Slashdot Mirror
'Fee-Deduction' Malware On Android Spotted In the Wild
wiredmikey writes "New malware has been discovered embedded in more than 20 Android applications circulating via various forums on the Internet which auto-dials phone numbers to incur high user fees. Dubbed BaseBridge, the malware can be embedded in legitimate applications, and during the application's installation, the malware prompts the user to upgrade. If the user chooses to upgrade, the malware is installed on the Android device under the name 'com.android.battery'. Then, another prompt would pop up to ask the user to restart the app to run it, and the malware is formally activated upon restart. Once activated, the malware can activate three malicious services — AdSmsService, BridgeProvider and PhoneService, to communicate with a control server, from which it will download a configuration file to read related information and dial calls or send out SMS messages, incurring fees for users."
Android is secured by default by disallowing the use of Unknown Sources. If you attempt to enable Unknown Sources for applications it will warn you about risking security. In addition you must know what you're doing to install the Unknown Source APK by either: using 'adb install', or downloading the APK to your SD card and use a file manager application to install it. So yes, Android is just as secure as iOS by default.
A user with root explicitly installing a program IS NOT A HOLE.
Good-bye
I am not sure 100% that this is the answer but I think it is high time that we use digital signatures to verify the authenticity of the code. In the open source community this is done all of the time with utilities like GNUPG. Just simply use the author's public key to verify the authenticity of the code. If there is a discrepancy, then there should be a provision to discard the downloaded app. That should, at least, put a severe curb on wrapping malware in legitimate applications.