Google Pulls 21 Malware Apps From Android Market

Hugh Pickens writes writes "CNN reports that Google has pulled 21 free apps from the Android Market that, according to the company, are aimed at gaining root access to the user's device, gathering a wide range of available data, and downloading more code without the user's knowledge. Unfortunately although Google has moved swiftly to remove the apps, they have already been downloaded by at least 50,000 Android users. The apps are all pirated versions of popular games and utilities which once downloaded, root the user's device using a method like rageagainstthecage, then use an Android executable file (APK) to nab user and device data, such as your mobile provider and user ID, and finally act as a wide-open backdoor for your device to quietly download more malicious code. 'If you've downloaded one of these apps, it might be best to take your device to your carrier and exchange it for a new one, since you can't be sure that your device and user information is truly secure,' writes Jolie O'Dell. 'Considering how much we do on our phones — shopping and mobile banking included — it's better to take precautions.'"

Exchange

[Andy+Smith]

"it might be best to take your device to your carrier and exchange it for a new one"

Yeah good luck with that.

Re:Exchange

[tehcyder]

You may not earn £100 for yourself, but your employer might bill your time with customers at £100/hour.

If you're being charged out at £100/hour you are probably earning about a third of that, going by the professional rule of thumb of one third salary one third overheads and one third profit.. £33/hour is about £60K/year, which sounds more likely than £200K.

Yes, I know everyone here on slashdot is a superstar programmer earning $10m + a year just in stock options, just think of us little guys as you're snorting cocaine off hookers' tits on one of your yachts.

Re:Exchange

[hairyfeet]

Question: Why is it taking 3+ hours to do a simple wipe and reinstall? You just wipe the machine, put in a pre built OS install CD/DVD with all the patches already done, put in the key on first boot, install the apps from the local server or via flash drive, done. Maybe an hour and a half tops.

Using a combination of WSUS Offline (which you can tell to include MS Office updates along with MS Essentials AV) and Ninite I can whip off a dozen boxes or more a day easy and spend less time per box than I do trying to figure where I sat my Coke down. Just a little preparation goes a long way friend.

As for TFA, welcome to the game Android users! Anything that becomes popular WILL become a target for malware as long as they can use social engineering, because it is just so damned easy to do as in TFA. I mean 50k infections and they didn't even have to write the app, just attach their malware to an existing app and upload? How easy can you get!

So welcome to the game Android users, where you have to watch out and worry about malware just like us Windows users. The donuts are over in the back, right next to the Apple users who are currently sulking after finding out shiny plastic and aluminum doesn't stop bugs. Look on the bright side, it just means you're popular now! Hell the Linux guys would kill to be that popular on the desktop! So enjoy the coffee it's fresh, meetings are on Tuesdays and Thursdays.

Re:Exchange

[fidget42]

Yes, I know everyone here on slashdot is a superstar programmer earning $10m + a year just in stock options, just think of us little guys as you're snorting cocaine off hookers' tits on one of your yachts.

The sad part of that statement is that a programmer who earns $10M (I assumed you didn't mean milli) a year still has to get a hooker in order to meet women.

Re:Exchange

[erroneus]

Hookers don't get alimony and almost never get child support. It's not a "need" but more of a business decision.

Re:Exchange

[Bassman59]

Yes, I know everyone here on slashdot is a superstar programmer earning $10m + a year just in stock options, just think of us little guys as you're snorting cocaine off hookers' tits on one of your yachts.

The sad part of that statement is that a programmer who earns $10M (I assumed you didn't mean milli) a year still has to get a hooker in order to meet women.

Witness for the prosecution: Charlie Sheen, rich guy who uses hookers. Prosecution rests.

BTW: in financial parlance, M indicates thousand, since it's an abbreviation of the Latin mille, which means "thousand." So the superstar programmer earning $10,000/yr? Yep!

Re:Exchange

[tftp]

Take the cost of the relationship and divide by the number of days in that relationship.

