Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Finally Uses Remote Kill Switch On Malware

Posted by timothy on from the you're-going-to-feel-a-little-zapping dept.

Hugh Pickens writes writes "The Google Mobile Team has announced that in addition to removing the 21 malicious applications from Android Market that were downloaded 50,000 times, suspending the associated developer accounts, and contacting law enforcement about the attacks, they are remotely removing the malicious applications from affected devices. 'We are pushing an Android Market security update to all affected devices that undoes the exploits to prevent the attacker(s) from accessing any more information from affected devices,' wrote the team on their blog. 'For affected devices, we believe that the only information the attacker(s) were able to gather was device-specific (IMEI/IMSI, unique codes which are used to identify mobile devices, and the version of Android running on your device).' Google's actions come after numerous complaints in tech publications. "Does Google really want its Android Market to gain the reputation of being a cesspool of malware? 'Certainly not,' wrote Nicholas Deleon in TechCrunch. 'But then part of the allure of the Android Market is that it's open; you don't have to play by Google's rules, per se, to get on there like you do with Apple's App Store.'"

47 of 177 comments (clear)

  1. GJ GOOGLE by Soilworker · · Score: 3, Informative

    Good job again google. That's why you're on top.

    1. Re:GJ GOOGLE by whitehaint · · Score: 3, Insightful

      Well considering that Google fixed something a 3rd party created and that Microsoft is the creator of the problem in it's systems I fail to see the correlation.

    2. Re:GJ GOOGLE by tomhudson · · Score: 5, Funny

      The next time Microsoft releases a patch for a security vulnerability I would like to see this sentiment repeated.

      Okay, next patch Tuesday, someone please make Haven happy and post a "Good job again google. That's why you're on top." post.

    3. Re:GJ GOOGLE by artor3 · · Score: 2

      "We are pushing an Android Market security update to all affected devices that undoes the exploits to prevent the attacker(s) from accessing any more information from affected devices" sounds an awful lot like Google is patching their own code.

    4. Re:GJ GOOGLE by Rosyna · · Score: 3, Interesting

      Good job again google. That's why you're on top.

      So it's a good thing that Google can, has, and will continue to remote remove (remote kill) applications downloaded onto phones.

      Apple has removed apps from their store, but never from the phone itself once the app has been downloaded.

    5. Re:GJ GOOGLE by Flytrap · · Score: 3, Interesting

      FTA: "The applications took advantage of known vulnerabilities which don’t affect Android versions 2.2.2 or higher..."

      So if a malware writer takes advantage of a vulnerability in an old or unpatched instance of Windows its Microsoft's fault... but if they take advantage of an exploit in Android its not Google's fault.

      This logic does not compute.

    6. Re:GJ GOOGLE by Deathlizard · · Score: 4, Interesting

      Except that it's unlikely that this will totally clean the problem.

      This Exploit Rooted phones. That means Google lost control of the phone the second the user installed and run the malicious app. They could remove all of the malicious apps all day long but all that does is remove the Trojan Horse that dropped the rootkit.

      As for the removal tool Google is planning to send. If the virus programmers have any sort of brain the first thing they're going to do is block the removal tool from removing the rootkit by sending a patch to the rootkit. It wouldn't surprise me if the rootkit doesn't phone home soon and download something to either spoof that the rootkit was removed or block the rootkit remover altogether and disable apps (either from Google or a third party) designed to remove the exploit. Google giving them a heads up through the blog post that they got 72 hours to code such a patch just made the virus writers job even easier.

      Now I'm not saying that Google is handling this totally incorrectly. If I was Google, I would have taken many of the steps that they are currently doing, except I would not publicly lay out the plan until after it was executed. I know it would give Google Bad PR by sending apps without user knowledge, but it would have minimized a counterattack time frame from the virus writers and would have been the safer option overall. I just hope that Google has another strategy if this one fails, such as carrier involvement to recover and possibly disable remaining infected phones until it can be cleaned by a carrier tech.

