Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malicious App In Android Market

Posted by kdawson on from the can't-take-it-to-the-bank dept.

dumbnose writes to let us know that a fraudulent app that attempts to steal bank information has made it to the Android app store. From the alert: "NOTICE: Users of mobile devices with Android software may have noticed several applications available for download in the Android Marketplace. If you see any applications provided by the user Droid09, please do not download these applications. Android applications provided by Droid09 are fraudulent. Please remove any applications by Droid09 from your mobile device and contact your mobile provider to evaluate whether any other applications or information stored on your mobile device have been compromised." Multiple marketplaces are possible in the open Android ecosystem. Might we see the emergence of a marketplace distinguished by an iPhone-like app vetting process?

6 of 340 comments (clear)

  1. Check for the signed label! by LostCluster · · Score: 5, Insightful

    This is something that is far more unlikely to happen on the iPhone because of Apple's strict control and testing of all apps. Even the "jailbreak" stores will reject things that aren't as advertised.

    Allow open development, and you've basically got a platform that the bad guys can target. There's already standards for signing code to prove that an app came from who you thought it did.

    1. Re:Check for the signed label! by Darkness404 · · Score: 5, Insightful

      However, there is balance. Look at Ubuntu's repositories, they rarely really "reject" any applications and everything in there is more or less malware free. I can see there being a market for trusted repositories in Android also.

      --
      Taxation is legalized theft, no more, no less.
    2. Re:Check for the signed label! by dotgain · · Score: 5, Insightful

      Um, which people will notice?

  2. Re:No sandboxing? by LostCluster · · Score: 5, Insightful

    Sandboxing is an "always deny" tech that keeps legit applications from working easily. Effective, yes. Going to catch on with the average user, no.

  3. Re:Use an Outbound Firewall by dumbnose · · Score: 5, Insightful

    Sounds like a really easy way for your standard user to administer their phone. My mom would totally get that....no wait....I think I meant the opposite of that. Yeah.

    Seriously, though, how do you communicate this to your standard, non-techie user?

  4. Re:Then the developer is screwed by mjwx · · Score: 5, Insightful

    And then what do you do about the fact that you have given Apple and address they have verified

    Quite easy to give and verify a fake address, especially if it's in a foreign country.

    and paid for a $99 developer account via some means they can tract back to you

    Once again, easy to do with a foreign bank.

    There are plenty of easy ways to prove addresses that can be easily faked, bank statements, utility bills. Plus there is the idea of using someone else's identity entirely.

    Let me put it this way, anyone smart enough to develop a scheme like this is smart enough to defeat Apple's rudimentary address/credit checks.

    That's a lot of exposure for a scam that's likely to be shut down in under a day.

    You seem to have a lot of faith in Apple's ability to detect a hidden scam once it has already penetrated their security (the app store). It's entirely plausible that this kind of phishing go on for weeks or months without anyone noticing, especially seeing as Apple are the only watchman and considering what the average iphone user understands about information security.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.