There are other advantages of hookers. For example:

• "Pay as you go" rate that you agree to before the fact
• Excellent availability
• Infinite variety
• No infidelity issues
• No claims on your property
• No relatives
• No chores to do, no unwanted concerts to go to
• No children
• A hooker will never give you rat poison to get rid of you.

Some say that a hooker is more likely to give you an STD, but that only depends on what kind of a wife they compare a hooker to.

What is up with Android malware?

I keep reading stories about Android malware. Why does Android attract more malware than any other phone platform?

I'm curious. It doesn't have the largest marketshare, so that argument is moot.

Re:What is up with Android malware?

[clang_jangle]

It's a relatively open platform, which makes it easier to dupe users into installing trojans. The thing that troubles me is that google doesn't vet the apps before they're published, leaving a lot of users vulnerable. There's surely a better middle ground between "walled garden" and "wide open wild west".

Re:What is up with Android malware?

[slim]

Can we try the reverse of the Apple/Windows malware for the OS X desktop market share idea?

No need to reverse it - Android has more market share than iOS, and it's growing.

There are more Blackberries than either at the moment, though. I guess Blackberries are more tighly locked down, and their users typically don't install frivolous apps, since they are usually work assets.

Re:What is up with Android malware?

[P.+Legba]

That argument never made any sense anyway. If it did, Apache would receive the greater attention from the mal-intentioned than IIS, by far.

The whole "there aren't viruses on the Mac because nobody cares about that platform" argument goes right along with it.

Re:What is up with Android malware?

[mevets]

I see where you are going, and its dangerous territory.

Try to follow along:
1. Windows is the most secure OS ever.
2. Because it has a 90+% of the market, it attracts 100% of malware.
3. If even 1% of those malware writers targeted {other os} the world would be awash in {other os} viruses.
4. It is a good thing Windows is there to attract all this malfeasance.

So, we clear? Now, don't bother with any more pesky thinking and there won't be any problems.

Re:What is up with Android malware?

[netsharc]

How about just having a proper security system...

BlackBerries ask you for each privileged task the app wants, whether you want to always allow that task, always deny, or prompt when the app needs it...

Re:What is up with Android malware?

[Mr_Silver]

It's a relatively open platform, which makes it easier to dupe users into installing trojans. The thing that troubles me is that google doesn't vet the apps before they're published, leaving a lot of users vulnerable. There's surely a better middle ground between "walled garden" and "wide open wild west".

The other issue is that the way the application presents the security access it needs is, for the average user, completely confusing. You install an app and it gives you a list of 7 things it needs to do including things like "read phone state" and "access internet".

For overly simple apps it may be possible for something like "access contacts data" to be picked up as nefarious by the end user - but in the vast majority of cases there is a long list of permissions and the users are given no real help in understanding what it all means. As such, they blindly accept what is presented to them because they don't understand what the phone is trying to tell them.

(Hell, if I were to decline to install any apps where I didn't fully understand the access it was asking for I don't think I'd have anything installed on my device)

In short, whilst you cannot stop stupidity, there are some pretty major flaws in the user experience which isn't exactly helping people.

Re:What is up with Android malware?

[CastrTroy]

This just goes to prove that most users aren't sophisticated enough to do computing outside of a "walled garden". Sorry to say, but that's just the way it is. Sure many of us geeks on slashdot can handle it, but most users generally cannot. Which is why the general public love their video game consoles, iPhones, iPads, and other walled garden computing devices. Because it lets them use computers without having to think, and without having to worry about what applications might do hard to their computer.

Re:What is up with Android malware?

[babblefrog]

Android does that already, essentially. This particular malware exploited OS bugs that have been known about forever, bypassing the security system. They are already fixed in the latest version of Android. The problem is that Motorola, HTC, Samsung, AT&T, T-Mobile, Verizon, etc aren't letting you have the latest version of Android, because up until now they have had no incentive to push out new versions to handsets. If it were Microsoft leaving known vulnerabilities unpatched, they would rightly be raked over the coals, and these companies should be too!

