Google Pulls 21 Malware Apps From Android Market

Hugh Pickens writes writes "CNN reports that Google has pulled 21 free apps from the Android Market that, according to the company, are aimed at gaining root access to the user's device, gathering a wide range of available data, and downloading more code without the user's knowledge. Unfortunately although Google has moved swiftly to remove the apps, they have already been downloaded by at least 50,000 Android users. The apps are all pirated versions of popular games and utilities which once downloaded, root the user's device using a method like rageagainstthecage, then use an Android executable file (APK) to nab user and device data, such as your mobile provider and user ID, and finally act as a wide-open backdoor for your device to quietly download more malicious code. 'If you've downloaded one of these apps, it might be best to take your device to your carrier and exchange it for a new one, since you can't be sure that your device and user information is truly secure,' writes Jolie O'Dell. 'Considering how much we do on our phones — shopping and mobile banking included — it's better to take precautions.'"

Exchange

[Andy+Smith]

"it might be best to take your device to your carrier and exchange it for a new one"

Yeah good luck with that.

Re:Exchange

Hmm... spend 1/2 an hour on phone with carrier just to be told to f* myself, or... download Lookout. No brainer.

Re:Exchange

[goombah99]

This advice reminds me of what became a solution rooted dells. TOss it and buy a new one. If you earn $100 and hour then yooooou cost your company about 2x in overhead. By the time you spend an hour diagnosing and 2 or 3 hours restoring your OS from scratch then you might as well have bought a more modern computer with the OS already installed.

So apparently people now have to throw their cell phones out every time they lose confidence in them. Will we have to run Virus software on all android phones? Lovely.

Re:Exchange

[Joce640k]

Who earns $100 an hour...?

Re:Exchange

[slim]

You may not earn £100 for yourself, but your employer might bill your time with customers at £100/hour.

Re:Exchange

[Quiet_Desperation]

Um, someone making $208K a year?

Re:Exchange

[a_nonamiss]

Few people "earn" $100 and hour, but I doubt you'll find a consultant (at least in my area, which is Central Ohio, not Silicon Valley) that will work for less than $100 an hour. The company I work for charges $175 an hour, and that's slightly above average for good work in my area. (We have a couple areas of specialty, such as SQL DBA work and VoIP expertise. We don't tend to do general PC support work, except on a few specific contracts where the customer requires it.) The real range is from about $100/hr (The cheapest I've seen. The particular company was run by college students, and frankly not very good if you need anything more than an anti-virus install or a new power supply.) to $275/hr. (Overpriced, highly specialized, but damn good work, from my observations.)

At $175 an hour, I've advised many clients to toss perfectly functional hardware, assuming they don't have specialized installations. It feels wrong to me on many levels, but I would feel morally terrible advising a customer to spend $500 to maybe save a P4 1.8GHz machine with 512MB of RAM. Also, I've spent much longer than 3 hours ridding computers of malware, so $500 is only the start of the equation.

Re:Exchange

[tehcyder]

You may not earn £100 for yourself, but your employer might bill your time with customers at £100/hour.

If you're being charged out at £100/hour you are probably earning about a third of that, going by the professional rule of thumb of one third salary one third overheads and one third profit.. £33/hour is about £60K/year, which sounds more likely than £200K.

Yes, I know everyone here on slashdot is a superstar programmer earning $10m + a year just in stock options, just think of us little guys as you're snorting cocaine off hookers' tits on one of your yachts.

Re:Exchange

[hairyfeet]

Question: Why is it taking 3+ hours to do a simple wipe and reinstall? You just wipe the machine, put in a pre built OS install CD/DVD with all the patches already done, put in the key on first boot, install the apps from the local server or via flash drive, done. Maybe an hour and a half tops.

Using a combination of WSUS Offline (which you can tell to include MS Office updates along with MS Essentials AV) and Ninite I can whip off a dozen boxes or more a day easy and spend less time per box than I do trying to figure where I sat my Coke down. Just a little preparation goes a long way friend.

As for TFA, welcome to the game Android users! Anything that becomes popular WILL become a target for malware as long as they can use social engineering, because it is just so damned easy to do as in TFA. I mean 50k infections and they didn't even have to write the app, just attach their malware to an existing app and upload? How easy can you get!

So welcome to the game Android users, where you have to watch out and worry about malware just like us Windows users. The donuts are over in the back, right next to the Apple users who are currently sulking after finding out shiny plastic and aluminum doesn't stop bugs. Look on the bright side, it just means you're popular now! Hell the Linux guys would kill to be that popular on the desktop! So enjoy the coffee it's fresh, meetings are on Tuesdays and Thursdays.

Re:Exchange

[fidget42]

Yes, I know everyone here on slashdot is a superstar programmer earning $10m + a year just in stock options, just think of us little guys as you're snorting cocaine off hookers' tits on one of your yachts.

The sad part of that statement is that a programmer who earns $10M (I assumed you didn't mean milli) a year still has to get a hooker in order to meet women.

Re:Exchange

[macs4all]

Question: Why is it taking 3+ hours to do a simple wipe and reinstall? You just wipe the machine, put in a pre built OS install CD/DVD with all the patches already done, put in the key on first boot, install the apps from the local server or via flash drive, done. Maybe an hour and a half tops.

Using a combination of WSUS Offline (which you can tell to include MS Office updates along with MS Essentials AV) and Ninite I can whip off a dozen boxes or more a day easy and spend less time per box than I do trying to figure where I sat my Coke down. Just a little preparation goes a long way friend.

As for TFA, welcome to the game Android users! Anything that becomes popular WILL become a target for malware as long as they can use social engineering, because it is just so damned easy to do as in TFA. I mean 50k infections and they didn't even have to write the app, just attach their malware to an existing app and upload? How easy can you get!

So welcome to the game Android users, where you have to watch out and worry about malware just like us Windows users. The donuts are over in the back, right next to the Apple users who are currently sulking after finding out shiny plastic and aluminum doesn't stop bugs. Look on the bright side, it just means you're popular now! Hell the Linux guys would kill to be that popular on the desktop! So enjoy the coffee it's fresh, meetings are on Tuesdays and Thursdays.

Um, you leave us Apple users out of this. This was ANDROID. A-N-D-R-O-I-D, not APPLE, A-P-P-L-E.

Oh, and note that, just like that OTHER malware-infested platform (Windows), the ONLY way forward seems to be either to throw perfectly good hardware away (think of the planet!); OR to "Wipe and Reload" (It so SIMPLE! It's Easy! It's FUN!).

And, just like with Windows, the Androids will be out in force, blaming the USERS for taking advantage of the ONLY "advantage" to Android: The ability to download any dodgy app you want.

But notice, the apps weren't on some dark, dank dark alley of the internet; they were on GOOGLE's OWN APP STORE! The MOTHERSHIP.

No, this is more like we'll be seeing Google announcing their new "Curated" App Store in 3... 2... 1...

Re:Exchange

[angelbar]

Presidents (officially)...

Re:Exchange

Who the hell in the IT industry is making two-hundred eight-thousand dollars a year?

Re:Exchange

[Buelldozer]

I would hope that most denizens of /. are aware of the specific imaging technologies and techniques that your mentioned.

The reason many MSPs are not using them is because of the cost of setup. It's easy to do a setup like that when the clients has 200 machines and they're all the same model. It's a bit tougher when the client has 15 machines and they all different makes and models.

Now distribute that problem across 30 clients and suddenly the automata becomes much more difficult to maintain.

Couple that with the fact that you have to get the client to PAY for doing the setup, which may never be used, and suddenly the automata becomes far less attractive.

So yes, 3 hours for a wipe and re-install is fairly normal for shops who are working primarily in the SMB space.

Re:Exchange

I already do run virus software on my Android phone. It's no big deal. It scans every app after you install it, only takes a few seconds. Also, people could learn how to install Custom ROMs on their own phones, or use a Monster File to flash back to factory condition.

Re:Exchange

[erroneus]

Hookers don't get alimony and almost never get child support. It's not a "need" but more of a business decision.

Re:Exchange

[erroneus]

The carriers, in most cases, actually do things to make this more difficult for even the most tech savvy of users, so forget about typical end users. But with that said, it would only make sense for there to be a simple kit made available by the carriers to "wipe and reflash" phones using images of their own making. Even in that case, it would be risky for typical end users to execute and would undoubtedly result in between 25% and 50% botched operations flooding customer support channels both over the phone and in local retail stores. (Not something carriers want to do)

Re:Exchange

[Archangel+Michael]

Programmers acting like Charlie Sheen?? I don't think so.

Re:Exchange

[Bassman59]

Yes, I know everyone here on slashdot is a superstar programmer earning $10m + a year just in stock options, just think of us little guys as you're snorting cocaine off hookers' tits on one of your yachts.

The sad part of that statement is that a programmer who earns $10M (I assumed you didn't mean milli) a year still has to get a hooker in order to meet women.

Witness for the prosecution: Charlie Sheen, rich guy who uses hookers. Prosecution rests.

BTW: in financial parlance, M indicates thousand, since it's an abbreviation of the Latin mille, which means "thousand." So the superstar programmer earning $10,000/yr? Yep!

Re:Exchange

[Duradin]

I call it the McCartney Equation. Take the cost of the relationship and divide by the number of days in that relationship. That is how much you could have spent on hookers per day and still broke even. (I think it worked out so that Sir Paul could have spent $5000 a day on hookers.)

If you went with a hooker every other day you could halve your expenses or get a higher quality hooker.

Re:Exchange

[Zantetsuken]

Actually, I think this is maybe the 2nd article I've seen where Google found something on the market to be malware - the other one being a proof of concept somebody put on there months back to see how many people would download it.

The majority of the articles you see mention "On 3rd party Market sites" - in other words, its the same old "warez" situation with Windows or any other OS. Cheap college kid or cheap person in general wants newly released app or game that normally costs $x.xx or $xx.xx amount of money, such as Photoshop - but because they don't want to pay for it, they pirate it from wherever they can even if it's obviously a "questionable" site, not thinking about the malware packaged in with it.

Re:Exchange

...or get a higher quality hooker.

I don't know... Whether you fly first class or coach you get to your destination at the same time.

Re:Exchange

[Chookah]

God I wish I was a programmer.... or Charlie Sheen..

Re:Exchange

[hairyfeet]

What are you talking about? I'm not talking about making a PC specific image (which works fine in corporate, but as you pointed out fails in a mixed environment) I'm talking about using a bog standard Windows CD/DVD and simply having all the patches already integrated since updating is what sucks down the time.

Just use something like Ryan VM to make you a new disc image every three months or so, and update your WSUS Offline monthly. Tada! I have a completely PC agnostic solution that seriously cuts down the time and makes it easy peasy.