      --
      In Soviet Russia, Trojan exploits YOU!
    7. Re:GJ GOOGLE by rainmouse · · Score: 4, Insightful

      Well considering that Google fixed something a 3rd party created and that Microsoft is the creator of the problem in it's systems I fail to see the correlation.

      To be fair if Microsoft started remotely removing software from your computer that they deemed a threat there would be a considerable backlash.

  2. 260,000 infected Android devices by Anonymous Coward · · Score: 5, Informative

    Correction: The malware was downloaded 260,000 times, not 50,000 as initially reported. source

    1. Re:260,000 infected Android devices by HLJ76 · · Score: 4, Informative

      Also the summary notes only device information was potentially stolen, but fails to note that the malware was able to download more code that could do just about anything with the device. Can the market patch remove that code from the device, or will it only remove the downloaded apps leaving all post-downloaded code there to do whatever it wants to do?

  3. Slashdot hypocrites.. by Anonymous Coward · · Score: 4, Insightful

    If I was to s/Apple/Google/ people would be declaring how this is censorship and true evil and how Apple kills a kitten every time someone jailbreaks an iPhone.

    1. Re:Slashdot hypocrites.. by phantomfive · · Score: 4, Insightful

      Maybe, or maybe Apple not letting me put things I want on my phone IS annoying, but what Google is doing here is not. There really is a difference between purging malware (which no one wants) and purging stuff people do want. Really.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Slashdot hypocrites.. by rjstanford · · Score: 4, Insightful

      Not quite. You did choose to install it. It just does something that Google (or Microsoft or whoever) feels that you probably don't want it to do. Or at least, it's doing something that they don't want it to do. So they delete it.

      All good, right? Well, as long as you trust their opinion of what software should do more than your own. Which is a point always brought up by Android fans to stomp on the Apple store. Except when google does it because... um... they said they wouldn't? And that's...better?

      --
      You're special forces then? That's great! I just love your olympics!
    3. Re:Slashdot hypocrites.. by shentino · · Score: 2

      First of all, it would be Apple doing the actual killing. Apple is not a force of nature that is immune to moral codes, or the law for that matter.

      Second, participation in the android app store is optional.

    4. Re:Slashdot hypocrites.. by rjstanford · · Score: 2

      It's a bit more clear-cut than that. The applications are advertised as doing something. They also happen to exploit a vulnerability in the OS, in a way that can't possibly have to do with advertised functionality. There is very little chance that users installed the software for these "extra features," especially because they have just about no way of even knowing they exist.

      So why not patch the vulnerability instead of removing the software that's currently using it?

      Look, I'm not trying to stand up for malware, just pointing out that in each case its the OS/appstore vendor making a determination that you, the user, don't actually want the application that you, the user, installed. The difference is that one vendor has been very up-front about telling the userbase that they're going to do this, and the other one has had some of its fanatical userbase choose it because they'd never do such a thing.

      And sure, this example is an easy one to choose - of course they're doing the "right thing." What if the next one is less clear-cut, and less well conveyed? The precedent has been set, after all.

      --
      You're special forces then? That's great! I just love your olympics!
  4. Re:Way to go! by Anonymous Coward · · Score: 5, Insightful

    And the reason for Apple's 'Walled Garden' helps prevent malware for reaching the app store to begin with.

  5. More overreaching "sole discretion" terms. by Animats · · Score: 2

    These "remote removal" schemes seem to come with a "sole discretion" clause. Not, say, "after confirmation by the US Computer Emergency Response Team".

    1. Re:More overreaching "sole discretion" terms. by fermion · · Score: 2
      I think it would be much better to have a blacklist of known infected apps. The phone can check against this lis, and, just like other malware detectors, note that it is dangerous, and why, and then prompt the user for removal.