Attention:

"Please use only the official Google applications for harvesting your personal information."

What about a full list?

[jesseck]

The first link has a partial list (17) of the apps which were pulled- here is a full list of apps from publisher Myournet (from this site: * Falling Down * Super Guitar Solo * Super History Eraser * Photo Editor * Super Ringtone Maker * Super Sex Positions * Hot Sexy Videos * Chess * _Falldown * Hilton Sex Sound * Screaming Sexy Japanese Girls * Falling Ball Dodge * Scientific Calculator * Dice Roller * * Advanced Currency Converter * App Uninstaller * _PewPew * Funny Paint * Spider Man *

Re:What about a full list?

[SoupIsGood+Food]

There's more than one free app called Chess. If you've got the one by Aart Bik, I think you're OK - his site and his blog all indicate he's an on-the-square android dev working for Google.

iPhone suddenly looks wise

[Clsid]

I think I'll stick with my iPhone, four versions already and I haven't had to deal with crap like that. Call Apple the mother of all evils if you want but they at least work their ass off so you don't have to.

Re:iPhone suddenly looks wise

[teh31337one]

Just because that one website displayed a prompt, and let you know what it was doing, doesn't mean others will. Stuff can get by Apple's review system too. http://www.engadget.com/2010/07/20/handy-light-for-iphones-dirty-little-secret-tethering-video/4

Re:iPhone suddenly looks wise

[bonch]

You don't understand. Android is based on Linux, and it's from Google--two of Slashdot's biggest loves. That automatically means it's the greatest thing ever and that no criticism is valid, and anyone who chooses an iPhone is brainwashed, dumb, trendy, and so on.

Never mind that Android isn't open due to carrier control, its unit sales are only because it's on multiple phones and carriers and gets slapped onto every crappy low-tier smartphone out there (complete with unremovable junkware), and the user interface can't even do an animated scroll without the Java garbage collector kicking in and making it choppy.

Anyone who thinks Android is some great victory should consider that Google, an advertising company, barely makes any money from it. The idea was to get phone users onto Google services so that their data could be indexed for context-sensitive ads. That's one reason that free apps are encouraged--free apps that just so happen to use Google ads. However, Android has not been a money-maker, while Apple is making ridiculous amounts of money from iOS devices. Not to mention the fact that Android phones and software are often clones of what Apple is doing, from the overall look of the phones (go look at what Android phones were originally supposed to look like before the iPhone came out) to the interfaces of the apps themselves. Apple is the winner here.

Re:This is one reason why I have an iPhone

[Psiren]

but at least I know someone at Apple has personally looked at every app and its update I installed on my phone so a situation like this won't happen.

That's a "famous last words" just waiting to happen. Yes, it's arguably more unlikely. But to say it won't ever happen is just dumb.

iPhone still looks wise comparatively

[hellfire]

Because the evidence you provided was ONE issue and it was plugged quickly. And ironically, it was found by a jailbreaker and the only known exploit was to jailbreak your phone, not to root your phone and allow it to be controlled by someone else. Comparatively, here are 50,000 reasons the Android might be considered insecure.

The GP never said specifically the iPhone never had issues, and I'm not personally saying the Android is better/worse than iPhone in any way. I'm just pointing out your argument doesn't have a lot of weight.

Re:This is one reason why I have an iPhone

[blahbooboo]

but at least I know someone at Apple has personally looked at every app and its update I installed on my phone so a situation like this won't happen.

That's a "famous last words" just waiting to happen. Yes, it's arguably more unlikely. But to say it won't ever happen is just dumb.

Sure it can happen. But unlike the Google store, at least in theory, Apple actually reviews each app and supposedly does basic analysis and testing. Simple solution, Google should have an option or something in their store to have the app verified as passing some sort of bare minimum testing for safety and security. Google Android isn't so perfect it can't learn from others...

Re:Summary is wrong.

[Idbar]

I have a game from their market called "slice-it". From time to time it tries to get root permissions for who knows what reason.