So as someone who actually works in SMB/SOHO/Home users I again say "ur doin it wrong" if it is taking anywhere like three hours. Hell the longest part will be installing any custom software they have which you would have to do anyway if they replaced the box so you are saving them $0 by having them toss. All it takes is a little thought my friend. I have my WSUS Offline update monthly, I integrate patches every three in my disc images. Takes maybe an hour of it running in the background while I'm doing other things so it isn't a hardship.

If you fail to plan you plan to fail my friend, and with a little planning ahead of time it doesn't matter what kind of machine they have it is as simple as stick in CD>>>tell it to install>>go work on something else for 25-35 minutes>>insert key and activate on first boot while sticking in WSUS Offline DVD>>go back to working on something else while Windows updates (usually around 20 minutes if your images are close to current)>>go to Ninite to install common apps and then install specific company apps. Tada! About an hour and a half tops.

Re:Exchange

[treeves]

"BTW: in financial parlance, M indicates thousand..."

And as I learned in some engineering design course, the abbreviation for a $million is $MM, which makes sense, as it is a thousand thousands.

Re:Exchange

[geniusj]

I don't think I'd care if they did announce a curated market as long as it wasn't the only way to obtain apps.

Re:Exchange

[tftp]

Take the cost of the relationship and divide by the number of days in that relationship.

There are other advantages of hookers. For example:

• "Pay as you go" rate that you agree to before the fact
• Excellent availability
• Infinite variety
• No infidelity issues
• No claims on your property
• No relatives
• No chores to do, no unwanted concerts to go to
• No children
• A hooker will never give you rat poison to get rid of you.

Some say that a hooker is more likely to give you an STD, but that only depends on what kind of a wife they compare a hooker to.

Re:Exchange

[Buelldozer]

Your condescending attitude is really grating, you should drop it.

Please tell me, how does your "PC Agnostic" installation disk handle the driver problem?

Once you're over that hurdle how do you handle installing all the line of business applications and their updates?

Everyone is up to speed on WSUS offline, we have it, we use it. It's the other stuff that takes the time. The stuff that ISN'T handled by WSUS Offline and pre-patched windows installation disks.

Re:Exchange

[hairyfeet]

What is condescending about showing the answer of "shitcan everything" isn't always the best answer? not only is it EXTREMELY wasteful and bad for the environment but in the end it still takes the same time since it the company specific apps, not the OS, that uses the most time?

And EXACTLY what "driver problem" are you speaking of? The one that can be easily solved by a simple driver pack on a USB drive that costs you maybe $20 (which you can bill the client for) and just like WSUS Offline takes only a few minutes every three months to update? How is that a problem?

Unless you have some seriously funky one off drivers like C&C controllers in which case the machine isn't gonna be just tossed anyway there IS no driver problem. A good 90%+ of the devices in Windows can run just fine with the default drivers included , and if you want the latest and greatest or run into that 10% the driverpack on a USB stick has that covered and is a hell of a lot faster than any CD at being read to boot.

And installing the business apps? I got news for you you are gonna have to do that anyway since Dell isn't gonna magically have all the software they use ANYWAY. So you are saving ZERO time by bringing in the new box.

Look don't get mad at me because I show filling the landfills with working hardware isn't a good solution either from the environment or from a cost perspective. All it takes is a tiny bit of thinking ahead just a little bit, that can be ran in the background while you're being paid to do something else, that makes ALL the difference and makes Windows installs incredibly simple.

But as I said if you fail to plan then you plan to fail, and I'd argue if installing a brand new box, possibly having to clean the bloatware, and installing all of their apps, takes you less time than a simple format and reinstall then something is wrong with your automation and you really should be looking into it. But hey, if it makes you happy to cost your customers more money on unneeded hardware while tossing working machines in the dump? Hey that is your business. I'm just pointing out from both a time and business standpoint it isn't needed 95% of the time.

Re:Exchange

[Quiet_Desperation]

OK, the question was "who is making $100 an hour". Period. :-P

Re:Exchange

[mjwx]

Hookers don't get alimony and almost never get child support. It's not a "need" but more of a business decision.

When you get to 10 M p/a, you dont get hookers.

You get girlfriends that are easy to dispose of. The full on GFE (Girl Friend Experience). Then again, you can get that on 60K USD, depending on where you live.

Re:Exchange

[4phun]

"it might be best to take your device to your carrier and exchange it for a new one"

Yeah good luck with that.

There may be far more returns than expected. The story has doubled in size as Google has now killed over fifty apps from their market place according to one mobile security firm. That firm has a detailed breakdown off how the malware works. One user just reported Google killed an app he downloaded a month ago, so this has been going on for awhile.

Re:Exchange

[dupeisdead]

i myself am well versed with wsus/autopatcher/RIS/nlite/driverpack programs... but for me, one of the biggest issues is all the OTHER software that needs to be reinstalled. True, a lot of pcs have standard windows/office/ninite stuff, but there are piles of "one off" programs that need to be reinstalled. Most of those apps unfortunately cannot be done via msi/GP stuff. This also brings us to another issue - reconfiguring on a domain. A standalone PC or a huge corporate where all the machines are the same are easy. It's the smaller companies (under 100 or 50 pcs surely) which all are different. Getting the PC to new install state is easy, but reproducing the same effect is annoying.

Re:Exchange

[hairyfeet]

Oh I agree completely about the one off software and configuring the domain but as I was trying to point out to the guy that said "always shitcan and get a new one" is that you are gonna have to do that anyway because Dell isn't gonna have the specific apps and the domain setup for company X OOTB.

So as you can see simply tossing working hardware that still does its job well make no sense whatsoever since the things that are gonna suck time will have to be done either way, new or wiped and reinstalled. And as I pointed out with just a few simple free tools all the hassles of a wipe and reinstall just disappear and you are left with what you would have to do with a new box...that is installation and configuration of the company specific software and domain settings.

I just don't think the other guy liked being pointed out as wasteful simply because he didn't want to fix the PC. It is just shameful that so many would toss working hardware simply to keep from having to do the work.

Re:Exchange

You pay a hooker to leave, not to stay

What is up with Android malware?

I keep reading stories about Android malware. Why does Android attract more malware than any other phone platform?

I'm curious. It doesn't have the largest marketshare, so that argument is moot.

Re:What is up with Android malware?

[commodore6502]

Maybe for the same reason Windows does?

It's easy to root.

Re:What is up with Android malware?

[clang_jangle]

It's a relatively open platform, which makes it easier to dupe users into installing trojans. The thing that troubles me is that google doesn't vet the apps before they're published, leaving a lot of users vulnerable. There's surely a better middle ground between "walled garden" and "wide open wild west".

Re:What is up with Android malware?

It has the largest smart phone market share... it is posed to be the next Windows. Luckily the source code is open so people can find and root out these issues rather than being swept under the rug by some corporation where profit trumps any other concern.

Re:What is up with Android malware?

[AHuxley]

Can we try the reverse of the Apple/Windows malware for the OS X desktop market share idea?
Android users are wealthy, creative, smart, well connected ect. and its 'worth' the code effort?
Or is it "Windows" easy to make a "wide-open backdoor"?
If this can be done in the wild, what can your gov do or contract to have done to your phone?

Re:What is up with Android malware?

[Stenchwarrior]

Good question. I'm not sure how it works, but perhaps Android's developer registration makes it easy to anonymously create and publish the apps, whereas Apple's store is more picky about who and what is developed/distributed? Also, maybe the "open source" platform is easier to wire malicious code into.

Re:What is up with Android malware?

[grapeape]

Its mostly open and unlike linux which has even with the best distro has an at least slight learning curve an android phone is pretty much just pick up and go. With the availability of Android phones on carriers from prepay and even free with contract and no vetting system for apps its a very easy and logical target for those wanting to do harm.

Re:What is up with Android malware?

[slim]

Can we try the reverse of the Apple/Windows malware for the OS X desktop market share idea?

No need to reverse it - Android has more market share than iOS, and it's growing.

There are more Blackberries than either at the moment, though. I guess Blackberries are more tighly locked down, and their users typically don't install frivolous apps, since they are usually work assets.

Re:What is up with Android malware?

[Joce640k]

How exactly are they supposed to vet apps? Decompile them and analyse the code?

Re:What is up with Android malware?

[Neil+Boekend]

Simply: IOS is locked in. It has it's disadvantages, but also it's advantages. Presumably all software submitted is tested. It would be more difficult to get a virus through that.
The disadvantages are discussed here enough.

Re:What is up with Android malware?

[tepples]

How exactly are they supposed to vet apps? Decompile them and analyse the code?

That appears to be what Apple does, rejecting any app that calls an undocumented function name.

Re:What is up with Android malware?

[P.+Legba]

That argument never made any sense anyway. If it did, Apache would receive the greater attention from the mal-intentioned than IIS, by far.

The whole "there aren't viruses on the Mac because nobody cares about that platform" argument goes right along with it.

Re:What is up with Android malware?

For a reference on market share: http://reviews.cnet.com/8301-19736_7-20030974-251.html

Re:What is up with Android malware?

I think they would implement a method like "virus total" and install it on a new virtual android image and monitor it to see what changes it makes to the system. Simply display the changes it did and let the users or moderators decide.

Re:What is up with Android malware?

[alen]

easy for users to give permission and no one asks themselves why a wallpaper app needs root access. on iOS the phone is locked down and users can't give this access in the first place

Re:What is up with Android malware?

http://en.wikipedia.org/wiki/Android_%28operating_system%29
"Android's mobile operating system is based upon a modified version of the Linux kernel. "

Re:What is up with Android malware?

[gurner]

Can we try the reverse of the Apple/Windows malware for the OS X desktop market share idea?

O/t, but something I've never got my head round with that argument... Mac OS9 had plenty more exploits than OSX has and yet the user base was significantly smaller.

Re:What is up with Android malware?

[mevets]

I see where you are going, and its dangerous territory.

Try to follow along:
1. Windows is the most secure OS ever.
2. Because it has a 90+% of the market, it attracts 100% of malware.
3. If even 1% of those malware writers targeted {other os} the world would be awash in {other os} viruses.
4. It is a good thing Windows is there to attract all this malfeasance.

So, we clear? Now, don't bother with any more pesky thinking and there won't be any problems.

Re:What is up with Android malware?

[netsharc]

How about just having a proper security system...

BlackBerries ask you for each privileged task the app wants, whether you want to always allow that task, always deny, or prompt when the app needs it...

Re:What is up with Android malware?