      Of course no one, not even the OHC, believes the user owns the mobile device and as such should have complete control over what happens on it. So, as expected, Google does as it pleases when it pleases, even when here is a genter and equally effective alternative.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  6. Openness and Archos by tepples · · Score: 5, Informative
    Quoth Nicholas Deleon in TechCrunch:

    But then part of the allure of the Android Market is that it's open; you don't have to play by Google's rules, per se, to get on there like you do with Apple's App Store.

    This might be true with respect to application developers but not hardware manufacturers such as Archos. To remain cost-competitive with iPod touch, Archos devices are missing various input and output components not needed in a portable media player, such as a cellular radio, compass, and GPS. However, because certain versions of Google's Android Compatibility Definition Document (CDD) list these components as requirements, Archos hasn't been able to include the Android Market application with the devices. To access the Market (and not the AppsLib that has a far smaller selection), one needs hacks that Google could cease-and-desist, just like it cease-and-desisted CyanogenMod for including Google applications.

    1. Re:Openness and Archos by teh31337one · · Score: 3, Informative

      Oh come on. The google apps are their own proprietary apps, and manufacturers pay to have them - that's why CM couldn't include them. Market place is controlled by Google, and they can remove malicious applications if needed. Device manufacturers have to meet the minimum spec to have market access.

    2. Re:Openness and Archos by jscotta44 · · Score: 2

      And your point is? I know what the minimum specs are. However, isn't point of open systems that I can put up whatever I want –including hardware and software? Who is Google to be telling anyone that there system on the open market doesn't meet minimum specs? Who died and made them Apple to make such decisions?

    3. Re:Openness and Archos by tepples · · Score: 2

      Use a different marketplace, download .apk's directly from the net

      So how do I convince my bank to offer its check deposit application in AppsLib or offer bare .apk's so that I can deposit checks with my Archos 43's camera?

    4. Re:Openness and Archos by Trufagus · · Score: 2

      This connection between 'openness' and Google messing up and letting a virus get through is a bunch of crap.

      You can have an App Store that is 'open' but still blocks all virus and malware, and that is what Google is attempting to do - they just blew it this time.

      Open can have many meaning, but in this case it includes stuff like allowing free competition - not blocking apps just because they go against the interests of the platform's sponsor or their buddies.

      It does NOT mean that every single app posted to the store gets published. It never has. I'm a bit baffled that so many in the media are pretending that this is what 'open' means but can only guess that they are desperately looking for a way to defend their 'closed' app store.

    5. Re:Openness and Archos by tlhIngan · · Score: 2

      Use a different marketplace, download .apk's directly from the net

      Have you ever tried it? Very, very, very few apk's are actually available outside the marketplace. And alternative marketplaces are just as dismal. I've tried GetJar, SlideMe and APKtor. You'd be hard-pressed to find any that have more than around 10,000 apps. Especially places like GetJar and SlideMe.

      Face it, the only way to get apps outside the Marketplace is ... pirating via BitTorrent. Most devs only stick with the official Google Marketplace because it's easy.

      And this whole "alternative marketplace" thing doesn't work when you don't know if the one you're using is legit. Ever hear of the Android botnets being spread in China? Mostly because of alternative marketplaces? "Stick to the official marketplace" only works when you can get it. I'm sure in China there's probably many phones running AOSP.

      So, either Google Marketplace, piracy, or questionable marketplaces.

      And no, you can't download APK's from Google Marketplace yourself. You have to use your phone, then use a file manager to copy it to your PC. And root if you want to copy "protected" apps.

  7. Re:Way to go! by Haven · · Score: 2

    What does this even mean? Apple wouldn't use their total control over their devices to remove malware from them? Of course they would, and they should!

  8. Re:Way to go! by Anonymous Coward · · Score: 4, Insightful

    And the reason for Apple's 'Walled Garden' helps prevent malware for reaching the app store to begin with.

    it didnt stop that flashlight app which doubled as a tethering tool - explicitly against apples rules at the time from getting approved, why would it stop malware?

  9. Really? by SanityInAnarchy · · Score: 4, Insightful

    How the hell did you get to +5 insightful by implying that we can't tell the difference between preventing people from doing what they want with a device, and preventing developers from taking advantage of users?