So...

[bhunachchicken]

"Unfortunately although Google has moved swiftly to remove the apps, they have already been downloaded by at least 50,000 Android users"

Bet that remote kill and remove ability that some people were bitching about a few months back isn't looking like such a bad thing right now, is it?

Re:So...

[tlhIngan]

Bet that remote kill and remove ability that some people were bitching about a few months back isn't looking like such a bad thing right now, is it?

Which raises an interesting question. When Apple did it (as in, discussed the remote kill switch, they haven't actually had to use it), everyone went bat-shit crazy. When Amazon did it, ditto.

When Google does it, it's good? Sure it may be for a good purpose, but the fact that it not only exists, but is used often enough.

And hell, even Apple has a problem in that they can't cleanly remotely delete apps - they could have iTunes delete its copy of the IPA file, but there's no guarantee a user won't have other copies as well (apps can exist on the device, inside the iTunes library, and backed up, and the design of the DRM was designed for this). Hell, the noise would be incredible if iTunes had remote-delete capability.

Drivers, not auto mechanics

[tepples]

iOS itself is malware from the users' point of view

Heck, iOS apps don't even have a list of privileges that the user can accept or decline when installing them from the App Store.

a fact easily overlooked by the brain-washed.

The unbrainwashed sometimes forget that a lot of people just want to get work done, not spend time fixing their tools. To make a car analogy: some people want to be drivers, not mechanics.

Re:Drivers, not auto mechanics

[melikamp]

Free software "just works" when properly supported and is cheaper for users and HW makers.

How's that working for Nokia?

What, you mean, is N900 easy to use? Jesus F. Christ, have you tried it? It's completely idiot-proof. It has apps for any IM, any email, has maps with gps, great voice interface, address book you can actually export, has firefox and an X desktop filled with 3d eye candy. Is it doing well in the marketplace? No, because no one gives a shit about running Free software, to their very own detriment, which was exactly my point.

over an OS that might break because what I thought was an ssh client was also harvesting personal information and giving it to someone for nefarious purposes.

You right, a Trojan masquerading as an ssh client is an issue every Debian user has to face sooner or... Wait a second, wtf are you talking about? You are smart enough to use busybox and ssh, but stupid enough to be fooled by a giant wooden horse? Does not fempute.

Re:Drivers, not auto mechanics

[Skuld-Chan]

The thing is - the free market takes care of you in situations like this. Those apps - I'm sure had 1 or 2 stars and market reviews along the lines of "malware" - plus the reviews I'm sure were not all that great either "Japanese screaming sexy girls" may have been popular, but its hard to mistake for anything serious like a SSH tool.

I know the CNN article said they were popular apps, but they never showed up on the marketplace home page and I've never heard of them (I've been using Android since the G1).

Also I should mention - even Apple has been a victim of malware. They themselves were shocked to notice that a company had been collecting information on internal iOS builds - they then changed the rules about what kinds of metrics apps could collect on the phone. There was that screensaver that made it onto the app store that was also a teathering tool. Apple isn't infallible when it comes to app use or claims.

Google really does have our back on this one ;).

Re:Drivers, not auto mechanics

[iluvcapra]

But free markets rely on proper design -- if people were allowed to sell stocks on the stock market without proper accounting or disclosures, then anyone who did disclose would be at a competitive disadvantage and there would be no disclosure, and eventually nobody would buy stocks except for a few insiders and dumb money.

If the laissez-faire outcome of only relying on "star" ranking is that only suckers and power users use the app market, then that's a market failure and bad for Android. The idea of rating a should be to evaluate the quality of an app at doing what it says it will, provided that it does nothing malicious. Fraud simply cannot be tolerated in any excessive amount, because if someone is bitten by this once and the cause is not rectified, they might just not ever use the App market again and tell their friends same.

If I were running an app market, what I might do is create a "referee" type system where some users are allowed to use a submitted app before it's released at-large, and in exchange they must show their system logs and external verification of their network usage. That wouldn't catch everything but it would catch a lot of things.