[maxume]

It only takes a little bit of nuance. Or do you think that malware creators completely ignore market share when deciding what platforms to target?

Of course it isn't a complete explanation of anything, but it muddies up any comparison based on active exploits.

(Windows Vista/7 has done a pretty good job of demonstrating how not great things are on XP, and Windows Vista/7 users have done a great job of demonstrating that users are still a problem)

Re:What is up with Android malware?

[DrXym]

Oh I bet they do "vet" apps, in the sense that they undoubtedly run some kind of virus scanner / pattern matcher over them. They also have reporting tools for users who think apps are malicious.

It won't catch everything of course. Neither would Apple either assuming someone anticipated how the process usually works and took steps to avoid it. e.g. it should be relatively trivial with cloud based apps to produce something that looks innocent and benign to an inspector looking at the client assembly code but which is capable of executing a remote payload when the author decides to flip a switch (e.g. when 500,000 users have installed the app).

Re:What is up with Android malware?

[DadLeopard]

How do the regular Linux repositories Vet what is in them? I thought from the very beginning that Google was making a mistake in not going the Repository route with their Apps for Android! You might as well be downloading Windows programs off of unknown websites on the net as far as I can tell!

Re:What is up with Android malware?

[h4rr4r]

The the trojan would just act nice for that test. It could use the vm hardware to figure this out or just a simple calendar check. This problem is impossible to solve without source code reviews, and even then it is very hard.

Re:What is up with Android malware?

[h4rr4r]

Too bad that testing does not work. They have had malware get into the market. This is not a simple problem to solve, you have unknown code with unknown inputs, how do you know what it does?

And remember that code may act nice in a simulator or on known test devices, or until it is downloaded by 100k users.

Re:What is up with Android malware?

And nobody's been complaining about that process!

Re:What is up with Android malware?

[h4rr4r]

They have the source, they also take user reports and test stuff, even then bad software can get through. This is just a fact of life. Even in a 100% signed corporate pay for world just one employee at MegaSoftware can add malicious code to their applications. If he is sneaky enough it will get published.

Re:What is up with Android malware?

[StikyPad]

And how does that protect against a trojan, exactly? Depending on the app, there may be nothing at all suspicious about its request for elevated privileges.

Re:What is up with Android malware?

[Mr_Silver]

It's a relatively open platform, which makes it easier to dupe users into installing trojans. The thing that troubles me is that google doesn't vet the apps before they're published, leaving a lot of users vulnerable. There's surely a better middle ground between "walled garden" and "wide open wild west".

The other issue is that the way the application presents the security access it needs is, for the average user, completely confusing. You install an app and it gives you a list of 7 things it needs to do including things like "read phone state" and "access internet".

For overly simple apps it may be possible for something like "access contacts data" to be picked up as nefarious by the end user - but in the vast majority of cases there is a long list of permissions and the users are given no real help in understanding what it all means. As such, they blindly accept what is presented to them because they don't understand what the phone is trying to tell them.

(Hell, if I were to decline to install any apps where I didn't fully understand the access it was asking for I don't think I'd have anything installed on my device)

In short, whilst you cannot stop stupidity, there are some pretty major flaws in the user experience which isn't exactly helping people.

Re:What is up with Android malware?

IOS is sooooo locked in that going to a webpage roots it (aka, unlocks it).

Re:What is up with Android malware?

Android roughly does this. When you install an application, it shows all the privileged actions it is allowed to do if installed.

Re:What is up with Android malware?

[natehoy]

It depends on the nature of the application. Facebook, for example, wanted access to my Blackberry address book. Not just "Deny", but "Hell, DENY!". It also wanted access to my Internet connection, which I approved. Internet is about all Facebook has access to on my phone (and it only has access to the facebook.com domain, so it can't crossscript anything on me).

Google Maps got Internet, but also wanted access to the phone, the internal network, the Bluetooth, the ... (actually, it wanted EVERYTHING, which was really creepy). It got Internet (to the Google domain only) and GPS. That's it. When I go to get directions to a contact, I have to type their address into Google Maps. I can live with that. If I find a phone number on Google Maps, I can't click on the phone number to call the business I've found, I have to rekey the number into the dialer or cut-and-paste it. I can live with that.

If someone faked an application that would realistically have asked for access to, say, my contacts list, then it's possible they could gain a copy of my contacts list, because I would have given it permission. But when I look for applications that want access to important bits of data on my BB, I vet them out pretty carefully. As in, I currently have no third party applications I feel should have access to my address book.

Games? Not so much, but any game that starts requesting access to make a phone call on my Blackberry, or asks for theme data injection, or whatever, is gonna get a big fat NO followed by an immediate uninstall and a zero-star review with WARNING POSSIBLE MALWARE - AVOID as the text of my review. And, of course, I don't install ANY applications EVER that I expect to be accessing my contacts list, so that default is "Prompt" (so I get a warning if something wants access to it).

Is a trojan impossible? Absolutely not! But at least I have some level of granular control and reporting that tells me when an app is trying to access something I find suspicious.

I also (mostly) use Blackberry App World to install my applications, so there's some chance they've been vetted. But I like that extra layer of protection that granular access permissions give me.

Re:What is up with Android malware?

[bonch]

Others will say that it's because it's an "open" platform, but that's another way of saying there's less quality control. Android isn't actually that open--it's at the whim of the carriers, who even have their own third-party stores and unremovable junkware, just like on your average OEM PC. It's the Windows model that served us so well (cough) all those years.

Re:What is up with Android malware?

Like what?

There's been cases of apps using location services for advertising, but no malware to this scale on iOS.

Re:What is up with Android malware?

[CastrTroy]

This just goes to prove that most users aren't sophisticated enough to do computing outside of a "walled garden". Sorry to say, but that's just the way it is. Sure many of us geeks on slashdot can handle it, but most users generally cannot. Which is why the general public love their video game consoles, iPhones, iPads, and other walled garden computing devices. Because it lets them use computers without having to think, and without having to worry about what applications might do hard to their computer.

Re:What is up with Android malware?

[georgesdev]

- apps do not get as much scrutinized as on iphone - google is desperate to have as many apps as iphone - android is more open, apps can get more access to the device's data combine all this, and you get a recipe for success, or a recipe for disaster ...

Re:What is up with Android malware?

[babblefrog]

Android does that already, essentially. This particular malware exploited OS bugs that have been known about forever, bypassing the security system. They are already fixed in the latest version of Android. The problem is that Motorola, HTC, Samsung, AT&T, T-Mobile, Verizon, etc aren't letting you have the latest version of Android, because up until now they have had no incentive to push out new versions to handsets. If it were Microsoft leaving known vulnerabilities unpatched, they would rightly be raked over the coals, and these companies should be too!

Re:What is up with Android malware?

[MobileTatsu-NJG]

If it did, Apache would receive the greater attention from the mal-intentioned than IIS, by far.

That argument assumes all attacks have the same intention. Notice Firefox has been getting more attention in recent months.

Re:What is up with Android malware?

How exactly are they supposed to vet apps? Decompile them and analyse the code?

Yes!

Re:What is up with Android malware?

[Bassman59]

This just goes to prove that most users aren't sophisticated enough to do computing outside of a "walled garden". Sorry to say, but that's just the way it is. Sure many of us geeks on slashdot can handle it, but most users generally cannot. Which is why the general public love their video game consoles, iPhones, iPads, and other walled garden computing devices. Because it lets them use computers without having to think, and without having to worry about what applications might do hard to their computer.

You're making a huge mistake in calling video game consoles and iOS devices and smartphones, "computers." THEY ARE NOT. These things are content-consumption appliances, not general-purpose personal computers.

These things may have processors and memory and displays and Internet connections, but then again, so do some high-end refrigerators.

If you want a general-purpose computer, buy one. If you want a cheap, portable, battery-powered device to surf the web and play games, don't buy a general-purpose computer.

It's really that simple.

Re:What is up with Android malware?

[DerekLyons]

This just goes to prove that most users aren't sophisticated enough to do computing outside of a "walled garden". Sorry to say, but that's just the way it is. Sure many of us geeks on slashdot can handle it, but most users generally cannot

It has nothing to do with sophistication. Geeks regard computers as toys and hobbies, the general public regards them as tools. (And geeks mistakenly think that makes them 'better' than the general public.) You see the same thing with cars, gearheads regard them as toys, while the general public regards them as tools - and like most tools they expect them to 'just work'.
 

Which is why the general public love their video game consoles, iPhones, iPads, and other walled garden computing devices. Because it lets them use computers without having to think, and without having to worry about what applications might do hard to their computer.

No, they love them because they fulfill a need, or a want, or bolster their fashion conscious ego. (And again we see a repeat of the fallacy mentioned above.)

And isn't the Google app store *supposed* to be a "walled garden"? Isn't is *supposed* to be a trusted source? That's what everyone was insisting just a few days back.

Re:What is up with Android malware?

I agree. The disappointing thing is that Android Market isn't part of that "walled garden", especially given that most Android phones are by default configured to only permit downloads from the market rather than other spurious sources.

What's needed is a balance: Divide the Market into an vetted and approved area, and a quarantine area. By default only allow users to download from the approved area, unless they choose to turn that protection off.

Re:What is up with Android malware?

Android notifies you of the privileges an app wants when you install it, giving you the option to abort the installation if you don't like what it's asking for. Granted a lot of users (self included) will just click right past that screen.

Re:What is up with Android malware?

[CastrTroy]

The problem is, is that until a few years ago there was no "content consumption device" that wasn't a gaming systems. The only way to browse the internet, and do a little light computing work (type up a letter, etc.) was to buy a full fledged general purpose computer. So while most people didn't want general purpose computers, it was the only device they could buy that would (poorly) enable them to do what they want to do. Now that these items are available, it's not any wonder why they are being adopted so fast. It's what people have been waiting for all along.

Re:What is up with Android malware?

Really? If they were analyzing the code, how did tethering get through with a flashlight app? I'm sure there's quite a number of function calls and whatnot that aren't associated with Set_Brightness() and Display_White_Background()

You also think the respective company would tell anyone that they pulled apps from their store? Hah, good luck with that.

Re:What is up with Android malware?

THIS. I liked the security domain and signing model that Java ME dumbphones have (carrier, manufacture, trusted 3rd party, untrusted third party)... the one shot 'ask the clueless user' for wide open security permissions in Android is awful. I'm suprised the mobile carriers and phone OEM's haven't pushed Google hard enough to get Android to change especially when malware and poorly written 3rd party apps in general are hitting the bottom line through device exchanges.

Re:What is up with Android malware?

http://www.readwriteweb.com/archives/android_market_share_numbers_questioned.php

Symbian and and Android top the leaderboards, both of which have some viruses (not many).

