malicious program yet for Android phones. He cited the Trojan's advanced features, including complex code obfuscation techniques that complicated analysis of the code, and the use of a previously unknown vulnerability in Android that allows Obad to elevate its privileges on infected devices and block removal."


So who lied? (0, Troll)

bogaboga (793279) | about a year ago | (#43931263)

Didn't they tell us that Android, being Linux based is very very safe compared to anything we'd ever seen?

Question is: Were we lied to or those who were talking about this subject just didn't know what they were talking about?

Re:So who lied? (1)

Pseudonym (62607) | about a year ago | (#43931285)

...or perhaps "anything we'd ever seen" was a low bar?

Re:So who lied? (4, Informative)

Anonymous Coward | about a year ago | (#43932553)

Bingo!

The Australian Communications and Media Authority's statistics breakdown shows of about 16,500 infected devices online at any one time, 20 Windows viruses make up more than 16,400 of the active IPs. Rarer Windows viruses, and Mac, iOS, Linux and Android infections all total less than 100 infections.

http://www.acma.gov.au/WEB/STANDARD..PC/pc=PC_600121 [acma.gov.au]

Kaspersky says:

Over a 3-day observation period using Kaspersky Security Network data, Obad.a installation attempts made up no more than 0.15% of all attempts to infect mobile devices with various malware.

http://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan [securelist.com]

So to put this all in perspective, this new super-virus made up less than 0.15% of the attempts to join the 0.1% of infections that aren't Windows viruses.

If you read the Kaspersky analysis of the "super-malware", you'll see why. It ASKS for permission to install and to elevate privileges. If the user says "No", it doesn't happen.

Re:So who lied? (1, Insightful)

BasilBrush (643681) | about a year ago | (#43937197)

What percentage of ACs are Google employees making excuses?

Re:So who lied? (0)

Anonymous Coward | about a year ago | (#43937341)

Is there anything in the posting above that you can refute?

Re:So who lied? (0)

scot4875 (542869) | about a year ago | (#43937719)

Such an insightful and informative response.

--Jeremy

Re:So who lied? (1)

BasilBrush (643681) | about a year ago | (#43938085)

I reserve discussion for people who have the decency to stand by their words, and not hide behind AC posting.

Re:So who lied? (0)

Anonymous Coward | about a year ago | (#43938413)

Lying tosser

Re:So who lied? (0)

Anonymous Coward | about a year ago | (#43931315)

You might find it is the software on top of linux that makes the phone as it is the bit that is shit/pwned in this case.....

Re:So who lied? (0)

Anonymous Coward | about a year ago | (#43931661)

You might find that software to be open source as well. What was all that bluster about OSS being "inherently more secure"?

Re:So who lied? (0)

Anonymous Coward | about a year ago | (#43931839)

You might find that software to be open source as well. What was all that bluster about OSS being "inherently more secure"?

This is more about users and their irresponsible actions than it is about Linux, OSS, or whatever FUD someone wants to spread. I'm sure that if I acted like my iPhone was carefree and bullet proof I would end up as "one of those people" whose phones were a statistic in one of these articles.

Re:So who lied? (2)

grub (11606) | about a year ago | (#43932917)

I act "like my iPhone was carefree and bullet proof" and have since the 3GS days.

No problems here, no crazy SMS bills, etc.

Re:So who lied? (1)

DrSkwid (118965) | about a year ago | (#43933443)

It is. More secure != unbreakable.

Re:So who lied? (2)

BasilBrush (643681) | about a year ago | (#43937221)

And yet the malware numbers clearly show that Android is less secure than iOS.

Re:So who lied? (0)

Anonymous Coward | about a year ago | (#43937381)

Do you have any actual evidence for that assertion?

Re:So who lied? (1)

DrSkwid (118965) | about a year ago | (#43933453)

And use the right language, it should be "less insecure". Anything else promotes the fallacy you fell into.

Re:So who lied? (1)

jimbolauski (882977) | about a year ago | (#43935881)

You might find that software to be open source as well. What was all that bluster about OSS being "inherently more secure"?

The major security flaw that has yet to be patched on any system is the user. When security experts talk about secure systems they are talking about gaining access without the user doing something stupid, like downloading and installing a trojan then giving it elevated permissions.

Re:So who lied? (2)

BasilBrush (643681) | about a year ago | (#43937307)

The major security flaw that has yet to be patched on any system is the user. When security experts talk about secure systems they are talking about gaining access without the user doing something stupid, like downloading and installing a trojan then giving it elevated permissions.

Only ones that are making excuses for ill-thought out security. If the security relies on users to be informed enough to answer questions they won't understand then that's a security design fault.

The iOS system of having a single point for download of apps, and having them vetted in advance is a far better security design.

Re:So who lied? (0)

scot4875 (542869) | about a year ago | (#43937839)

The iOS system of having a single point for download of apps, and having them vetted in advance is a far better security design.

Android has the same fucking thing. Except that the user can make the choice to disable that restriction and install from any source if they'd prefer.

And iOS apps aren't vetted for shit. They're tested to see if they run and if they break any obvious community guidelines. But the numbers clearly show that iOS apps leak more personal data than Android apps. (I'll provide the same quality of citation that you have for all of your claims)

Enjoy living with your restrictions. It doesn't make any difference to me what you do. Just don't piss on our legs and tell us it's raining and expect us to believe you.

--Jeremy

Re:So who lied? (1)

BasilBrush (643681) | about a year ago | (#43938041)

Android has the same fucking thing. Except that the user can make the choice to disable that restriction and install from any source if they'd prefer.

Then it's not the same thing. It's not protecting the system from the security vulnerability the GP mentioned: "the user doing something stupid, like downloading and installing a trojan then giving it elevated permissions."

And iOS apps aren't vetted for shit.

Sure they are. That's why iOS has a tiny fraction of the malware that Android does. But more significantly is that a single point of download means that as soon as any malware is identified, Apple can stop anyone else downloading it. Android has no such safeguard.

I can see the fact that iOS is more secure than Android annoys you. It's the difference between ideology and reality.

Re:So who lied? (0)

Anonymous Coward | about a year ago | (#43931317)

This is slashdot. Google is good. Microsoft is evil. We are all nerds. Logic be damned.

Re:So who lied? (4, Funny)

Anonymous Coward | about a year ago | (#43931393)

Nonono. Google is god (no spelling mistake), Apple is evil and always wrong, Microsoft irrelevant. That's the official policy. Haven't you got the memo?
Having a different opinion to that is forbidden - as per protocol.

Re:So who lied? (1)

Rooked_One (591287) | about a year ago | (#43931931)

The memo had a TPS cover sheet... Easy to throw out...

Re:So who lied? (0)

Anonymous Coward | about a year ago | (#43934815)

You forgot, it's Micro$oft

Re:So who lied? (2)

irenaeous (898337) | about a year ago | (#43931399)

Not lied to ... it used to be safer simply because widely distributed consumer Linux based devices (and hence malware targeted at those devices) didn't exist a few years ago. With the current changes in the market we will now see a flood of Android and Linux based malware.

Re:So who lied? (0)

Anonymous Coward | about a year ago | (#43933367)

Android.Obad Manual removal

To remove this risk manually, please perform the following actions:

1. Open the Google Android Menu.
2. Go to the Settings icon and select Applications.
3. Next, select Manage.
4. Select the application and select Uninstall.

http://www.symantec.com/security_response/writeup.jsp?docid=2013-060411-4146-99&tabid=3 [symantec.com]

Re:So who lied? (3, Insightful)

exomondo (1725132) | about a year ago | (#43931623)

Didn't they tell us that Android, being Linux based is very very safe compared to anything we'd ever seen?

You may have been modded down but I do see a point with your post, everybody (but not the sort of people that frequent sites like this) has been told how secure Linux systems are and since Android is a Linux system I doubt you'd find many non-techs would understand why Android being a Linux system doesn't necessarily make it secure. Any application on any system (not just Android) that can access system resources - like SMS functionality - is going to have the capacity to act maliciously so it really is up to the user to decide whether to allow that sort of access to the application, this is even more difficult if the application has a legitimate purpose in accessing such functionality.

For at least some tech enthusiasts it's fine to say 'just make it open source' and the individual can vet it - but of course the vast majority will not do that - so trusting a generally (yes none is absolutely guaranteed and some are better than others) well-vetted marketplace (Google Play, iOS App Store, Windows Store, Amazon Store?) seems to be the best bet for most people.

Re:So who lied? (-1)

Anonymous Coward | about a year ago | (#43932629)

I doubt you'd find many non-techs would understand why Android being a Linux system doesn't necessarily make it secure.

I've seen you post similar sentiments in many threads before. Just so you can update your knowledge and not keep making the same mistake over and over, please read the link here:

http://it.slashdot.org/comments.pl?sid=3833027&cid=43932553 [slashdot.org]

It explains that Android malware still makes up less than 0.01% of all active threats compared to 99.9% being Windows based. This is despite Android passing Windows in market share last year, and looking likely to pass it in installed base early next year.

So now you can let people know that "Yes", Linux/Android IS more secure.

Re:So who lied? (0)

Anonymous Coward | about a year ago | (#43931627)

What's humorous is that you're going to get modded Troll, Flamebait, Overrated etc. for telling the truth.

Re:So who lied? (1)

GRW (63655) | about a year ago | (#43932591)

One of the things that makes Linux distributions secure is that normally one installs programs from the distributions repository. All of the programs in this repository are verified and compiled by the distribution's maintainers and all packages are signed by the distribution. Android is not like this. The individual developers upload their binaries into Google Play. Google does not compile and verify the programs, they only check them for known malware. This is a weakness in Android. I wish Google had chosen GPL3 as the licence and required all programs in Google Play to conform to that licence. Then maybe there would be no Android malware to speak of, just as there is no significant GNU/Linux malware.

Re:So who lied? (1)

tlhIngan (30335) | about a year ago | (#43932963)

I wish Google had chosen GPL3 as the licence and required all programs in Google Play to conform to that licence. Then maybe there would be no Android malware to speak of, just as there is no significant GNU/Linux malware.

Yeah, but that's because there'll be practically no Android apps at all. Sure you'll get ports of common GNU/Linux apps and utilities, but that's about it.

And nevermind the fact that GPLv2 and GPLv3 are completely incompatible. GPLv2+ and GPLv3 are fine for obvious reasons, though some of that GPLv2+ code may be mixed with GPLv2 code, making the whole work GPLv2...

And we'd still have the same problem because everyone will then install other proprietary app stores to do the same thing, and we'd still be in the same boat.

Re:So who lied? (0)

Anonymous Coward | about a year ago | (#43932829)

On the desktop, Windows has the most trojans and viruses. On phones, Windows has no trojans or viruses.
On the desktop, Linux has the least trojans and viruses. On phones, Linux has the most trojans and viruses.

This is undeniable proof that trojans and viruses appear primarily on the dominant platform and not because one platform is more or less secure.

Re:So who lied? (0)

Anonymous Coward | about a year ago | (#43933867)

Well, to be fair Android is a *really poor* implementation of Linux...more like a retarded ginger headed stepchild of the real thing. For instance there's no root account or even su functionality by default. I've hacked my way thru half a dozen android phones and the lack of true Linux functionality is appalling. I mean I could make a distro that has no privilege separation and allows stuff to be installed with a Vista or Win7 style UAC dialogue, release it into the wild and watch it get absolutely butchered by malware, then declare 'Linux is crap!' To me this is what google has done...release a swiss-cheese version of Linux plus their own equally holey userland and as a result it is being butchered by malware. I mean, if we assert for argument's sake that Android is a distro, which it clearly is, then if we wish to tarnish all other distros with the same brush we have to ask, which other distros are affected by this malware?

Re:So who lied? (1)

StoneyMahoney (1488261) | about a year ago | (#43934329)

What they neglected to say was, because phones are very tightly tied to a paid service, criminals would focus on it as soon as they realised it was worth their time to do so. Few systems have stood up to financially motivated professional crackers for very long. I would go as far as to say that promoting Android on its Linux security aspects has probably been counter-productive with users assuming it's safe to take fewer precautions, if any at all (although I would qualify that by saying anti-virus on smartphones is still a fairly obscure concept for the general public anyway).

Follow the Money? (5, Informative)

EvilDroid (705289) | about a year ago | (#43931275)

This one should be pretty easy, no? Which premium numbers benefited from the text messages?

Re:Follow the Money? (0)

Anonymous Coward | about a year ago | (#43931591)

LOL JOE JOBS

Re:Follow the Money? (1)

currently_awake (1248758) | about a year ago | (#43931945)

You can't punish the premium number guys, they might not have anything to do with this. (They could have 4 or 5 legit numbers in the list) A better way would be to have a pop up screen/window asking permission for anything that costs money. (and have something similar for roaming costs)

Re:Follow the Money? (2)

EvilDroid (705289) | about a year ago | (#43932137)

Why would someone write malware that dumps money into some unrelated stranger's bank account?

Re:Follow the Money? (1)

Anonymous Coward | about a year ago | (#43932205)

By adding a few unrelated accounts alongside the malware author's accounts, he now has plausible deniability to say he was also just a random person targeted.

Re:Follow the Money? (1)

speederaser (473477) | about a year ago | (#43932489)

Why would someone write malware that dumps money into some unrelated stranger's bank account?

Plausible deniability.

Re: Follow the Money? (2, Informative)

Anonymous Coward | about a year ago | (#43932593)

The latest version of cyanogen actually has this feature. Anytime a text is attempted to be sent to a premium number or service the OS itself blocks it then prompts the user and asks if they wish to allow it to be sent. It also gives the option to always allow or just allow once and no matter which you choose it will prompt any time a new number is used in the recipients field. Google should merge that code into aosp

Re: Follow the Money? (3, Insightful)

SuperKendall (25149) | about a year ago | (#43933299)

The latest version of cyanogen actually has this feature. Anytime a text is attempted to be sent to a premium number or service the OS itself blocks

Until the malware removes the block of course... If it can escalate permissions it can probably also take out a lot of system safeguards.

Re: Follow the Money? (1)

scot4875 (542869) | about a year ago | (#43937973)

Until the malware removes the block of course... If it can escalate permissions it can probably also take out a lot of system safeguards.

And can the malware do this, or is this just uninformed conjecture masquerading as "insight" coming from an Apple troll?

--Jeremy

Re:Follow the Money? (1)

Elbart (1233584) | about a year ago | (#43933619)

SMS confirmation was released with 4.2. Too bad next to no user will get that version.

Worst malware is Google Play Store (-1)

Anonymous Coward | about a year ago | (#43931281)

....continually updates itself on my phone which has small amount of internal memory. Occasionally update settings for the apps are lost and despite my asking no updates it goes ahead and updates the lot. Next thing you know I've got a phone that won't run properly. Worst case was on my wife's phone which I had to wipe to get working again. Can't turn off updating on the Google Play store itself and certain Google services. The phone simply doesn't give you the option in some cases and doesn't honour the option in others.

Do no evil my backside.

Re:Worst malware is Google Play Store (-1)

Anonymous Coward | about a year ago | (#43931409)

Get an iPhone.

Re:Worst malware is Google Play Store (2)

radiumsoup (741987) | about a year ago | (#43931475)

or a better Android phone.

Re: Worst malware is Google Play Store (-1)

Anonymous Coward | about a year ago | (#43932683)

Your "better" Android phone has the same bugs and security design flaws as a cheap one. It's about software, stupid. It's irrelevant if you buy a Samsung or an Oppo or an HTC.

A fitting name... (3, Informative)

denzacar (181829) | about a year ago | (#43931343)

Obad is Bosnian (also Croatian and Serbian) for horse-fly. [wikipedia.org]

Re:A fitting name... (0)

Anonymous Coward | about a year ago | (#43931859)

Obad is Bosnian (also Croatian and Serbian) for horse-fly. [wikipedia.org]

Hmmm, I thought it really was "O, bad", which described each users' response when they found out their phone was pwnd.

Re:A fitting name... (1)

ArsonSmith (13997) | about a year ago | (#43932063)

stupid birther, Obad was born in Hawaii.

Vulnerability extends application's permissions? (5, Informative)

dgharmon (2564621) | about a year ago | (#43931403)

"A new malicious program that runs on Android mobile devices exploits vulnerabilities in Google's mobile operating system to extend the application's permissions on the infected device"

Yes, the vulnerability requires prompting the user to explicitly install the app and explicitly raise permissions.

"Do you want to install this application?"

"Activate device administrator?"

Re:Vulnerability extends application's permissions (3, Insightful)

Anonymous Coward | about a year ago | (#43931441)

As if that would be of any defense against the malware.
NO normal user hesitates to click OK. Most won't even understand what the messages mean. Remember : most people are not geeks.

The fault is solely on Android for not properly sandboxing apps. It would also help to be able to selectively set permissions instead of the current all or nothing approach. For example : Yes install, but no, you may NOT access the address book or the SMS API.

Re:Vulnerability extends application's permissions (4, Interesting)

phantomfive (622387) | about a year ago | (#43931835)

It's not about sandboxing, the malware uses a previously undiscovered privilege escalation exploit. It doesn't matter how good the design of your sandbox is, once that kind of exploit is found, the sandboxing is pointless.

I don't think this is going to change because Android programmers are sloppy. To give evidence of this, here is what happened to me today: I opened a few Java files from Android in Eclipse, and looked at the warnings. Within a few minutes I had found 5 different bugs just from reading the warnings in the compiler output. Google programmers have been known to publicly say bugs are no big deal [google.com] . If that attitude has really spread around the company, how capable do you think they will be of writing secure sandbox code?

Re: Vulnerability extends application's permission (0)

Anonymous Coward | about a year ago | (#43932019)

One of the reasons why I despise Google and avoid their stuff at all costs. Except web search as there is no viable alternative.

Re:Vulnerability extends application's permissions (0)

Anonymous Coward | about a year ago | (#43932179)

To give evidence of this, here is what happened to me today: I opened a few Java files from Android in Eclipse, and looked at the warnings. Within a few minutes I had found 5 different bugs just from reading the warnings in the compiler output.

Can you give evidence of this? Not doubting you, just wondering what they were.

Re:Vulnerability extends application's permissions (0)

phantomfive (622387) | about a year ago | (#43932231)

Can you give evidence of this? Not doubting you, just wondering what they were.

I have no doubt they are all over the place; every time I look into Android I see sad things like that. If you tell me that you've been looking and can't find anything, I'll give you some hints, but if you're not even willing to download Android and open it in Eclipse, then what's the point?

Re:Vulnerability extends application's permissions (1)

Anonymous Coward | about a year ago | (#43932567)

I have no doubt they are all over the place; every time I look into Android I see sad things like that. If you tell me that you've been looking and can't find anything, I'll give you some hints, but if you're not even willing to download Android and open it in Eclipse, then what's the point?

oh ok then, well i don't have the android packages or eclipse on this system, i was just wondering what sort of bugs they were and given that you said it happened to you today i figured you would just be able to rattle off at least one.

Re:Vulnerability extends application's permissions (1)

phantomfive (622387) | about a year ago | (#43932997)

i was just wondering what sort of bugs they were and given that you said it happened to you today i figured you would just be able to rattle off at least one.

NPE, unclosed resources

Re:Vulnerability extends application's permissions (0)

Anonymous Coward | about a year ago | (#43933077)

Where?

Re:Vulnerability extends application's permissions (1)

phantomfive (622387) | about a year ago | (#43933107)

Find your own! If you are having trouble, I can help you out, give you hints.

Re:Vulnerability extends application's permissions (0)

Anonymous Coward | about a year ago | (#43933205)

If you're willing to give hints, you might as well be willing to give a few file/line pointers - even without downloading the source and Eclipse, people could look at the claimed Google's incompetence here [googlesource.com] , for example. You could also submit bug reports/patches.

As it is now it sounds like karma-whoring without anything to back your words up.

Re:Vulnerability extends application's permissions (0)

phantomfive (622387) | about a year ago | (#43933293)

I know, but I feel confident enough in my own knowledge that I don't have to prove it to every AC who comes along.

People who care will find them, people who only care enough to read the comment will get only that.

Re:Vulnerability extends application's permissions (1)

ejasons (205408) | about a year ago | (#43939049)

I know, but I feel confident enough in my own knowledge that I don't have to prove it to every AC who comes along.

Yeah, it's almost like this is a discussion forum or something.

Or, you can continue being anti-social...

Re:Vulnerability extends application's permissions (0)

Anonymous Coward | about a year ago | (#43933227)

They're MY bugs! MINE! MY OWN!

I see why these bugs aren't getting fixed when google has to deal with fucktards like you.

Re:Vulnerability extends application's permissions (1)

phantomfive (622387) | about a year ago | (#43933285)

hehe because Google can't afford their own QA? AOSP has caused me so much pain I owe them nothing, especially if they are too lazy to check compiler warnings. Let them rot in their own stew of incompetence.

Re:Vulnerability extends application's permissions (0)

Anonymous Coward | about a year ago | (#43934761)

If anyone was still in the dark, he's lying out of his ass atm.

Re:Vulnerability extends application's permissions (1)

phantomfive (622387) | about a year ago | (#43936237)

It's obvious which people don't try for themselves.

Re:Vulnerability extends application's permissions (4, Informative)

AmiMoJo (196126) | about a year ago | (#43933629)

Okay, firstly side-loading has to be enabled to install anything that isn't on Google Play. So instantly 99.9% of users are not vulnerable. Okay, it can spread through BlueTooth but that requires you have already paired your device with an infected one manually. Most people pair their devices with things like their car and headset, not other random phones.

Then when you do install the app the warning message that appears is very different to the one you see on Google Play and explains that you should not trust unknown sources. It's not like "oh another UAC prompt, click yes to continue", it is a different and more scary warning that most users will never have seen before.

It's basically like Mac or Linux malware. It exists but you have to be incredibly dumb to fall victim to it. There isn't really much more anyone can do to help people who are that stupid.

Re:Vulnerability extends application's permissions (1)

Anonymous Coward | about a year ago | (#43934383)

Okay, firstly side-loading has to be enabled to install anything that isn't on Google Play. So instantly 99.9% of users are not vulnerable.

Uhh, excuse me, Mr. Ignorant, but Google Play isn't available in some markets, such as China. So, you might want to go back and check your 99.9% figure again.

Re:Vulnerability extends application's permissions (0)

Anonymous Coward | about a year ago | (#43935661)

NFC usually does a quick bluetooth pair when transmitting small bits of data like contacts, some text, or even an image. Larger files, NFC will create a simple ad-hoc wifi network. Someone correct me if I'm wrong.

Re:Vulnerability extends application's permissions (1)

oobayly (1056050) | about a year ago | (#43933761)

When showing colleagues how to use their new Android phones I always explain the permissions to them, especially the Contacts, SMS and Calling permissions. The wording I use is "If it's something like Skype, it needs to read your contacts. If it's a football game, it doesn't - don't install it"

On more than one occasion I've been told "how am I supposed to remember that?", to which I reply (I work in a motor-trade related business, so I use an obligatory car analogy) "When you drive into a petrol station, do you just blindly pick the nearest pump and start filling up?"

Most of the people who say "I'm not a geek, I can't do that" aren't stupid, they're lazy, ignorant and simply don't want to learn. I tend to try helping them, but if they show no willingness to take in what I say, I tell them that if they're not going to listen, I see no point in wasting my time.

Re:Vulnerability extends application's permissions (1)

thegarbz (1787294) | about a year ago | (#43934043)

NO normal user hesitates to click OK. Most won't even understand what the messages mean. ...

It would also help to be able to selectively set permissions instead of the current all or nothing approach. For example : Yes install, but no, you may NOT access the address book or the SMS API.

I'm sorry but the solution to a user clicking OK to an indecipherable message is to provide an indecipherable message to the user?

If Microsoft's UAC has taught us anything it is to NOT bombard the user with "Click here to make your system work" messages which only desensitize them to actual warnings.

Re:Vulnerability extends application's permissions (0)

Anonymous Coward | about a year ago | (#43934597)

It would also help to be able to selectively set permissions instead of the current all or nothing approach. For example : Yes install, but no, you may NOT access the address book or the SMS API.

http://forum.xda-developers.com/showthread.php?t=1719408

Read about OpenPDroid and PDroid. Too bad it doesn't come installed by default, you have to patch your Firmware. But it works all right.

Re:Vulnerability extends application's permissions (1)

Anthony Turner (2906247) | about a year ago | (#43931817)

Yeah basically this. When a user installs an app, they are told what permissions the app is asking for. You agree to it upon clicking ok. When creating these apps, it is as simple as putting a few lines of XML in the manifest for Resource to access here

Re:Vulnerability extends application's permissions (1)

Anthony Turner (2906247) | about a year ago | (#43931833)

it is as simple as putting a few lines of XML in the manifest for user-permissions to Resources
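
Added example, not part of any comment in this thread: a small audit of a decoded AndroidManifest.xml that flags the declarations behind the prompts discussed above (SMS sending, the "Activate device administrator?" request, Bluetooth control). Both manifests are constructed samples, not taken from Obad, and the finding codes are names chosen for this sketch.

```python
import xml.etree.ElementTree as ET

# Attribute names in a manifest live in the Android XML namespace.
A = "{http://schemas.android.com/apk/res/android}"

SEND_SMS = "android.permission.SEND_SMS"
BT = "android.permission.BLUETOOTH"
BT_ADMIN = "android.permission.BLUETOOTH_ADMIN"
BIND_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

# Constructed sample: a "flashlight" app asking for far more than it needs.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight">
        <receiver android:name=".AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample: nothing that costs money or resists removal.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""


def parse_manifest(xml_text):
    """Extract the package name, requested permissions and device-admin receivers."""
    root = ET.fromstring(xml_text.strip())
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    perms.discard(None)
    admin_receivers = []
    for rcv in root.iter("receiver"):
        actions = {a.get(A + "name") for a in rcv.iter("action")}
        # A device-admin component is a receiver guarded by BIND_DEVICE_ADMIN
        # that listens for the DEVICE_ADMIN_ENABLED broadcast.
        if rcv.get(A + "permission") == BIND_ADMIN and ADMIN_ACTION in actions:
            admin_receivers.append(rcv.get(A + "name"))
    return {"package": root.get("package"),
            "permissions": perms,
            "admin_receivers": admin_receivers}


def audit(xml_text):
    """Return (code, explanation) pairs for declarations worth a second look."""
    m = parse_manifest(xml_text)
    perms, admins = m["permissions"], m["admin_receivers"]
    findings = []
    if SEND_SMS in perms:
        findings.append(("SMS_SEND", "can send SMS, including to premium numbers"))
    if admins:
        findings.append(("DEVICE_ADMIN",
                         "will request device administrator via %s; an active "
                         "admin must be deactivated before uninstall"
                         % ", ".join(admins)))
    if {BT, BT_ADMIN} <= perms:
        findings.append(("BLUETOOTH_CONTROL", "can toggle and scan Bluetooth"))
    if SEND_SMS in perms and admins:
        findings.append(("HIGH_RISK_COMBO",
                         "paid-service access combined with removal resistance"))
    return findings


def finding_codes(xml_text):
    """Just the codes, in the order the checks run."""
    return [code for code, _ in audit(xml_text)]


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        info = parse_manifest(text)
        print(label, info["package"])
        for code, why in audit(text) or [("OK", "no flagged declarations")]:
            print("  %-18s %s" % (code, why))
```

The input is the text form of the manifest, as produced by an APK decoding tool; the binary XML inside an APK has to be decoded first.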

sweet! (0)

Anonymous Coward | about a year ago | (#43931429)

Glad I still use my Crackberry! No worries here.

Re:sweet! (0)

Anonymous Coward | about a year ago | (#43932511)

No apps either...

"Smart" phones... (0)

fustakrakich (1673220) | about a year ago | (#43931457)

Not so smart, are they? And out of our control. I can safely say, we made Android what it is today, another bloated mess, so we can play Angry Birds during our daily death march, I mean, commute..

Another Example of Apple's Crumbling Empire? (5, Funny)

TranquilVoid (2444228) | about a year ago | (#43931511)

Most sophisticated? Take that iOS!

Just require authentication to install anything (1)

gelfling (6534) | about a year ago | (#43931855)

Really, is it that complex?

Re:Just require authentication to install anything (1)

exomondo (1725132) | about a year ago | (#43932225)

And what authenticates it?

Re:Just require authentication to install anything (2)

smash (1351) | about a year ago | (#43933213)

As per my other post, an end user, prompted for authorisation to install something they downloaded (even if it is malicious) is going to click "yes" or enter their password. Without a development background, the source code, possibly a debugger and a few days up their sleeve, the choice to install or not is entirely uninformed.

It is blind luck as to whether or not the app they have downloaded is trojaned or not, unless it has been vetted upstream in some manner.

Re:Just require authentication to install anything (1)

gelfling (6534) | about a year ago | (#43934407)

I was thinking more along the lines of don't allow the installation of anything unless the user punches in some always varying PIN code that's sent along a different channel. It's not a wonderful fix but the simple act of forcing someone to wait and then do a few manual things might address part of the issue. After all it's not precisely that people are blindly allowing things on their phones, it's the privileges on their account that allow them to do that. At work in the Linux world if your company is good at their job, they place hard limits on what you can willy nilly install on your own laptop because Linux, unlike Windows, gives them the ability to do that. Maybe what Android needs is a well deployed su- or sudo feature?

Most Sophisticated Yet? (2)

slater86 (1154729) | about a year ago | (#43931995)

The method of obtaining install permissions and privilege escalation doesn't look particularly "unknown".
It seems as though the app just asks for it and waits for the user to say yes.

Did I miss something or does this look like every other non-event Android malware except with a new crypto scheme?
http://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan

The Doom Of Android (1, Troll)

SuperKendall (25149) | about a year ago | (#43933315)

It seems as though the app just asks for it and waits for the user to say yes.

Did I miss something or does this look like every other non-event Android malware

The frightening thing is that you actually believe this to be a non-event.

You sit in your high tower built atop the bones of those unfortunate enough not to understand if they should say yes or not. But hey the system lets you change wall paper really easily, so fuck the 100 million people or whatever that must perish so you can have full flexibility.

This kind of attitude is what will really kill Android, the thought that people who are too "stupid" to know when to say yes deserve what they get. Why will people stick around on a platform that continuously punishes them - by design?

Re:The Doom Of Android (2)

slater86 (1154729) | about a year ago | (#43933613)

I'm calling non-event because every time the media reports these "Emerging Critical Threats" like the sky is falling, a month down the track nothing happens.
Maybe, at most 1000 people in china infect their device by manually enabling side-loading for pirated apps and the rest of the world gets on with life.

I'm suggesting it's not sophisticated or unknown because it just asks for permission through the intended API, i.e. Not A Bug. I didn't mention anything about how the user perceives the question, that's completely out of scope. If I come to your house and ask to steal all of your stuff and you say "Yes" because you didn't understand the question, that still doesn't make it a sophisticated robbery, that's just a normal robbery. We'll call it a user misunderstanding, shall we then?

Re:The Doom Of Android (1)

oobayly (1056050) | about a year ago | (#43933813)

As I've said previously, most people who this will happen to are lazy, and for some inexplicable reason, proud that they don't know anything about "computers". I'm not defending the GP, it's a shit attitude for those people to have, and it's a shit attitude to say "they deserved it".

However, in my office I explain permissions (with examples) to people with new Android phones. Some make a show of saying they'll never remember that. I use a car analogy (which I've already posted [slashdot.org] - not a karma whore) which goes along the lines of "When you fill your car up, do you blindly pick the nearest pump, or do you make sure you're not putting petrol into your diesel car?"

Most people aren't stupid (no matter how much we may joke about it), but many are ignorant and make a conscious decision not to learn about the tools that they use day in - day out.

Re:The Doom Of Android (0)

Anonymous Coward | about a year ago | (#43938251)

is what will really kill Android

LOL at your fanboi optimism.

2 decades of Windows being pwned and Google learns (1, Troll)

gcerullo (1573093) | about a year ago | (#43932061)

...nothing!

What Happened?

Was it the fact that Android was built on Linux so they became complacent with the OS’s security policies?

Was it that they were so focused on taking the opposite approach to Apple’s curated store and seeming over-arching control that they went too far the other way?

Where did Google go so wrong? Have they gone wrong?

What will it take for them to finally do something about it because, up until now, they've barely paid lip service to the problem with their platform.

No one can say that iOS doesn’t have this problem because of a "security through obscurity" excuse as used for Mac OS when compared to Windows. iOS as a platform is just as large as Android when you count iPads and iPod touches along with iPhones.

Will Google finally break down and lock down their OS so that only curated apps can be installed? Can they after all this time?

Will they correct their broken permissions system that puts application permissions in the hands of the app developer rather than in the hands of the user where it belongs?

Re:2 decades of Windows being pwned and Google lea (0)

Fnord666 (889225) | about a year ago | (#43932701)

What will it take for them to finally do something about it because, up until now, they've barely paid lip service to the problem with their platform.

It will take them being held financially responsible for the damage caused by their lackadaisical attitude toward the issue.

Re:2 decades of Windows being pwned and Google lea (4, Insightful)

smash (1351) | about a year ago | (#43933189)

2 decades of Windows being pwned and Google learns... nothing

So, so much this.

Relying on the end user to magically be aware that stuff they are signing is not trojaned, reputable, etc. is not going to work. As demonstrated by Microsoft for the last 30 years, and as demonstrated in the unix world since the 70s.

I've been saying for some time that Android is the Windows of the mobile world. Not because of the code-base or even quality of the code-base, but due to the design decision to push security back on the end user. 99.999% of us are not security experts.

Virus scanners are a waste of resources (cpu/storage and thus, battery).

Vet executables at the source. If the user wants to run their own code, provide a code signing mechanism (this can be done on iOS with a dev account; sure, there is a cost argument, but the technical benefit is huge. If it was free and there was sufficient verification of an individual's identity to prevent issuing multiple certs to the same person, the money issue could go away. At the moment the cost is there to make obtaining thousands (say) of code-signing certs impractical for a malware author). If Apple included a code-signing cert for the end user to "bless" their own (or downloaded) code with for use on their own devices, would people's bitching about not "owning" their iOS device change?

This is the single biggest reason I am an iOS user. I've been around long enough to know not to trust myself or any of my users to vet apps themselves (no one has the time or skillset or tools to do it anyway). I have no faith in the security of a device which can run any code from anywhere being in the hands of an end user (including myself) who is not capable of verifying whether or not code is malicious.

No it is not a 100% solution and there is every chance that malware slips through, however once it has been reported to the distribution point, its cert can be revoked to stop it spreading any further.

Yes, exploits can be created if the signing mechanism is secure, but that is an implementation issue, not a core design issue, and can be fixed.

Re:2 decades of Windows being pwned and Google lea (0)

Anonymous Coward | about a year ago | (#43934473)

So based on this rationale, do you only talk to people on the street who are "pre-screened"?

Life involves risk.

Really (0)

Anonymous Coward | about a year ago | (#43935879)

That's your best rebuttal?
he made an informed and honest post
and your response is ...that.

Re:2 decades of Windows being pwned and Google lea (1)

scot4875 (542869) | about a year ago | (#43938387)

This is the single biggest reason I am an iOS user.

Oh, good for you. And many of the rest of us have either weighed the benefits/potential drawbacks and seen that there is effectively no difference between the two approaches, except that Android's approach gives the user far more control; OR, in the case of the vast majority of people, have given it no thought, and went with whatever device they thought looked prettiest and ended up with an iPhone or an Android phone.

If you enjoy your walled garden -- fine. Hang out in there and talk about how beautiful it is. There might be a few more weeds out here in the rest of the world, but they aren't common and aren't particularly dangerous. I'm sorry that you've convinced yourself that they are and that it has made you too fearful to try something different, instead rationalizing your restrictive choices.

--Jeremy

Spread via bluetooth? (1)

Anonymous Coward | about a year ago | (#43932147)

However, it is capable of downloading additional modules and of spreading via Bluetooth connections.

If that's what it looks like, it's the first I've heard of that doesn't need user interference to spread. That's a Big Deal, unlike anything in most of these stories.

Phone companies that withhold updates are to blame! (0)

Anonymous Coward | about a year ago | (#43933109)

Phone companies that withhold updates are to blame!

Often the holes have been patched but since they want to sell you a new phone and/or get you under a new contract, they refuse to update the software on older phones.

This is exactly like them pretending they can't track stolen phones and disable them. It's already done in other countries.

so... (0)

smash (1351) | about a year ago | (#43933125)

... where's the iOS version? Oh wait...

I was prompted .. so I came xD (1, Interesting)

OhANameWhatName (2688401) | about a year ago | (#43934047)

Where does Google sit in the Android heap? They don't sell the phones, they don't take responsibility for the impact of the Malware? Oh yeah! That's right, they just develop the software then 'give it away' to the world .. warts and all.

It sickens me a great deal to see the Googles, Facebooks & Microsofts of the world just sit back in their soft leather sided armchairs watching other people discover the security flaws in their software. Microsoft has done it for years with the third party 'Virus Scanner' software providers. Now Google has picked up on the trend .. they can write the software which mines whatever information is useful to their behaviour analysis software without taking any responsibility for the damage they do.

This is what I call an unsustainable business practice. People have to wake up to the understanding that they're being abused. But far, far more importantly .. corporations need to understand that there is no competition, just compromise.

Yet it still lists all the obvious permissions (1)

AC-x (735297) | about a year ago | (#43934483)

I don't get it, if the malware has the ability to "exploit vulnerabilities in Google’s mobile operating system to extend the application’s permissions on the infected device" then why does it need to ask for a bunch of obviously suspicious permissions [wp.com] ?

Seems like whatever vulnerability they've discovered must be relatively minor or they wouldn't need to ask for any additional permissions.