    Seriously, this is like implying that when we say "Good job" about putting spammers behind bars, you're surprised we weren't defending their freedom of speech. I know it's tempting to think in soundbites, but this isn't hard.

    --
    Don't thank God, thank a doctor!
  10. Android is safer than iPhone.. by WarwickRyan · · Score: 5, Insightful

    Angy Birds, for example, collects a heck of a lot of personal information on the iPhone. Why? Because the user isn't warned about it. Their Android application has so far been much cleaner, mostly because Android asks the user to give the app permission to access certain data.

    Link: http://www.observer.com/2010/media/angry-birds-and-other-must-have-apps-collect-more-personal-data-you-think

    1. Re:Android is safer than iPhone.. by Ender_Wiggin · · Score: 5, Informative

      Actually Apple DOES warn you, via the GPS icon in the top menu bar. In Settings, you can disable Location services for any specific app and see if it's accessed your location in the last 24 hours.

    2. Re:Android is safer than iPhone.. by jscotta44 · · Score: 5, Funny

      Please stop using facts to correct Adroid fans. It really confuses them.

  11. Android security by Anonymous Coward · · Score: 4, Interesting
    Is this the way Android security will be handled (after-the-fact cleanup via the marketplace)? It just seems to me that since the manufacturers don't seem to be too keen on supporting their handsets for longer than it takes them to get the next model out the door, and since the service providers like to sit on updates or block them altogether the actual vulnerabilities are unlikely to be fixed.

    I was stupid enough myself to buy a Sony-Ericsson Android device only for them to basically drop it a month later, so presumably it will always be vulnerable to the holes used by this round of malware?

  12. Re:Way to go! by Anonymous Coward · · Score: 2, Insightful

    The reason for Apple's 'Walled Garden' has little to do with security, and Everything to do with control.

  13. Re:Way to go! by Bert64 · · Score: 2

    And they didn't catch the tethering app, what makes you think they would catch malware?
    Malware could simply do something mundane until after Apple have done their tests, and then activate its malicious functions later down the line when lots of users have it installed.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  14. Certification by Midnight+Thunder · · Score: 2

    What would be nice, is even if the market place is left open, there would be an option to pay Google to certify your application. The idea being that people can then choose between "certified" apps or uncertified ones. This would help give users some sort of reassurance, but still leave the choice option open.

    As to the kill switch, does Google print a list of applications to which it was applied?

    --
    Jumpstart the tartan drive.
  15. Seems like a good standard by gman003 · · Score: 4, Insightful

    One of the things I noticed was "and contacting law enforcement about the attacks". I think that could be a pretty good standard to follow for using a remote-deactivation capability, to prevent it from being abused. "If it's serious enough to use a kill switch, it's serious enough that someone will be filing a lawsuit, and we're sure enough of it that we're reporting it to police (under threat of perjury)."

    This is probably the best compromise. Obviously, some people would prefer no kill switch at all, while others would like the kill switch to be used on practically anything they don't like. If "serious enough and sure enough to sue" is the standard being used, it won't affect free speech (since, if you would be sued over it already, we've already lost that battle), and it makes accidents much less likely. Now, requiring that lawsuit to be won would make it even safer, but you run into the problem of it continuing to do damage for the years it takes to finally settle the suit.

    Overall, I would like to see that standard officially written and adopted, even if it isn't made legally binding. It would make me feel a lot better about the existence of a kill switch, knowing that it will only be used in truly serious cases.

  16. Re:Way to go! by DavidinAla · · Score: 4, Insightful

    The fact that Apple's approval process isn't PERFECT at stopping everything doesn't mean that Google's policy of stopping NOTHING until a quarter of a million people have already downloaded the malware is a good idea.