Then again, APL users think that a security vulnerability is a feature rather then a threat (PDF jailbreak, as these applications are doing precisely the same thing except adding more stuff to the download) so that significantly skews the charts.

Re:What is up with Android malware?

The biggest reason you hear about it so much is because it has the largest smartphone marketshare and is an open platform. While that may not lead to more malware, what it does lead to is more antivirus companies trying to scare the crap out of you.

Almost every single one of those stories before today has been along the lines of "Chinese people downloading unscreened pirated apps from non-official marketplaces are getting trojans".

Re:What is up with Android malware?

[zombiechan]

You're making a huge mistake in calling video game consoles and iOS devices and smartphones, "computers." THEY ARE NOT. These things are content-consumption appliances, not general-purpose personal computers.

Definition of COMPUTER
: one that computes; specifically : a programmable usually electronic device that can store, retrieve, and process data

http://www.merriam-webster.com/dictionary/computer

Re:What is up with Android malware?

[geniusj]

What's funny is on Android people would be questioning in the comments why a flashlight app needs network permissions

Re:What is up with Android malware?

[mjwx]

I keep reading stories about Android malware. Why does Android attract more malware than any other phone platform?

Answer, it doesn't.

Per infection and per % of infected to uninfected users there is more IOS malware then Android malware.

It just gets more press because certain people need android to fail.

I'm curious. It doesn't have the largest marketshare, so that argument is moot.

The fastest selling mobile platform would not garner attention from malware writers?

Re:What is up with Android malware?

[mjwx]

This just goes to prove that most users aren't sophisticated enough to do computing outside of a "walled garden"

How so,

Considering that most IOS malware is inside the walled garden.

Gateway based security is no security at all, you can have the worlds most expensive, efficient packet mulching firewall defeated by a USB key some attacker left lying about in the bathroom. We've know the "walled garden" is an utter security failure long before Apple tried it.

Re:What is up with Android malware?

[netsharc]

and the part about allowing the user to approve or deny EACH requested privileged action...?

Yeah, very rough indeed. You sound like a marketer, "oh yeah, our product does that too, except that it doesn't".

Re:What is up with Android malware?

[netsharc]

I know it shows you, but it doesn't allow you to approve/deny each individual privilege separately... so the BlackBerry is superior in that regard.

Re:What is up with Android malware?

[PipsqueakOnAP133]

The reason isn't what you said. Here's the reason.

On an non-jailbroken iOS device:
1) it's extremely hard to root the phone by installing an app. (I haven't seen a recent way except for the freetype exploit used for the jailbreakme.com PDF)
2) Apple vets the application before it reaches the app store, mostly by some sort of function blacklist which includes all functions built into the device that you're not supposed to call. (this also explains why tethering apps go through, it's not like a static analyzer will know it's a tethering app hidden inside a flashlight)
3) The sandbox kills attempts to call system functions that arn't allowed by either nicely rejecting your call or killing your app's process space. MMU cleans up the rest.
4) Given the sandbox and above requirements, the only personal information you can steal without the user's knowledge is the user's addressbook. You can't force a call, a force a text, or force the phone to give you the location without user intervention. So sure, you can write malware, but it's easier for the user to find out something's fishy, except for the addressbook.
5) Oh, and it's likely that if you set the flags to allow backgrounding, Apple's review process will be curious why your app's requesting background time.

So yes, it's possible to make iOS malware, but the extent of maliciousness is limited to the addressbook unless you want to be obvious... and this is assuming you make it through the app store review process.

On the other hand, it seems an APK can root your Android phone, despite the sandbox.

Between rooting the phone versus getting an addressbook, which one do you find more useful as a malware hacker?

Re:What is up with Android malware?

Android does that already, essentially. This particular malware exploited OS bugs that have been known about forever, bypassing the security system. They are already fixed in the latest version of Android. The problem is that Motorola, HTC, Samsung, AT&T, T-Mobile, Verizon, etc aren't letting you have the latest version of Android, because up until now they have had no incentive to push out new versions to handsets. If it were Microsoft leaving known vulnerabilities unpatched, they would rightly be raked over the coals, and these companies should be too!

Rageagainstthecage isn't an exploited OS "bug". It's actually pretty damned handy, dude...

Re:What is up with Android malware?

I had a BB for years and that was the one thing I loved about the security. The individual options to disable each permission. Why can't Google/Android give you the same options when you install an app... seems simple to me. I think we all know at least one user that does nothing but download lame apps, anything that is free... we reap what we sow...

Attention:

"Please use only the official Google applications for harvesting your personal information."

Summary is wrong.

[teh31337one]

The apps are all pirated versions of popular games and utilities which once downloaded, root the user's device using a method like rageagainstthecage, then use an Android executable file (APK) to nab user and device data

Not all of them are pirated versions of popular games, and most of them don't try to root your phone.

Re:Summary is wrong.

[Idbar]

I have a game from their market called "slice-it". From time to time it tries to get root permissions for who knows what reason.

Re:Summary is wrong.

[gsslay]

...for who knows what reason.

Well now you know.

Re:Summary is wrong.

[teh31337one]

It's never tried to get root permission on my phone. And superuser / taintdroid haven't showed anything either.

Re:Summary is wrong.

[Ray]

It's trying to install its partner, "dice-it".

What about a full list?

[jesseck]

The first link has a partial list (17) of the apps which were pulled- here is a full list of apps from publisher Myournet (from this site: * Falling Down * Super Guitar Solo * Super History Eraser * Photo Editor * Super Ringtone Maker * Super Sex Positions * Hot Sexy Videos * Chess * _Falldown * Hilton Sex Sound * Screaming Sexy Japanese Girls * Falling Ball Dodge * Scientific Calculator * Dice Roller * * Advanced Currency Converter * App Uninstaller * _PewPew * Funny Paint * Spider Man *

Re:What about a full list?

The partial list is probably for the same reason your list is incomplete. 4 of the titles have UTF characters in them (Japanese or Chinese?).

Since the target is English speakers then I guess it's deemed unlikely they would have an app that they could even read the name of.

Why doesn't Slashdot allow UTF characters anyway? What is this, the 80's?

Re:What about a full list?

[somersault]

FFS. I only have 2 market apps on my phone. One of them is Chess.. don't think I've actually run it yet, but this makes me want to not even try..

Re:What about a full list?

[ninjacheeseburger]

Obviously most people wouldn't be surprised that half those apps are dodgy, the real scary ones are the Scientific Calculator, Advanced Currency Converter as these sound like legitimate apps and you wouldn't think twice about installing them.

Re:What about a full list?

[teh31337one]

Is it still available in the android market? If so, it wasn't the app you installed, but another app that was malicious

Re:What about a full list?

[EvilBudMan]

Yeah, I almost downloaded that Scientific Calculator but I was too busy playing Angry Birds.

Re:What about a full list?

[SoupIsGood+Food]

There's more than one free app called Chess. If you've got the one by Aart Bik, I think you're OK - his site and his blog all indicate he's an on-the-square android dev working for Google.

Re:What about a full list?

[tehcyder]

The first link has a partial list (17) of the apps which were pulled- here is a full list of apps from publisher Myournet (from this site: * Falling Down * Super Guitar Solo * Super History Eraser * Photo Editor * Super Ringtone Maker * Super Sex Positions * Hot Sexy Videos * Chess * _Falldown * Hilton Sex Sound * Screaming Sexy Japanese Girls * Falling Ball Dodge * Scientific Calculator * Dice Roller * * Advanced Currency Converter * App Uninstaller * _PewPew * Funny Paint * Spider Man *

Neat, I've got all those!

Re:What about a full list?

How long were these games up on the Market? I also have Chess, but it's one I downloaded some time ago.

Re:What about a full list?

How long were these games up on the Market? I also have Chess, but it's one I downloaded some time ago.

IIRC, PewPew was showing up as one of the "hot" front page apps on the Market just a few days ago.

Re:What about a full list?

[RCGodward]

Not PewPew, it was SOMETHINGGARBLED_PewPew.

Re:What about a full list?

[owlstead]

OTOH, a scientific calculator that requires access to *anything* is rather suspect.

Re:What about a full list?

[alt236_ftw]

Here is a list of Myournet's apps and their package names (to avoid false positives). These are all his apps, not only the ones pulled.
Source: http://www.androlib.com/r.aspx?r=Myournet - although this will be purged quite fast I suspect.

: com.spider.man
: com.droiddream.fallingball
_Falldown : com.fall.soft.down
_PewPew: com.droiddream.pewpew
APP Uninstaller: com.app.aun
Advanced Currency Converter: power.power.rate
Chess: com.free.chess
Dice Roller: com.dice.power.advanced
Falling Ball Dodge: com.dodge.game.fallingball
Falling Down: com.fall.down
Funny Paint: proscio.app.nick.ypaint
Hilton Sex Sound: com.sexsound.hilton
Hot Sexy Videos: hot.goddchen.sexyvideos
Photo Editor: com.editor.photoenhance
Scientific Calculator : com.advanced.scientific.calculator
Screaming Sexy Japanese Girls: com.sex.japaneese.girls
Spider Man: powerstudio.spiderman
Super Guitar Solo: com.power.SuperSolo
Super History Eraser: Super.mobi.eraser
Super Ringtone Maker: com.super.mp3ringtone
Super Sex Positions: com.droiddream.lovePositions

For some reason, Chinese characters are not displayed in the post, but hey....

Re:What about a full list?

Android apps usually package binaries within the ZIP apk file. So open the apps you have and look for a rageagainstthecage.bin file inside.

Re:What about a full list?

Whew I installed Screaming Ugly Japanese Girls

Checking Security First

Even as an open market, Google should be checking the security of the apps before they're allowed to be on the market.

Can't Be Sure Your Device Is Secure?

"If you've downloaded one of these apps, it might be best to take your device to your carrier and exchange it for a new one, since you can't be sure that your device and user information is truly secure. "

You can't be sure that it will not rain this weekend. You can mostly certainly be sure that if you wipe the bootloader and OS on your device that it will be good to go. Why not put that in the article rather than creating FUD that once an Android Device is compromised you have to get a whole new phone. It's like saying you should get a whole new computer because you had a keylogger installed.

This article was not written for the tech savvy. But all that needed to be changed would be "If you've downloaded one of these apps, it might be best to take your device to your carrier and have it's OS wiped and restored, since you can't be sure that your device and user information is truly secure. "

Re:Can't Be Sure Your Device Is Secure?

