Slashdot Mirror


Malicious App In Android Market

dumbnose writes to let us know that a fraudulent app that attempts to steal bank information has made it to the Android app store. From the alert: "NOTICE: Users of mobile devices with Android software may have noticed several applications available for download in the Android Marketplace. If you see any applications provided by the user Droid09, please do not download these applications. Android applications provided by Droid09 are fraudulent. Please remove any applications by Droid09 from your mobile device and contact your mobile provider to evaluate whether any other applications or information stored on your mobile device have been compromised." Multiple marketplaces are possible in the open Android ecosystem. Might we see the emergence of a marketplace distinguished by an iPhone-like app vetting process?

12 of 340 comments

  1. Check for the signed label! by LostCluster · Score: 5, Insightful

    This is something that is far more unlikely to happen on the iPhone because of Apple's strict control and testing of all apps. Even the "jailbreak" stores will reject things that aren't as advertised.

    Allow open development, and you've basically got a platform that the bad guys can target. There are already standards for signing code to prove that an app came from who you thought it did.

    1. Re:Check for the signed label! by Darkness404 · Score: 5, Insightful

      However, there is balance. Look at Ubuntu's repositories: they rarely really "reject" any applications, and everything in there is more or less malware free. I can see there being a market for trusted repositories in Android also.

      --
      Taxation is legalized theft, no more, no less.
    2. Re:Check for the signed label! by dotgain · Score: 5, Insightful

      Um, which people will notice?

  2. Re:No sandboxing? by LostCluster · Score: 5, Insightful

    Sandboxing is an "always deny" tech that keeps legit applications from working easily. Effective, yes. Going to catch on with the average user, no.

  3. Re:Use an Outbound Firewall by dumbnose · Score: 5, Insightful

    Sounds like a really easy way for your standard user to administer their phone. My mom would totally get that....no wait....I think I meant the opposite of that. Yeah.

    Seriously, though, how do you communicate this to your standard, non-techie user?

  4. Re:An iPhone-like process? by LostCluster · Score: 4, Insightful

    iPhone's vetting process has a "AT&T doesn't like it, so Apple will deny" clause that the jailbreak stores don't. Apple then claims that jailbroken apps could be trojans that will overload AT&T's network.

    Google seems to be taking a "we'll do what we want and carriers can't stop us" attitude. Good luck with that.

  5. Re:Use an Outbound Firewall by slifox · Score: 4, Insightful

    This app is just another vector in the long history of internet phishing attacks.

    The problem isn't technical, but rather a lack of user training.

    The internet is not a safe place. If you want to use it openly, you better not be gullible and hand out your info to anyone who asks.

    One solution would be to set up the phone for your non-techie friend, and whitelist all the apps that they'll need that should have internet access. Yes, this means they'll have limited use of new apps, but if they can't figure out when not to give out their bank details, they aren't sufficiently trained to safely use the internet.

  6. Re:If you want to be free by ducomputergeek · Score: 4, Insightful

    Tragedy of the Commons comes to mind here. People around here like to bitch about Apple's policies with their app store, but I understood the reasoning behind it from the beginning. The average consumer doesn't know better. A cute app that is malicious can spread to millions of users before someone wises up. And it only takes one or two to make people fearful of the platform.

    It will be fun to see if the carriers take advantage of this and try to get control over the handsets back in their court as opposed to that of Google. If it happens a couple more times, I can see the Verizon App store popping up and a Verizon UI required on all Android phones that only allows users to use their store. And I'm sure a lot of the apps will require extra "monthly" fees.

    --
    "The problem with socialism is eventually you run out of other people's money" - Thatcher.
  7. Re:An iPhone-like process? by A1rmanCha1rman · Score: 4, Insightful

    An iPhone-like vetting process would be "we'll reject it if we don't like the look of it". How about "Linux-distro style vetting process"?

    The iPhone vetting process is closer to Slifox's "err on the side of caution" method on his outbound firewall, with the default being set to DROP (deny the app), followed by a specific whitelist (approved apps subject to continuous monitoring for "good behaviour").

    Quite a number of approved apps in the iPhone App Store have been caught out doing naughty things like accessing and sending "home" users' Contacts - email addresses, phone numbers and home/work addresses - where they really had no business requiring such information for their function (battery charge display apps, games etc) and have promptly been expelled from the app store - quite rightly in my opinion.

    The price of true freedom is eternal vigilance, not laissez-faire do-what-you-please laxity...

    --
    I get up, I get down...
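    The default-DROP outbound firewall with a per-app whitelist that slifox (comment 5) and A1rmanCha1rman (comment 7) describe, as an added example that is not code from the thread. It assumes a rooted Android (or any Linux) device with iptables, where every app runs under its own numeric UID; the UIDs 10042 and 10077 below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: a default-deny outbound firewall
# with a per-app whitelist, as slifox and A1rmanCha1rman describe.
# Assumptions: a rooted Android (or any Linux) box with iptables; each app
# runs under its own numeric UID, looked up on Android with
#   dumpsys package <package> | grep userId
# System helpers such as the DNS resolver may also need their UID listed.

outbound_whitelist_rules() {
    # Reject anything that is not a plain numeric UID, so a typo cannot
    # silently produce a rule that never matches (leaving the app blocked)
    # or that matches a different app than intended.
    for uid in "$@"; do
        case "$uid" in
            ''|*[!0-9]*) echo "outbound_whitelist_rules: bad uid '$uid'" >&2; return 1 ;;
        esac
    done
    # Start from a clean OUTPUT chain, and keep loopback and replies to
    # already-accepted connections working for every app.
    cat <<'EOF'
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # One ACCEPT per whitelisted app UID: only these may open connections.
    for uid in "$@"; do
        echo "iptables -A OUTPUT -m owner --uid-owner $uid -j ACCEPT"
    done
    # Log what is about to be dropped, so the phone's owner can see which
    # app tried to phone home, then make DROP the default for everything else.
    cat <<'EOF'
iptables -A OUTPUT -j LOG --log-prefix "OUT-DENY: "
iptables -P OUTPUT DROP
EOF
}

# Print the rules for two constructed app UIDs; pipe into `sh` as root to apply.
outbound_whitelist_rules 10042 10077
```

The DROP policy is set last so that the loopback and ESTABLISHED rules are in place before anything is denied; a new app's first blocked attempt shows up in the kernel log with the OUT-DENY prefix.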
  8. My vetting process is simple... by JSBiff · Score: 4, Insightful

    Why on Earth would you download a 'bank' app from anyone other than *YOUR BANK*? I'm only gonna do online banking from the website or apps provided to me directly from my bank. I'm not gonna download anything from the Android market, from some random user, and do banking with it. Who thinks that it's a good idea to do 'banking' with an app by a random developer? I mean, *maybe*, maybe if it was someone large and established, like IBM, Google, Microsoft, or Apple, I *might* consider using third party software, but certainly not anyone I've never heard of before.

  9. Re:Then the developer is screwed by mjwx · Score: 5, Insightful

    > And then what do you do about the fact that you have given Apple an address they have verified

    Quite easy to give and verify a fake address, especially if it's in a foreign country.

    > and paid for a $99 developer account via some means they can trace back to you

    Once again, easy to do with a foreign bank.

    There are plenty of easy ways to prove addresses that can be easily faked: bank statements, utility bills. Plus there is the idea of using someone else's identity entirely.

    Let me put it this way, anyone smart enough to develop a scheme like this is smart enough to defeat Apple's rudimentary address/credit checks.

    > That's a lot of exposure for a scam that's likely to be shut down in under a day.

    You seem to have a lot of faith in Apple's ability to detect a hidden scam once it has already penetrated their security (the app store). It's entirely plausible that this kind of phishing goes on for weeks or months without anyone noticing, especially seeing as Apple are the only watchman and considering what the average iPhone user understands about information security.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  10. Re:HERE'S HOW ANYONE CAN BEAT ANY Vetting !! by GameboyRMH · Score: 4, Insightful

    That could work quite well, if the testers can't see the source. You could put a timebomb in an app that activates its malicious payload. This would also work better because it could allow the app to become popular and spread before it turns nasty. A datamining app that collects everything into an encrypted file (just very simple encryption in a file with a large initial size would be enough to keep people from "grepping" the contents or getting suspicious...say it's a cache file or something) and sends it off on a specific date and time could do a lot of damage.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel