Google Finally Uses Remote Kill Switch On Malware
Hugh Pickens writes "The Google Mobile Team has announced that in addition to removing the 21 malicious applications from Android Market that were downloaded 50,000 times, suspending the associated developer accounts, and contacting law enforcement about the attacks, they are remotely removing the malicious applications from affected devices. 'We are pushing an Android Market security update to all affected devices that undoes the exploits to prevent the attacker(s) from accessing any more information from affected devices,' wrote the team on their blog. 'For affected devices, we believe that the only information the attacker(s) were able to gather was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices, and the version of Android running on your device).' Google's actions come after numerous complaints in tech publications. 'Does Google really want its Android Market to gain the reputation of being a cesspool of malware? Certainly not,' wrote Nicholas Deleon in TechCrunch. 'But then part of the allure of the Android Market is that it's open; you don't have to play by Google's rules, per se, to get on there like you do with Apple's App Store.'"
Good job again Google. That's why you're on top.
Correction: The malware was downloaded 260,000 times, not 50,000 as initially reported. source
Because we know that Google has the guts to be controversial and do this, while Apple probably wouldn't.
If I was to s/Apple/Google/ people would be declaring how this is censorship and true evil and how Apple kills a kitten every time someone jailbreaks an iPhone.
These "remote removal" schemes seem to come with a "sole discretion" clause. Not, say, "after confirmation by the US Computer Emergency Response Team".
But then part of the allure of the Android Market is that it's open; you don't have to play by Google's rules, per se, to get on there like you do with Apple's App Store.
This might be true with respect to application developers but not hardware manufacturers such as Archos. To remain cost-competitive with iPod touch, Archos devices are missing various input and output components not needed in a portable media player, such as a cellular radio, compass, and GPS. However, because certain versions of Google's Android Compatibility Definition Document (CDD) list these components as requirements, Archos hasn't been able to include the Android Market application with the devices. To access the Market (and not the AppsLib that has a far smaller selection), one needs hacks that Google could cease-and-desist, just like it cease-and-desisted CyanogenMod for including Google applications.
how many iPhone apps leak the IMEI??
How the hell did you get to +5 insightful by implying that we can't tell the difference between preventing people from doing what they want with a device, and preventing developers from taking advantage of users?
Seriously, this is like implying that when we say "Good job" about putting spammers behind bars, you're surprised we weren't defending their freedom of speech. I know it's tempting to think in soundbites, but this isn't hard.
Don't thank God, thank a doctor!
Angry Birds, for example, collects a heck of a lot of personal information on the iPhone. Why? Because the user isn't warned about it. Their Android application has so far been much cleaner, mostly because Android asks the user to give the app permission to access certain data.
Link: http://www.observer.com/2010/media/angry-birds-and-other-must-have-apps-collect-more-personal-data-you-think
I was stupid enough myself to buy a Sony-Ericsson Android device only for them to basically drop it a month later, so presumably it will always be vulnerable to the holes used by this round of malware?
so there's agreement that some 'plug-pulling' is in order, & we need more than just #1, of almost every product?
a few things we probably can live without as the 'hard times' set in;
any billionaires at all, same with weapons, hired goons etc...
kings
fake money pyramid schemes (failing stock markup, usery style 'banking' etc...)
people that make that stuff controlling our communications & much more
pretending we're all gooey whilst arming & consorting with life0cidals to control populations/real estate/genetics/belief systems etc..
there's more.
btw; robbIE (/.), serge (goo$goo), say they're not involved in anything. we accuse them of censorship & pandering.
This is the difference between free and proprietary software: Apple's software is proprietary—you have no way to restrict Apple from using their power to "kill" (their term) applications on your computer. If Android is free software—software which respects your freedom to control your computer—it's up to you to make things better by hacking software or getting more knowledgeable people involved. Free software lets you choose to remove the code that grants Google app-killing power (or have someone remove app-killing code on your behalf) leaving you free to independently determine what programs to run no matter who calls those programs "malware". After all, if it's your computer you should determine what you want running on that computer. Given this understanding, I don't see the hypocrisy. I also don't see the problem in jailbreaking an iPhone other than doing business with Apple in the first place (one should not reward one's "jailer").
Digital Citizen
You don't have to follow Google's rules exactly. But you do need to follow the law somewhat.
Win for everyone except the malware authors. Screw those guys.
Would they be known as the 'Moogle Team', or am I going to get sued by Square Enix for copyright theft by using that name?
Today on Slashdot, I'm going to pretend to be an outraged geek, disgusted by Google's outrageous and despicable behavior, and now finally seeing just how good and pure is Microsoft.
Boooo, Google! Hooray, Microsoft!
What would be nice, is even if the market place is left open, there would be an option to pay Google to certify your application. The idea being that people can then choose between "certified" apps or uncertified ones. This would help give users some sort of reassurance, but still leave the choice option open.
As to the kill switch, does Google print a list of applications to which it was applied?
Jumpstart the tartan drive.
Apple has a walled garden.
These applications had root-level access to all phones that were not patched with the latest version of Android (which given the state of Android updates left a couple hundred Nexus One/S owners safe while everyone else was left in the cold).
What's to stop malware with root-level permissions from disabling the kill switch next time?
Google needs to get the Android update situation under control. It's an absolute mess right now.
One of the things I noticed was "and contacting law enforcement about the attacks". I think that could be a pretty good standard to follow for using a remote-deactivation capability, to prevent it from being abused. "If it's serious enough to use a kill switch, it's serious enough that someone will be filing a lawsuit, and we're sure enough of it that we're reporting it to police (under threat of perjury)."
This is probably the best compromise. Obviously, some people would prefer no kill switch at all, while others would like the kill switch to be used on practically anything they don't like. If "serious enough and sure enough to sue" is the standard being used, it won't affect free speech (since, if you would be sued over it already, we've already lost that battle), and it makes accidents much less likely. Now, requiring that lawsuit to be won would make it even safer, but you run into the problem of it continuing to do damage for the years it takes to finally settle the suit.
Overall, I would like to see that standard officially written and adopted, even if it isn't made legally binding. It would make me feel a lot better about the existence of a kill switch, knowing that it will only be used in truly serious cases.
If smartphones were only owned/used by tech savvy people like most of us commenting/reading here, then their hands off approach to the Android Marketplace wouldn't be such a big deal, but that's not the case. Google and the carriers are marketing Android as an OS not just for the nerds but for everyone, because of that I think Google bears responsibility for what happened. Their hands off policy in the Android Marketplace put users at significant risk for this malware in the first place, and does nothing to prevent it from happening again. Openness has its advantages, but those advantages are primarily useful to a select few. MOST users want a smartphone that is easy to use and lets them do things like browse the internet, check e-mail, consume media and play some games. MOST users are not tech savvy, and therefore MOST users aren't even going to know what to look for to try and avoid malware like this. What's worse is that MOST users think Google is a trustworthy company so they will assume that the official Android Marketplace that ships on their phones and is provided by Google is a safe place to obtain apps. As we have found out recently, that is far from the truth. Google's free-for-all marketplace approach is harmful to average users. I'm not saying that the answer is to lock down Android to the same extent that Apple and Microsoft have done, but the totally open Android Marketplace should be an alternative, not the primary source. As the provider of the experience Google needs to set up a trusted marketplace where they put more scrutiny and oversight into apps and make THAT the default experience for the user. From within that marketplace Google could offer access to the untamed wilds that currently exist today, but MOST users wouldn't need to venture into that space, and would therefore be at far less risk than they are now.
And the reason for Apple's 'Walled Garden' helps prevent malware from reaching the app store to begin with.
It stops all that nasty malware from the App Store! Hear hear!
Instead, they let it in through the front door via a glaring remote web based security hole in the core system.
http://mashable.com/2010/08/02/ios-4-jailbreakme/
Device manufacturers have to meet the minimum spec to have market access.
But if Google doesn't set a minimum spec that's realistic for a PDA, then Google is handing the PDA market to Apple with its iPod touch. Microsoft had already left the PDA platform market after discontinuing Windows Mobile Classic (formerly Pocket PC) in favor of Windows Phone 7.
Google:
Within minutes of becoming aware, we identified and removed the malicious applications.
But from the comments in the blog post, we can read that:
This is where the problem is. You became aware because someone had a contact inside Google who alerted the right people.
According to one of the developers of the hijacked applications, he had tried for almost a week to get in contact with someone through the normal channels to correct the situation.
I am sorry if I sound harsh, but Google are a master of data processing, and surely you should be able to pick up a distress call from a developer within hours instead of a week.
Bram Stolk http://stolk.org/tlctc/
Only the devices with the malware are having code pushed. The don't need it, which is how you can clearly see that they are not patching their own code, only removing the malware. To prevent this from even occurring next time they might have to change their vetting systems, and that might have a follow on effect on the code, but the security issue exists at a higher level.
Of course if it's in the terms-and-conditions of connecting to the provider, that's something different. But otherwise ... heck, if I want to doodle on my copy of 'The Brief history of time', that's my affair. Not the publishers, or Hawk's.
"The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
Welcome to the brave new world, where devices you bought don't belong to you anymore. Amazon remotely deletes bought books, Sony sues hackers for modifying their own PS3s, Microsoft threatens to sue everyone who tries to use their Kinect with unapproved means, and now Google remotely deletes applications and installs new ones.
Is that the future of computing?
http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
Only the IMEI/IMSI!? You know only the things that uniquely identify YOUR phone among millions, and two pieces of information that are required to clone a phone or SIM.
The attackers only got those, they weren't able to get anything important like Facebook logins or anything...
As if we were all waiting on them to do this? You do understand a) this is the second time they've done this and b) all previous malware "threats" were theoretical attacks and demonstration apps -- not "in the wild" maliciously-intended exploits? The last time they did it was to remove an app created by a security researcher that could theoretically do all sorts of malicious things just to see if people would install it despite the warnings.
Where does "finally" figure into this -- except by way of yellow journalism?
Then why has Google required GPS even to be able to download applications that do not use the GPS, a compass even to be able to download applications that do not use a compass, telephony even to be able to download applications that do not use telephony, etc.? Can you recommend a product that A. runs Android, B. costs $200 to $300 like an iPod touch without a telephone service commitment, C. meets the min specs for access to the platform's largest app market, and D. is sold in the United States, which is my home country and Slashdot's? Unlocked phones tended to fail B last time I checked, Archos 43 fails C, and Samsung Galaxy Player failed D last time I checked.
If Archos want official access to the android market, they have to add in the camera, GPS etc like Samsung have done.
Is it possible to add such components and still come in close to the $249 price point?
And there is no PDA market. There's a phone market, and a market for PMP style multi media devices.
Then please allow me to rephrase: If Google doesn't set a minimum spec that's realistic for a PMP-that-runs-apps, then Google is handing the PMP-that-runs-apps market to Apple with its iPod touch.
http://www.binplay.com/2011/03/can-slashdotters-get-over-windows-geeks.html
Is there a list of apps that were removed?
I believe it was Douglas Adams who explained how careless talk costs lives.
A compromise is not necessary. At least not for situations like this one.
Consider something more like SSL's certificate revocation list. I know little about Android, but assuming it uses a software management system similar to Debian's dpkg, each software installation has a signature. For each repository (app store) the device uses, it would subscribe to an application revocation list. When an application is listed for removal the device could CHOOSE to remove the app OR NOT. I'm emphasizing choice, because the power to remove an application is transferred from the content provider to the device owner. The remote control stuff just bothers me, regardless of the controller's motives.
More thoughts. You could have more information in the ARL (application revocation list) including severity and a detailed message which explains the problem. This would allow the user to understand why the app is to be removed and to be made aware of what negative effects the malware may have imposed.
I imagine the reason for remote wipe is not so much to stop malware, but more likely for removing functionality against the user's will as Amazon has done with some of its e-books on the Kindle. I say this because a kill-switch implementation would surely be far more complex to implement than what I've proposed and I can't be the first to think of this simple solution to the potential malware problem.
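The application revocation list proposed in the comments above, sketched as an added example that is not part of the original thread and is not Android's or Google's code: the device authenticates a per-repository list, matches installed packages by digest, shows severity and message, and removes only what the owner chooses. The package names, list format and key are constructed for illustration, and HMAC stands in for a store's public-key signature.

```python
import hashlib, hmac, json

# Constructed demo key. HMAC stands in for the store's public-key signature
# so that the example runs on the standard library alone.
STORE_KEY = b"constructed-demo-key"

def digest(blob):
    return hashlib.sha256(blob).hexdigest()

def sign_arl(entries, key=STORE_KEY):
    """Store side: serialise the list and attach a MAC over the exact bytes."""
    body = json.dumps(entries, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

def load_arl(signed, key=STORE_KEY):
    """Device side: refuse a list whose MAC does not verify."""
    expected = hmac.new(key, signed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        raise ValueError("revocation list failed authentication")
    return json.loads(signed["body"])

def advisories(installed, arl, repo):
    """Match by (repo, package, digest); report only, remove nothing."""
    revoked = {(e["package"], e["sha256"]): e for e in arl if e["repo"] == repo}
    hits = []
    for pkg in installed:
        entry = revoked.get((pkg["package"], pkg["sha256"]))
        if entry and pkg["repo"] == repo:
            hits.append({"package": pkg["package"],
                         "severity": entry["severity"],
                         "message": entry["message"]})
    return sorted(hits, key=lambda h: h["severity"], reverse=True)

def apply_choices(installed, hits, choices):
    """Only packages the owner explicitly answered 'remove' are dropped."""
    drop = {h["package"] for h in hits if choices.get(h["package"]) == "remove"}
    return [p for p in installed if p["package"] not in drop]

# Constructed sample data: package names and contents are invented.
INSTALLED = [
    {"repo": "market", "package": "com.example.game", "sha256": digest(b"game v1")},
    {"repo": "market", "package": "com.example.notes", "sha256": digest(b"notes v2")},
]
SIGNED_ARL = sign_arl([
    {"repo": "market", "package": "com.example.game", "sha256": digest(b"game v1"),
     "severity": 3, "message": "Sends device identifiers to a third party."},
    {"repo": "market", "package": "com.example.notes", "sha256": digest(b"notes v1"),
     "severity": 1, "message": "Older build only; v2 is not affected."},
])

if __name__ == "__main__":
    hits = advisories(INSTALLED, load_arl(SIGNED_ARL), "market")
    for h in hits:
        print(f"[severity {h['severity']}] {h['package']}: {h['message']}")
    print(apply_choices(INSTALLED, hits, {"com.example.game": "keep"}))
```

Matching on the digest rather than the name alone means a fixed build of a listed package is not flagged, and a list that fails authentication is rejected before any entry is read.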
Just think for one moment about our good friend, average joe phone user. He doesn't know much about computers, he just bought a phone where he can also play a game or two while on the bus, plus a whole load of good things he doesn't know about just yet.
For all the goodness of doing things the open way, that guy would benefit way more from having an approval process for apps. It would ensure that blatant attempts such as this don't get through, thus removing the problem before it actually hits the user, not reacting to it after whatever damage is done. The question shouldn't be about whether such a process is needed, but who sets the criteria for approval. THAT would be a way to differentiate from all the Apple "badness". Skipping the entire process is basically asking users to trust all devs to play nice.
Finally !!! I have been looking forward to this. I agree healy, it was IMEI and IMSI numbers attackers would have gathered.
Does anyone know how this would affect Android devices such as Archos tablets (specifically the 32 model)? I have the gapps4Archos hack and have account info on things like Gmail, Maps, etc.
Also, as someone noted above, did Google publish a list of the apps removed?
A) LOL, assuming that you are correct, you ignore the rest of the article: "it's harvesting—and delivering—much more. Your contacts, city, latitude and longitude, phone ID and username and password are all collected and sent to third parties."
So delete location: "Your contacts, city, phone ID and username and password are all collected and sent to third parties."
Damn, diversion tactics by focusing on just one aspect. Just like the company in question. NICE. Next time, pay attention to the advertisements and see if they're targeted to where you are (especially if you go to a new location / city without using GPS) I wonder if the GPS location icon shows if it's using wifi / wireless triangulation as it's instantaneous (it doesn't need to acquire a lock).
B) Did you notice that if you DO use the GPS for any reason, it's sent back home? Google maps? Sent to Google and the mothership. Facebook Places? Google + mothership. So even if APL has *NOTHING* to do with the app, you're still sending it. It's awesome since: 1) You agreed to it. I challenge you to find where you did. 2) Try finding the opt-out without searching for articles that mention this (as you wouldn't know about this if I didn't tell you / stumble into the articles that say so)