Yeah, but if they convince you you need to buy a new phone, the manufacturers & carriers & google win. Who gives a shit about the real product^H^H^Hconsumer?

iPhone suddenly looks wise

[Clsid]

I think I'll stick with my iPhone, four versions already and I haven't had to deal with crap like that. Call Apple the mother of all evils if you want but they at least work their ass off so you don't have to.

Re:iPhone suddenly looks wise

[teh31337one]

Because there are no vulnerabilities on iPhone? What about http://apple.slashdot.org/story/10/08/02/126253/Browser-based-Jailbreak-For-IPhone-4-Released

Re:iPhone suddenly looks wise

[chrisgeleven]

There is an implied trust when downloading an app from the official app store that that the app is safe for use. Users are far more likely to download something from the official app store compared to going to some random web site and allowing it to install stuff on your phone.

Comparing that to going to a web site that can jailbreak you phone is not the same situation.

Re:iPhone suddenly looks wise

[teh31337one]

Just because that one website displayed a prompt, and let you know what it was doing, doesn't mean others will. Stuff can get by Apple's review system too. http://www.engadget.com/2010/07/20/handy-light-for-iphones-dirty-little-secret-tethering-video/4

Re:iPhone suddenly looks wise

That's a jailbreak, not a vulnerability. Try hacking into a non-jailbroken iPhone with a virus. It won't happen. Having the App store, in my opinion, is a trade-off: you accept only app store apps, and you (99.99% of the time - just to cover my butt) won't get a virus. Jailbreak your phone, and you can get a virus. Not that there are that many out there, even for a jailbroken iPhone. If you jailbreak it, then you need to watch your back and be careful what you download. That's fine if you don't mind the risk. Personally, I've not seen any apps out there that require jailbreaking that were worth it. I'd rather not worry about getting phone viruses, personally. Just my opinion.

As far as Android is concerned, it's a cool concept, and if it were implemented properly, it would be fantastic. Unfortunately, almost every model of phone that uses it, uses a different build of it, and so app developers have to test against 50-100 different versions of it. I think for technical users, this is okay, because we know how to fix stuff if it's not working right. For the typical mouse monkey out there who keeps looking for the "any" key and has to have their "drink holder" repaired regularly . . . well, maybe the walled garden approach is best for them.

Re:iPhone suddenly looks wise

[netsharc]

That's a jailbreak, not a vulnerability.

LOL. You visit a site using your browser, it downloads code that when run, gets root access. Luckily the jailbreakers are nice people and they prompt you before downloading that code, and after they get the root, they give it to you. What if the code downloaded itself silently, got root, and downloaded and installed malware instead?

The whole thing uses a vulnerability in the PDF rendering system by the way, which luckily (for the jailbreakers) uses a kernel function that ran as root. Yeah...

Re:iPhone suddenly looks wise

[_Sprocket_]

Bully for you. I'll stick with my Android device. I knew this was a risk when I bought one and the relative freedom is well worth it.

So should we give this horse corpse another few kicks or do you think we've gone about as far as we can go with it?

Re:iPhone suddenly looks wise

[bonch]

You don't understand. Android is based on Linux, and it's from Google--two of Slashdot's biggest loves. That automatically means it's the greatest thing ever and that no criticism is valid, and anyone who chooses an iPhone is brainwashed, dumb, trendy, and so on.

Never mind that Android isn't open due to carrier control, its unit sales are only because it's on multiple phones and carriers and gets slapped onto every crappy low-tier smartphone out there (complete with unremovable junkware), and the user interface can't even do an animated scroll without the Java garbage collector kicking in and making it choppy.

Anyone who thinks Android is some great victory should consider that Google, an advertising company, barely makes any money from it. The idea was to get phone users onto Google services so that their data could be indexed for context-sensitive ads. That's one reason that free apps are encouraged--free apps that just so happen to use Google ads. However, Android has not been a money-maker, while Apple is making ridiculous amounts of money from iOS devices. Not to mention the fact that Android phones and software are often clones of what Apple is doing, from the overall look of the phones (go look at what Android phones were originally supposed to look like before the iPhone came out) to the interfaces of the apps themselves. Apple is the winner here.

Re:iPhone suddenly looks wise

[bonch]

So, one vulnerability compared to 21 more malware apps from Android that Google had to remove? I'll take the one vulnerability.

Re:iPhone suddenly looks wise

[bonch]

What freedom do you think you have because you bought a phone with less quality control? Because that's really what you're saying.

Computing has matured. The world has trended away from the Wild West model we all suffered through on Windows where anything goes, and it's moving toward Slashdot's new favorite phrase--the walled garden. This is the model that's been in use on game consoles for years, which have crushed PC gaming in sales because people got tired of maintaining their PCs. They don't want to maintain their phone OS either.

Re:iPhone suddenly looks wise

[_Sprocket_]

Ahh - someone who hasn't had enough hits on the dead horse yet.

What freedom do you think you have because you bought a phone with less quality control? Because that's really what you're saying.

When you say "quality control", do you mean "what's good for the company?" Because that's what you're really saying. What's good for the Keeper of the Walled Garden is good for you too, right? See - we can all put words in each others mouths.

Fair point even if it can be made in a more honest way. Yes - I might be giving up some amount of quality control. But I'm also getting more general control. I'm willing to make that trade. I understand how trading away my control can be appealing - even beneficial to some. But it's not for everyone and not for me.

I should also point out how life was back in the days of Ma Bell and the very strict control they had over the POTS network due to "quality control." When we no longer had to ask Ma Bell for permission to connect MODEMs, answering machines, our own phone, etc. we saw a surge of technology and options that benefited the consumer. The old Ma Bell phones are iconic and undoubtedly top-grade devices. But I, for one, don't mind trading them for my first MODEM.

Re:iPhone suddenly looks wise

[lucas+teh+geek]

I'll match your 'what if' and raise you '21 out in the wild actual cases of malware'. Your move.

Re:iPhone suddenly looks wise

[sourcerror]

O rly?

Re:iPhone suddenly looks wise

[PipsqueakOnAP133]

Considering the exploit was against freetype, which Android versions are vulnerable to it too?

Lots of $ for Slashdot on this topic

[blahbooboo]

Wow, this is going to generate lots of ad revenue for slashdot. :) Here comes the endless rounds of android v iOS arguments...

Re:Lots of $ for Slashdot on this topic

[owlstead]

As long as the comparison is interesting, I've got no trouble with that. There is quite a lot of things to be said about both ways of operating.

There are a few things Google can do to alleviate some of this - out of the top of my head:
- create a number of "Google approved" applications (much like the Apple store, but without disallowing anything), devs have to pay Google something to have them review the code I suppose)
- split applications into categories, the categories would allow them to highlight e.g. games that require phone access and such
- let devs apply for a certificate using a strong set of credentials and let them sign their code (hard to reinforce, and criminals could "hire" people to take the fall)

I'm all for a good, technical, discussion between iOS and Android.

Open fields vs walled gardens

[UBfusion]

This kind of publicity is all that was needed to provoke a new series of commercials in the "I'm an iPhone" and "I'm an Android" line.

The challenge is now how to isolate these incidents and how to preemptively plan the prevention of the same happening to the (future) linux apps market.

Why Oh Why?

[PmanAce]

Why do people download apps with ratings of 1 star out of 5 and beforing reading the reviews that state it is malware? I simply do not get it. Maybe I should create a device where people can just randomly click on buttons and stuff without anything happening since that is what is happening right now.

Re:Why Oh Why?

[somersault]

It's not that nothing is happening. The applications still run, just with added malware in the background.

This is one reason why I have an iPhone

[chrisgeleven]

Say what you will about the App Store review policies, but at least I know someone at Apple has personally looked at every app and its update I installed on my phone so a situation like this won't happen.

Re:This is one reason why I have an iPhone

[Psiren]

but at least I know someone at Apple has personally looked at every app and its update I installed on my phone so a situation like this won't happen.

That's a "famous last words" just waiting to happen. Yes, it's arguably more unlikely. But to say it won't ever happen is just dumb.

Re:This is one reason why I have an iPhone

[teh31337one]

Case in point

Re:This is one reason why I have an iPhone

[blahbooboo]

but at least I know someone at Apple has personally looked at every app and its update I installed on my phone so a situation like this won't happen.

That's a "famous last words" just waiting to happen. Yes, it's arguably more unlikely. But to say it won't ever happen is just dumb.

Sure it can happen. But unlike the Google store, at least in theory, Apple actually reviews each app and supposedly does basic analysis and testing. Simple solution, Google should have an option or something in their store to have the app verified as passing some sort of bare minimum testing for safety and security. Google Android isn't so perfect it can't learn from others...

Re:This is one reason why I have an iPhone

[robmv]

Do Apple request source code, audit them and compile them?, NO, a smart developer just publish a very obfuscated app that start to do nasty things 6 months later of n number of application startups. A fake game, using the open source code but not open assets and name, was published on the Mac App Store (Lugaru) so unless Apple audit source code, everything is possible

Re:This is one reason why I have an iPhone

[milkmage]

the Lugaru-gate incident was about copyright.. not malware. Apple looks for code that does bad things.. they do not (and CANNOT) check to see that every single line of code in every single app is original (or at least does not otherwise violate someone eles's IP)

Re:This is one reason why I have an iPhone

[Skuld-Chan]

Apple has let things slip through. Here's some examples:

http://www.macworld.com/article/152835/2010/07/iphone_flashlight_tethering.html > app allows tethering as a hidden feature to being a flashlight tool.

http://www.appleinsider.com/articles/10/06/02/flurry_modifies_data_collection_after_being_called_out_by_steve_jobs.html > Apple themselves being surprised that Flurry was collecting info on prototype versions of iOS...

There might be more - but in both these situations here are applications doing something that Apple didn't know they were doing and they were screened applications.

Re:This is one reason why I have an iPhone

[bonch]

Right, the whole point is that it's far more unlikely.

Re:This is one reason why I have an iPhone

[robmv]

right, but the Lugaru example was given because it just needed that the scammer add some hidden obsfuscated malware code activated remotely (for example pooling some web server for activation), and you have a malware distributed to a lot of users, Apple can not guarantee that apps are safe, only that they can take it down if found. No source code, no way to know what the application do unles you decompile and check. Doing Automated test will only work like antivirus works, only for known variations of threats

Re:This is one reason why I have an iPhone

[SoftwareArtist]

An interesting (and important) question will be whether Google manages to track down the people who created this malware. The Android Market may be open, but that doesn't mean it's completely unprotected. In order to post an app, you need to register as a developer. To register, you need to pay a $25 fee, which means giving Google a valid credit card. In principle, that makes it much harder to post malware and not get caught, since they can use that credit card as a lead for tracking you down. We'll have to wait and see how well that works in practice.

Re:This is one reason why I have an iPhone

[PipsqueakOnAP133]

Indeed a human reviewer isn't going to catch everything. Nor will an automated one.
But those two are quite a bit different than malware.
Flurry was picking up on the OS version and device type, it's nothing like rooting your phone.
The flashlight with a web proxy embedded was still bound by the sandbox.

Mom would say

[Cartman's+Mom]

Oh dear....I think it’s time you and your little friends do your playing in the walled garden from now on...

Re:Mom would say

[macs4all]

Oh dear....I think it’s time you and your little friends do your playing in the walled garden from now on...

...But at least, in our Walled Garden, we'll have time to PLAY, rather than having to forever stand waiting at the gate, sword in hand, to defend ourselves against the Orcs of the Internet.

Patched.

[Zizagoo]

The exploit this malware uses was patched in 2.2.2, so this would only be able to work its magic on phones abandoned by manufacturer before being updated to Froyo and/or not running a recent Froyo/Gingerbread custom ROM. That doesn't make this any more acceptable though. Add this to more proof that a revamp in the update system is required.

Re:Patched.

so this would only be able to work its magic on phones abandoned by manufacturer before being updated to Froyo and/or not running a recent Froyo/Gingerbread custom ROM

Which is to say... most of them?

Re:Patched.

The exploit this malware uses was patched in 2.2.2, so this would only be able to work its magic on phones abandoned by manufacturer before being updated to Froyo and/or not running a recent Froyo/Gingerbread custom ROM.

So only about half of them then.

Re:Why is this guy complaining AGAIN ?

What the actual fuck?

iPhone still looks wise comparatively

[hellfire]

Because the evidence you provided was ONE issue and it was plugged quickly. And ironically, it was found by a jailbreaker and the only known exploit was to jailbreak your phone, not to root your phone and allow it to be controlled by someone else. Comparatively, here are 50,000 reasons the Android might be considered insecure.

The GP never said specifically the iPhone never had issues, and I'm not personally saying the Android is better/worse than iPhone in any way. I'm just pointing out your argument doesn't have a lot of weight.

Re:iPhone still looks wise comparatively

[trollertron3000]

Jailbreaking and rooting are the same thing my friend ;)

Re:iPhone still looks wise comparatively

[hellfire]

Your quibbling over definitions when I clearly said "Jailbreak your phone" in the context of your OWN phone, and when I clearly said "root your phone and allow it to be controlled by someone else."

Congrats, you successfully pointed out weak grammar, I'm sorry. I know what they are, but the GGP post still didn't make a weighty point about comparable security and neither have you.

Re:iPhone still looks wise comparatively

[trollertron3000]

Sorry I didn't pick up on some definition you made up and instead used the actual fucking definition. Apologies my liege.

Re:iPhone still looks wise comparatively

[trapnest]

Well sort-of. Jailbreaking is an iOS term where rooting applies to Android specifically and *nix in general.

Re:iPhone still looks wise comparatively

[Brett+Diamond]

Actually, jailbreaking is a *nix term, originating from code that is able to break out of a BSD jail. It basically refers to code that is able to access files that is otherwise protected (operating system, file protections, encryption, etc.). Rooting on the other hand refers to the ability to execute code with root privileges. Both refer to privileged escalation, jailbreak generally refers to file access whereas root generally refers to process access. Both of these terms have changes over time (e.g., Sony has a "rootkit" in some CDs that only affected MS Windows).

However, I think it is fair to say that in today's world, a jailbreak is something that is done intentionally by the owner of a device to gain access to features that are otherwise denied, whereas rooting is done by nefarious n'er-do-wells with evil intent. Oh yeah, and Sony.

Re:iPhone still looks wise comparatively

Rooting doesn't only apply to *nix. Rooting is simply gaining super user level permissions in ways that circumvent user authentication. The term is named as such due to the super user on *nix being the root account. But this term is not specific to *nix at all and I've heard it used it many different conversations about many different devices and OS's. Look up the term Rootkit, it's been around a lot longer than Android has.

Actually they pulled more than 50 apps now

At least according to lookout:
http://blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/

So...

[bhunachchicken]

"Unfortunately although Google has moved swiftly to remove the apps, they have already been downloaded by at least 50,000 Android users"

Bet that remote kill and remove ability that some people were bitching about a few months back isn't looking like such a bad thing right now, is it?

Re:So...

[drinkypoo]

Bet that remote kill and remove ability that some people were bitching about a few months back isn't looking like such a bad thing right now, is it?

In the case of trojans which open your machine and download additional code, it's not going to help you one bit. The damage is already done. Are there hidden rootkits for Android phones yet?

Re:So...

[Skuld-Chan]

You can kill an app sure, but if these apps have rooted the phone - they could allow more stuff in :).

Re:So...

[Duradin]

Google good. Apple bad.

It was never bad when Google did it. It'd only be bad if/when Apple does it.

Re:So...

Are there hidden rootkits for Android phones yet?

HBGary is already working on it

Re:So...

to justify its existance google make the malware and then say look this invasive tech is a good idea! it will always be a bad idea.

Re:So...

[owlstead]

"You've downloaded a malicious app. Do you want to delete this app [yes/no/more info]?" or
"You've downloaded a malicious app. This app can be removed by downloading . Proceed [yes/no/more info]?"

This works until the app has enough access to remove the counter measures taken by Google.

Re:So...

[tlhIngan]

Bet that remote kill and remove ability that some people were bitching about a few months back isn't looking like such a bad thing right now, is it?

Which raises an interesting question. When Apple did it (as in, discussed the remote kill switch, they haven't actually had to use it), everyone went bat-shit crazy. When Amazon did it, ditto.

When Google does it, it's good? Sure it may be for a good purpose, but the fact that it not only exists, but is used often enough.

And hell, even Apple has a problem in that they can't cleanly remotely delete apps - they could have iTunes delete its copy of the IPA file, but there's no guarantee a user won't have other copies as well (apps can exist on the device, inside the iTunes library, and backed up, and the design of the DRM was designed for this). Hell, the noise would be incredible if iTunes had remote-delete capability.

Re:So...

Bet that remote kill and remove ability that some people were bitching about a few months back isn't looking like such a bad thing right now, is it?

In the case of trojans which open your machine and download additional code, it's not going to help you one bit. The damage is already done. Are there hidden rootkits for Android phones yet?

Yes, but we have not found any evidence of them yet.

Re:So...

Which raises an interesting question. When Apple did it (as in, discussed the remote kill switch, they haven't actually had to use it), everyone went bat-shit crazy. When Amazon did it, ditto.

When Google does it, it's good?

1) It's still bad when Google does it.

2)Apple and Amazon had walled-garden style app stores, so they had no reason to do it in the first place.

Drivers, not auto mechanics

[tepples]

iOS itself is malware from the users' point of view

Heck, iOS apps don't even have a list of privileges that the user can accept or decline when installing them from the App Store.

a fact easily overlooked by the brain-washed.

The unbrainwashed sometimes forget that a lot of people just want to get work done, not spend time fixing their tools. To make a car analogy: some people want to be drivers, not mechanics.

Re:Drivers, not auto mechanics

[Marcika]

iOS[...] brain-washed.

The unbrainwashed sometimes forget that a lot of people just want to get work done, not spend time fixing their tools. To make a car analogy: some people want to be drivers, not mechanics.

Better car analogy: Some people use taxis all the time rather than learning to drive themselves -- sure it costs a lot more and doesn't get you there any faster, but the high cost confers high status and both a 4-year-old and a 90-year-old could use taxis (if they could afford them).

Re:Drivers, not auto mechanics

[melikamp]

The unbrainwashed sometimes forget that a lot of people just want to get work done, not spend time fixing their tools.

Consumers believing this fallacy is what allows hardware manufacturers to ship non-free software. Free software "just works" when properly supported and is cheaper for users and HW makers. This is because its development costs are an order of magnitude smaller (not true for games, but you are talking about tools). If a nice slice of the marketplace started demanding Free software, they would start getting cheaper, better systems that don't lock them in and don't spy on their every move. To make a car analogy: some people want to own a well-documented car that can be fixed by any mechanic using generic parts, not rent a black box on wheels. Unfortunately, the marketing brainwashed people into believing that Free software is technically deficient, while the opposite is obviously true.

Re:Drivers, not auto mechanics

[RyuuzakiTetsuya]

Free software "just works" when properly supported and is cheaper for users and HW makers.

How's that working for Nokia?

Besides, free software isn't the solution to shitty software. On the phone, the stakes are much higher. I'll stick with my "locked down" iOS over an OS that might break because what I thought was an ssh client was also harvesting personal information and giving it to someone for nefarious purposes.

Re:Drivers, not auto mechanics

[melikamp]

Free software "just works" when properly supported and is cheaper for users and HW makers.

How's that working for Nokia?

What, you mean, is N900 easy to use? Jesus F. Christ, have you tried it? It's completely idiot-proof. It has apps for any IM, any email, has maps with gps, great voice interface, address book you can actually export, has firefox and an X desktop filled with 3d eye candy. Is it doing well in the marketplace? No, because no one gives a shit about running Free software, to their very own detriment, which was exactly my point.

over an OS that might break because what I thought was an ssh client was also harvesting personal information and giving it to someone for nefarious purposes.

You right, a Trojan masquerading as an ssh client is an issue every Debian user has to face sooner or... Wait a second, wtf are you talking about? You are smart enough to use busybox and ssh, but stupid enough to be fooled by a giant wooden horse? Does not fempute.

Re:Drivers, not auto mechanics

[Skuld-Chan]

The thing is - the free market takes care of you in situations like this. Those apps - I'm sure had 1 or 2 stars and market reviews along the lines of "malware" - plus the reviews I'm sure were not all that great either "Japanese screaming sexy girls" may have been popular, but its hard to mistake for anything serious like a SSH tool.

I know the CNN article said they were popular apps, but they never showed up on the marketplace home page and I've never heard of them (I've been using Android since the G1).

Also I should mention - even Apple has been a victim of malware. They themselves were shocked to notice that a company had been collecting information on internal iOS builds - they then changed the rules about what kinds of metrics apps could collect on the phone. There was that screensaver that made it onto the app store that was also a teathering tool. Apple isn't infallible when it comes to app use or claims.

Google really does have our back on this one ;).

Re:Drivers, not auto mechanics

[cowboy76Spain]

The thing is - the free market takes care of you in situations like this. Those apps - I'm sure had 1 or 2 stars and market reviews along the lines of "malware" - plus the reviews I'm sure were not all that great either "Japanese screaming sexy girls" may have been popular, but its hard to mistake for anything serious like a SSH tool.

Wow, wait a little! You:

Decide a conclussion "the free market takes care..."

Based in the conclussion, decide what must have been the facts: "I'm sure had 1 or 2 stars" and do not even check them

Assume that popular is serious... sorry, maybe the fishbowl screensaver is neither serious nor sofisticated, but that does not mean it is not popular. Check Facebook if you have any doubt.

In fact, at least 50.000 customers have been "taken care of" in spite of the free market. And has stopped due to Google "pulling a Jobs" and banning them.

Do not missunderstand me, I am tech savvy and like to check what is in my computer (no smart phone) and all of that. And I also know a lot of people have a motto (v.g. "Free market rules") and want to write it down everytime they get the chance to. But I do not think this is a news where you can say "see how free market magically solves all the problems in the world?".

Re:Drivers, not auto mechanics

[iluvcapra]

But free markets rely on proper design -- if people were allowed to sell stocks on the stock market without proper accounting or disclosures, then anyone who did disclose would be at a competitive disadvantage and there would be no disclosure, and eventually nobody would buy stocks except for a few insiders and dumb money.

If the laissez-faire outcome of only relying on "star" ranking is that only suckers and power users use the app market, then that's a market failure and bad for Android. The idea of rating a should be to evaluate the quality of an app at doing what it says it will, provided that it does nothing malicious. Fraud simply cannot be tolerated in any excessive amount, because if someone is bitten by this once and the cause is not rectified, they might just not ever use the App market again and tell their friends same.

If I were running an app market, what I might do is create a "referee" type system where some users are allowed to use a submitted app before it's released at-large, and in exchange they must show their system logs and external verification of their network usage. That wouldn't catch everything but it would catch a lot of things.

Re:Drivers, not auto mechanics

[shadowfaxcrx]

Plus he forgets that the apps only get 1 or 2 stars, and market reviews along the lines of "malware" AFTER people have already installed it. The free market doesn't take care of the leading edge so well, does it? ;)

Re:hahahaahaa

I'm sure that iOS isn't immune to this problem. It may be reduced in scope but if you can be sure that Apple doesn't have teams of people reviewing the code of Apps that they vett for the App Store.

Tivoized

[tepples]

Luckily the source code is open

The source code of the Apache-licensed Android Open Source Project is open. The source code of the proprietary drivers linked to it, not so much.

so people can find and root out these issues

Except that won't help you if the problem is in the kernel and the only phones offered by carriers with coverage in your area have been tivoized with competently locked-down bootloaders, such as anything that Motorola made after the first Droid. Or by "root out" were you alluding to installing the fix using a privilege escalation ("rooting") exploit?

Re:Tivoized

[TheLink]

The issue in this case isn't in the kernel or drivers. It's that people write malware and people are tricked into installing them.

Thank Goodness

[mattwrock]

Angry Birds wasn't on the list. It only steals my free time. I understand the sex position, hilton sex sound, and screaming sexy Japanese girls, but scientific calculator? WTF?

Re:Thank Goodness

[Evtim]

And, BTW, which scientific calculator do they mean?

https://market.android.com/search?q=scientific+calculator&c=apps

If there are more than one app with the same name, tell us from which developer are the bad ones. As far as I see the app is still there!

Re:Thank Goodness

[maxume]

Lookout blog says âoeKingmall2010â, âoewe20090202â, and âoeMyournetâ:

http://blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/

They also say that those developers have been pulled from the market.

Re:Thank Goodness

[maxume]

Slashdot chokesonquotes:

Kingmall2010, we20090202, and Myournet

Re:hahahaahaa

Naturally the cost of freedom and choice.

AV software

[ubrgeek]

So is there reliable AV software available for the droid?

Re:AV software

[peragrin]

great so now not only will the AV software use half hte CPU but also cut battery life in half too.

Re:AV software

[alt236_ftw]

Once an app has root access, it doesn't matter anymore.

A "standard" AV app for android will police only Dalvik applications.

For an app which can scan everything, it will need to operate from the Linux layer, but even then - as in any other Linux system - once an attacker gets root, all bets are off.

Confidential Business Proposal

[Jetrel]

Attention: The President/CEO
Dear Sir,

Having consulted with my colleagues and based on the information gathered from the Nigerian Chambers Of Commerce And Industry, I have the privilege to request for your assistance to transfer the sum of $47,500,000.00 (forty seven million, five hundred thousand United States dollars) into your accounts. The above sum resulted from an over-invoiced contract, executed commissioned and paid for about five years (5) ago by a foreign contractor. This action was however intentional and since then the fund has been in a suspense account at The Central Bank Of Nigeria Apex Bank.
We are now ready to transfer the fund overseas and that all you will need to do is download this App from the Android Market Place.

The transfer is risk free on both sides. I am an accountant with the Nigerian National Petroleum Corporation (NNPC). If you find this proposal acceptable, we shall require a few minor tidbits of information that we will download automatically from your phone and contacts.

(a) your banker's name, telephone, account and fax numbers.
(b) your private telephone and fax numbers -- for confidentiality and easy communication.
(c) your letter-headed paper stamped and signed.

Please reply urgently.
Best regards
Mike "Wingnut" Smith

So what's the fix?

If someone downloaded one of these apps, what's the fix to clean it out? Factory reset?

Re:So what's the fix?

[h4rr4r]

Flash a new OS on the device.

Re:Too bad

[bberens]

I'm sorry.. will keep Android from ever taking off? Android has more unit sales in the United States than any other smart phone OS. I think your statement is a bit past due.

Uh, why?

[Haedrian]

"it might be best to take your device to your carrier and exchange it for a new one"

Why can't you just factory reset it?

Re:Uh, why?

IMEI code and the unique Android code can be used to steal your electronic identity when using phone or frame you to be a criminal on other countries.

And you really dont want that!

Re:Uh, why?

[alt236_ftw]

Because the device was rooted. At which point nothing stops the malicious app from downloading compromised copies of core applications (or to download and install a new service, or get a server running) and install them in the System partition. If you factory reset, you will wipe the Data partition but the System partition remains intact (as there is no way for the device to restore it since it does not have a copy). Alternatively, you can re-flash a stock (or custom) ROM.

Re:Uh, why?

[Haedrian]

Very helpful, thanks.

Re:Uh, why?

[cheeks5965]

So what would the carriers do with these returned phones? Is it possible that i would get a refurbished phone that has already been rooted? How would i know if this were the case? Is there a way to check?

Re:Uh, why?

[alt236_ftw]

In principle here is no way of knowing if the phone has been compromised - unless you root yourself and do an md5 hash of all files in System and then compare the hashes with the someone else.

Its the same as with any other similar situation, except that in a server you can format and re-install.

The most sure-fire way is the flash a trusted ROM, which is the equivalent of the format/re-install process. Some, but not all, carriers and manufaturers offer non-OTA flash options in their websites. HTC has RUUs, Samsung has KIES (and another -more unofficial- program which I can't remember).

But in essence, you have to trust that the carrier has flashed the replacement phone you receive OR make sure you get a new phone.

Re:Uh, why?

[cheeks5965]

how do i explain that to my mom, so she knows what to do with her droid? It's easier to give her directions to the nearest apple store.

Re:Uh, why?

[alt236_ftw]

In all fairness,
How will you tell your mother that her warranty was broken because she visited a website? Not to mention, that things go through the apple app store as well.

The main problem here is perception:
What you are using is not just a (smart)phone - it is a miniature PC.

You have to treat it as such, and follow the same rules as with a laptop:
1. Don't install stuff from people you know nothing about.
2. Don't open attachments from people you know nothing about.
3. Don't click links that point to websites that you know nothing about.
4. Don't store on it stuff that will make your life a living hell if you lose it or it gets compromised.
5. Don't link it to stuff that will make your life a living hell if you lose it or it gets compromised - such as certain email accounts.

If someone can't understand the rules or is unable to follow them (due to lack of technical skills), they should have a dumbphone.

Re:Uh, why?

[cheeks5965]

so what you're saying is all of the people who want a smartphone should get an iphone, and both of the people who want a miniature pc with all its attendant security problems should get a droid. Does it come standard with a case that attaches to my belt?

Re:Uh, why?

[alt236_ftw]

Not really - the line about the void warranty on website visit is about the fact you can jailbrak an iphone by visiting a page.

What I am saying that you need to accept certain responsibilities when you have a smartphone, no matter the brand.

The fact that android was targeted this time does not mean that WM7 or the iphone wont be targetted next (and according to pwn2own the iphone just failed).

Linux

I just wish there would be really improvements to the security what application really can do and what.

Example, just for using a app what has ads, makes the application demand internet connection. It is a very silly thing to give users "Oh, it just needs full internet access for ads so go for it!"

It is too easy to give permits to make a call, receive a call, read/create/delete contacts or modify any other data.

Every thing should be separated. Every app developer should write down why those are needed and then simply, Google (or any other store maintainer) should start checking those.

I want a great security to my Android phone. I want to know when and what application is trying to do. Sudo is not anywhere secure for that, as it can be passed on Android devices as on desktops systems where you need to type user password just to get ALL:ALL rights to system. Sudo was designed to give *some* users a *one* or *few* rights to execute at *one* or *specific* computers. Never ever be a root replacement like stupid Canonical is offering it by default.

On Android if you have rooted the phone, you just need to click once the "Allow" button and as anyone know, it can be done by software itself, user never knowing it. Just reading a sensors when phone is on pocket/table/screen is turn off and malware can do what ever they want.

Apple made the true and the only good choice at the start by forcing every application and update being checked. Security is #1 thing what users respect and when it is done well, you do not even notice it, just like on iOS.

Why does Google even allow pirated versions?

This is completely unacceptable on the official market. Google can at least use a search algorithm to flag apps that have been copied from others.

Having an open market is just a bad idea. The only ones who benefit from it are those who want to push spam apps and malware. It cheapens the market and hurts the developers who actually produce high quality apps.

People can complain about Apple's App Store, but there is a reason why it is more successful than the Android Market. Google does not need to be as strict as Apple, but they should at least have some basic quality control and review the apps before being placed on the market.

Re:Why does Google even allow pirated versions?

[__aazsst3756]

DEAD ON. Mod this up!

Charlie Sheen's a programmer?

[name_already_taken]

Yes, I know everyone here on slashdot is a superstar programmer earning $10m + a year just in stock options, just think of us little guys as you're snorting cocaine off hookers' tits on one of your yachts.

He's not a programmer, but other than that detail, you just described Charlie Sheen's life pretty closely.