  17. Google's responsibility by krizoitz · · Score: 3

    If smartphones were only owned/used by tech savvy people like most of us commenting/reading here, then their hands off approach to the Android Marketplace wouldn't be such a big deal, but thats not the case. Google and the carriers are marketing Android as an OS not just for the nerds but for everyone, because of that I think Google bears responsibility for what happened. Their hands off policy in the Android Marketplace pu users at significant risk for this malware in the first place, and does nothing to prevent it from happening again. Openness has its advantages, but those advantages are primarily useful to a select few. MOST users want a smartphone that is easy to use and lets them do things like browse the internet, check e-mail, consume media and play some games. MOST users are not tech savvy, and therefore MOST users aren't even going to know what to look for to try and avoid malware like this. Whats worse is that MOST users think Google is a trustworthy company so they will assume that the official Android Marketplace that ships on their phones and is provided by Google is a safe place to obtain apps. As we have found out recently, that is far from the truth. Google's free-for-all marketplace approach is harmful to average users. I'm not saying that the answer is to lock down Android to he same extent that Apple and Microsoft have done, but the totally open Android Marketplace should be an alternative, not the primary source. As the provider of the experience Google needs to set up a trusted marketplace where they put more scrutiny and oversight into apps and make THAT the default experience for the user. From within that marketplace Google could offer access to the untamed wilds that currently exist today, but MOST users wouldn't need to venture into that space, and would therefore be at far less risk than they are now.

  18. within minutes? by Bram+Stolk · · Score: 5, Interesting

    Google:
    Within minutes of becoming aware, we identified and removed the malicious applications.

    But from the comments in the blog post, we can read that:
    This is where the problem is. You became aware because someone had a contact inside Google who alerted to right people.
    According to one of the developers of the hijacked applications, he had tried for almost a week to get in contact with someone through the normal channels to correct the situation.
    I am sorry if I sounds harsh, but Google are a master of data processing, and surely you should be able to pick up a distress call from a developer within hours instead of a week.

    --
    Bram Stolk http://stolk.org/tlctc/
    1. Re:within minutes? by Tacvek · · Score: 4, Insightful

      Google's biggest weakness is that they have virtually no support channels. They have a small number of email addresses/forms that can be used for that sort of thing, but the huge number of messages they get means those have huge backlogs. They have Groups for some topics, but my understanding is that many have nobody who is tasked with reading them, so messages only get read sporadically. (Like Dianne Hackborn is known to respond to messages on the Android Groups, but she is busy enough with Android development that she probably does not manage to read all or even most of he messages posted.)

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
  19. Re:Way to go! by thetoadwarrior · · Score: 4, Interesting

    Well yes you're right. Control is needed to try and attempt to keep quality high both in content and coding and to help keep security high.

    Mobiles are different from desktops and I think resorting to virus scanning on mobiles would be awful. While Apple's approach is by no means perfect it is actually looking like the best solution. I just don't bother with the app market for my Android. There is a lot of shit in the market to sift through and while being concerned with how many apps ask for all sorts of permissions we're now finding out that actually a lot of bad stuff is getting through and not being found straight away.

    I do think my next phone will be an iPhone. The games are definitely better and until Google proves to at least be more proactive on filtering out the rubbish then I just can't trust the apps and what is the point of a smart phone without apps?

    If Google can tell me what the app needs access too then surely there is some way they could come up with a system that flags apps ask having questionable requirements and requiring someone at Google to personally review it before it makes it onto the market.

    When you want people to tie all their personal information and even payment methods (ie Google Checkout) to a device it needs to have some sort of security. It is not good enough to kill it after it's been downloaded a quater of a million times. Alternatively they can come up with some sort of mobile virus / malware scanner and risk complaints about battery life and performance.

  20. Did they ask first? by Kittenman · · Score: 2
    Just wondering ... if Google remotely trashed people's appns without checking, then what we have here is not ownership of the phone, but a licence-to-use. It's up to people to do what they want with the phones, surely... even if they want to download "malware" (purposefully in quotes).