Tivoized

[tepples]

Luckily the source code is open

The source code of the Apache-licensed Android Open Source Project is open. The source code of the proprietary drivers linked to it, not so much.

so people can find and root out these issues

Except that won't help you if the problem is in the kernel and the only phones offered by carriers with coverage in your area have been tivoized with competently locked-down bootloaders, such as anything that Motorola made after the first Droid. Or by "root out" were you alluding to installing the fix using a privilege escalation ("rooting") exploit?

Re:This is one reason why I have an iPhone

[Skuld-Chan]

Apple has let things slip through. Here's some examples:

http://www.macworld.com/article/152835/2010/07/iphone_flashlight_tethering.html > app allows tethering as a hidden feature to being a flashlight tool.

http://www.appleinsider.com/articles/10/06/02/flurry_modifies_data_collection_after_being_called_out_by_steve_jobs.html > Apple themselves being surprised that Flurry was collecting info on prototype versions of iOS...

There might be more - but in both these situations here are applications doing something that Apple didn't know they were doing and they were screened applications.

Invalid example

[name_already_taken]

The example you're talking about:

1. Only affects iDevices that were jailbroken - Once you do that, how can you blame Apple for anything that happens? (hint: you can't)
2. Only affects iDevices that were jailbroken and had sshd installed and the default ssh password left unchanged! (hint: don't install ssh unless you're also smart enough to change the freaking default password!)

So, really what you're saying is that if I modify a device that I've bought, and my modification causes a security vulnerability that someone else can exploit, then the original manufacturer of the device is somehow to blame?

That's just stupid.

Maybe Apple's policies are not rooted in evil?

[kimvette]

In light of this, perhaps Apple's app store policies are not quite as evil as they appear? I like open systems, and I like open source, but if it is a choice between a free-for-all where the managers of the trusted repository won't examine submitted apps vs. Apple's where one can be reasonably sure that every app is going to be safe, the iPhone looks like a safer bet for folks who install lots of apps.

Re:hahahaahaa

[macs4all]

before iOS gets to cocky. Can we remind people of http://apple.slashdot.org/story/09/11/08/1411259/First-iPhone-Worm-Discovered-Rickrolls-Jailbroken-Phones

Although it was only for jailbroken phones, and it wasnt malicious code, apple still got it first.

Ok, that's one. And exploiting a LONG-PATCHED vulnerability.

Now, find 20 more iOS examples, and we'll talk.

BTW, that's all that have been FOUND on the Android Marketplace; not HARDLY how many are likely to have actually been PUBLISHED there. And then there's all the OTHER sites selling Android malw... er, Apps...

I agree that with freedom comes responsibility; but this proves without question that it has NOTHING to do with WHERE an Android user actually DOWNLOADS an app from; but rather, Android's fundamentally broken marketing model: That users are smart enough to manage their own security in the face of ever-more-clever publishers of malicious applications; and that simply asking a user to review and decide on what constitutes "reasonable" permissions ONLY ONCE, DURING INSTALL TIME, is in ANY way sufficient for the AVERAGE (non-slashdot-reading) owner of an Android device.

BTW, I would LOVE to know how many bona fide "geeks" got bitten by one or more of these apps. I would bet real money that the number is not zero. Now what?

I'm really not trying to incite flames; but Google, and Android fans, HAVE to admit at this point that there is mounting evidence that the Wild West approach to App availability in the Mobile market simply doesn't work for MOST humans, period.

And once that one, now plainly dubious, "advantage" is gone with Android over iOS, then what, besides yet another race to the bottom level of quality and price, does the platform have to offer for MOST humans?

Remember, Android did NOT get popular because of the ability to download anything from anywhere (requiring the user to JAILBREAK their ANDROID device in most cases!); but primarily because people WANTED an IPHONE, but either a) Hated Apple on "religious" grounds; b) Were locked into a Carrier by contract or coverage area; or, c) Couldn't afford an IPHONE.