Invalid example

[name_already_taken]

The example you're talking about:

1. Only affects iDevices that were jailbroken - Once you do that, how can you blame Apple for anything that happens? (hint: you can't)
2. Only affects iDevices that were jailbroken and had sshd installed and the default ssh password left unchanged! (hint: don't install ssh unless you're also smart enough to change the freaking default password!)

So, really what you're saying is that if I modify a device that I've bought, and my modification causes a security vulnerability that someone else can exploit, then the original manufacturer of the device is somehow to blame?

That's just stupid.

Re:hahahaahaa

[arielCo]

So it's secure only because they're protected by their cozy cage^W walled garden ...

Re:hahahaahaa

The keyword is "Jailbroken". You bust a hole in the garden's wall & let the world inside.

Love always,
-iOS

(Look, I know that I can get malware too. I'm not stupid. But it is less likely when you have to go through app review & approval. Not impossible, but less likely.)

Maybe Apple's policies are not rooted in evil?

[kimvette]

In light of this, perhaps Apple's app store policies are not quite as evil as they appear? I like open systems, and I like open source, but if it is a choice between a free-for-all where the managers of the trusted repository won't examine submitted apps vs. Apple's where one can be reasonably sure that every app is going to be safe, the iPhone looks like a safer bet for folks who install lots of apps.

Re:Maybe Apple's policies are not rooted in evil?

[choko]

Apple pulled several apps over the last year for harvesting data without user knowledge or permission. Their approval process has less to do with app safety than most people really understand.

Re:Maybe Apple's policies are not rooted in evil?

[maxume]

Nobody particularly cares that Apple is a fascist about their app store, the complaint is that there is no way to say 'I am willing to accept the consequences, let me out of the safe zone'.

I guess there are some arguments that it simplifies support and may make for a more desirable image for the platform, but it isn't for me.

Re:Maybe Apple's policies are not rooted in evil?

What the hell is wrong with you people?

Some people abuse freedom to the detriment of others, so we're all better off with no freedom and a dictator who decides what's okay?
What the fuck? I was under the impression that here at slashdot people were reasonable-minded people with respect for freedom and openness.

Well hell, a few people misuse their freedom to commit crimes, so maybe we're all safer if no one has freedom. We'll all live in a nicely controlled environment, a la East Germany. Then we can feel nice and safe!

What the hell people.

The answer is not a restriction on freedom. The answer is, and always has been, education. Educate people on how to protect themselves from dangerous applications, and on how to not install applications that request unnecessary permissions. Android definitely needs a more prominently linked guide to explaining the permissions requested by applications, and perhaps a more fine-grained permission control system, but the answer is never a walled garden where a dictator decides everything. Unless you're David Koresh or Steve Jobs, that is.

Re:Maybe Apple's policies are not rooted in evil?

They're still evil. There's nothing stopping Apple from maintaining the same restrictive app store policies but allowing users (who are willing to take the risk) to install from other sources.

But then they wouldn't get the 30% cut from those apps. Don't let them fool you into thinking it's about anything else.

Damage is done

[mblase]

As soon as an article about something like this hits the mainstream press, the damage is done from a marketing perspective. If Android (Marketplace) loses the trust of the users, Google may never be able to make it back up.

This is the reason Apple does things the way they do. Sure, it's draconian, but remember that we're still hearing about the "death grip" issue every couple of months. If Apple allowed a single popular piece of malware into their Store, it would be news everywhere. Instead, Apple has been able to successfully preserve their image as a maker of "consumer-friendly" products.

Re:Damage is done

[choko]

Not true. Apple pulled several apps from their store over the past year for harvesting data from users without their knowledge or permission. It barely registered with the mainstream media. C-net covered it though.

End users demand games.

[tepples]

Free software "just works" when properly supported and is cheaper for users and HW makers. This is because its development costs are an order of magnitude smaller (not true for games, but you are talking about tools).

End users demand games. Look at Apple, which for a while promoted its iPod touch as a handheld gaming device to compete with the Nintendo DS.

Re:End users demand games.

[melikamp]

No argument here :)

Re:hahahaahaa

[macs4all]

before iOS gets to cocky. Can we remind people of http://apple.slashdot.org/story/09/11/08/1411259/First-iPhone-Worm-Discovered-Rickrolls-Jailbroken-Phones

Although it was only for jailbroken phones, and it wasnt malicious code, apple still got it first.

Ok, that's one. And exploiting a LONG-PATCHED vulnerability.

Now, find 20 more iOS examples, and we'll talk.

BTW, that's all that have been FOUND on the Android Marketplace; not HARDLY how many are likely to have actually been PUBLISHED there. And then there's all the OTHER sites selling Android malw... er, Apps...

I agree that with freedom comes responsibility; but this proves without question that it has NOTHING to do with WHERE an Android user actually DOWNLOADS an app from; but rather, Android's fundamentally broken marketing model: That users are smart enough to manage their own security in the face of ever-more-clever publishers of malicious applications; and that simply asking a user to review and decide on what constitutes "reasonable" permissions ONLY ONCE, DURING INSTALL TIME, is in ANY way sufficient for the AVERAGE (non-slashdot-reading) owner of an Android device.

BTW, I would LOVE to know how many bona fide "geeks" got bitten by one or more of these apps. I would bet real money that the number is not zero. Now what?

I'm really not trying to incite flames; but Google, and Android fans, HAVE to admit at this point that there is mounting evidence that the Wild West approach to App availability in the Mobile market simply doesn't work for MOST humans, period.

And once that one, now plainly dubious, "advantage" is gone with Android over iOS, then what, besides yet another race to the bottom level of quality and price, does the platform have to offer for MOST humans?

Remember, Android did NOT get popular because of the ability to download anything from anywhere (requiring the user to JAILBREAK their ANDROID device in most cases!); but primarily because people WANTED an IPHONE, but either a) Hated Apple on "religious" grounds; b) Were locked into a Carrier by contract or coverage area; or, c) Couldn't afford an IPHONE.

Re:Too bad

[bonch]

I'm sorry.. will keep Android from ever taking off?

"As an App platform." But I guess Android fanboys were too busy emotionally reacting and modding his post down to read the entire sentence.

It almost makes me want to laugh...

[DerekLyons]

Just the other day, Slashdot commenters were absolutely insisting that the only possible source of malware was 'untrusted' app stores. If only everyone got their apps from 'trusted' (read: "big corporate") websites then malware would never spread.

android broken security update

[yupa]

The update is managed by gsm carrier/phone maker and lot's of phone don't get any update.

That's a broken model.

With apple the device is close, but all devices get new update.

All version of android will got some local exploit bugs (from kernel, app running as root, ...).
This means people can create valid application (without any specific perm), that can :
- run exploit and become root
- destroy your phone (erase bootloader)
- steal your information (spy your location, your call)
- make your phone a spam relay, ...

Re:hahahaahaa

[MobileTatsu-NJG]

Tee hee

Love always,
-iOS

There's a little lesson in this for everybody in this thread: The more noisy you get about something, either pro or con, the more likely it is somebody's going to stoke the fire with comments like this. Think about that the next time you decide to bring product A into a thread about product B.

The solution is not to give up

[SuperKendall]

They have the source, they also take user reports and test stuff, even then bad software can get through. This is just a fact of life.

You can never protect anything 100%

But 90% is better than 0%.

That is why the Android market SHOULD do some vetting, and why pretty soon all Android users will probably start using the Amazon market.

Re:The solution is not to give up

[scot4875]

Actually, it's almost more dangerous for users to think, "oh, I have nothing to fear, my iOS device can't ever possibly be hacked, and Apple has my back with their vetting process" (as Apple would MOST CERTAINLY have you believe), than for a user to go to the Android Marketplace and know that, "hey, anything I install can do whatever it says in the list of permissions; maybe I should be careful."

--Jeremy

Re:The solution is not to give up

[SuperKendall]

Actually, it's almost more dangerous for users to think

If users every thought about security or privacy, you'd have a point.

But they do not, will not. You cannot possibly give them a false sense of security, when they have none to begin with.

So in the end it's FAR better to do what you can to protect them, rather than letting wolves tear at them and giving out bandages as needed.

See StenchWarrior RUN... ROTFLMAO! apk

http://yro.slashdot.org/comments.pl?sid=2015772&cid=35358632

APK

So do most of the rest of apps

[Snaller]

Ok, no, the rest of the apps don't root it and install stuff behind your back, but because of the stupid way Google has set up permissions most apps needs all kind of potentially dangerous permissions, most of them can read your phone number, if you are calling others etc - even though they don't need that but they must have the permission to do something else.

I would generally prefer Android over Ios but I don't install or buy most things because of the bad permission system, that is something google should clearly cleanup for the future.

wouldn't bet on that

[sourcerror]

I wouldn't bet on that.

Good enough?

[SuperKendall]

It scans every app after you install it, only takes a few seconds

That's all well and good unless the virus is downloaded after the install, as was the case with these 21 apps...

Name one malware that has been in App Store

[SuperKendall]

The only software I remember being at all questionable was Spyware (I think it sent some user data elsewhere the user was not expecting). There has not yet been malware in the App Store - from a practical sense the sandbox really prevents true malware from working, even if you could get it through review.

Only with one version

[SuperKendall]

IOS is sooooo locked in that going to a webpage roots it (aka, unlocks it).

Yes, but that was with an exploit in Safari, and not around for current OS versions. An app in the app store would have to include the PDF with the exploit in it, easily scanned for by the reviewers.

Re:hahahaahaa

Fuck me you're a flaming retard

Security for android

I smell money

From 21 to over 50; more complete list below

[Jaqi]

The offending apps from publisher Myournet:

Falling Down; Super Guitar Solo; Super History Eraser; Photo Editor; Super Ringtone Maker; Super Sex Positions; Hot Sexy Videos; Chess; _Falldown; Hilton Sex Sound; Screaming Sexy Japanese Girls; Falling Ball Dodge; Scientific Calculator; Dice Roller; ; Advanced Currency Converter; App Uninstaller; _PewPew; Funny Paint; Spider Man;

Over 30 more have been found by Lookout:

owling Time; Advanced Barcode Scanner; Supre Bluetooth Transfer; Task Killer Pro; Music Box; Sexy Girls: Japanese; Sexy Legs; Advanced File Manager; Magic Strobe Light; ; Panzer Panic; Mr. Runner; ; Advanced App to SD; Super Stopwatch & Timer; Advanced Compass Leveler; Best password safe; ; ; Finger Race; Piano; Bubble Shoot; Advanced Sound Manager; Magic Hypnotic Spiral; Funny Face; Color Blindness Test; Tie a Tie; Quick Notes; Basketball Shot Now; Quick Delete Contacts; Omok Five in a Row; Super Sexy Ringtones; ; ;