    Of course if it's in the terms-and-conditions of connecting to the provider, that's something different. But otherwise ... heck, if I want to doodle on my copy of 'The Brief history of time', that's my affair. Not the publishers, or Hawk's.

    --
    "The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
  21. Re:Way to go! by CheerfulMacFanboy · · Score: 4, Insightful

    Because we know that Google has the guts to be controversial and do this, while Apple probably wouldn't.

    So Apple got attacked when people heard the iPhone had a "kill switch" for apps - and then Google gets cheered on for actually using theirs on Android many times over - and then Apple gets attacked for not using theirs once?

    --
    Fandroids hate facts.
  22. Re:Way to go! by omglolbah · · Score: 2

    1. Add time trigger to make the app only access bad stuff after a certain date or have it fetch a trigger from some server...
    2. Turn over binary to apple.
    3. Get verified.
    4. flip switch
    5. ???
    6. Profit?

  23. Re:Way to go! by CheerfulMacFanboy · · Score: 2

    And the reason for Apple's 'Walled Garden' helps prevent malware for reaching the app store to begin with.

    it didnt stop that flashlight app which doubled as a tethering tool - explicitly against apples rules at the time from getting approved, why would it stop malware?

    Of course the real question is: if it isn't the walled garden, what else stops malware on iOS? And how can Android use that?

    --
    Fandroids hate facts.
  24. *Only* Information by healyp · · Score: 3, Insightful
    FTFS: "we believe that the only information the attacker(s) were able to gather was device-specific (IMEI/IMSI..."

    Only the IMEI/IMSI!? You know only the things that uniquely identify YOUR phone among millions, and two pieces of information that are necessary required to clone a phone or SIM.

    The attackers only got those, they weren't able to get anything important like facebook logins or anything...

  25. The min specs might be cost prohibitive by tepples · · Score: 3, Interesting

    Then why has Google required GPS even to be able to download applications that do not use the GPS, a compass even to be able to download applications that do not use a compass, telephony even to be able to download applications that do not use telephony, etc.? Can you recommend a product that A. runs Android, B. costs $200 to $300 like an iPod touch without a telephone service commitment, C. meets the min specs for access to the platform's largest app market, and D. is sold in the United States, which is my home country and Slashdot's? Unlocked phones tended to fail B last time I checked, Archos 43 fails C, and Samsung Galaxy Player failed D last time I checked.

  26. Re:Is Android free software? If so, no hypocrisy. by Keen+Anthony · · Score: 3, Interesting

    I bought my 16GB iphone for about $189 at my Apple Store. I renewed my 2-yr contract with Verizon and got an additional discount which I assume was for customer loyalty. Hopefully, you have an option like that available to you. I initially bought a Droid X full price. I don't think the iPhone is that much more expensive than full retail price I paid for my Droid.

    The one thing I do love about Android phones is that I can write my own app and put it onto my phone. I need only checkmark a setting that lets me load non-market apps at my own risk. I don't have that ability with iPhone. I'm still waiting to get listed as an iPhone dev, but once that happens I believe it will mean I can live test my own homegrown apps on iPhone after (at least if my reading of Apple's terms is correct).

    I believe we're giving undue credit to Android for being open. Android itself is open and free. But from what I've seen on the various HTC and Motorola Androids I've bought in the last year, each vendor's specific Android is not that open. Is Moto's Blur not proprietary? What about HTC's Sense UI? I've been told countless times to stop supporting Motorola because Motorola locks down their phones, thus taking away from that openness that is Android. Is it all a lie? People are telling me to buy HTC because they play well with modders.

    I wasn't able to install all I wanted on my Droid. I was told I needed to root the phone. I had to wait until someone found a way to, and then risk following the steps. So, if at the end of the day, I'm still forced to root rather than jailbreak, how exactly am I realizing the difference between free and proprietary software? I haven't jailbroken my iPhone yet. I likely won't until I decide I absolutely need to have a bluetooth file transfer (something iPhone lacks), but until I do, I can at least enjoy an app market that is better for my needs.