Slashdot Mirror
More Malware-Infected Apps Found In Android Market
Trailrunner7 writes "For the third time in the last few months, Google has had to remove a slew of malware-infected apps from the Android Market and suspend some publishers. Ten Android apps in the Official Android Market are known to be infected, but many more could be victims of the Plankton Trojan. Researcher Xuxian Jiang claims that early variants of the Trojan have evaded detection for as long as two months."
you post a list of the infected applications in the freakin summary, so when TFA gets slashdotted, we know what the hell they were?
I'm just saying...
Sooner or later Google will need to do some sort of Quality Control on their store, or they'll just keep making the Marketplace look even less trustworthy and push people to the Amazon store.
...but there's something to be said for iOS being a "closed" platform with a (mostly) strict approval process. There's a lot of controversy about apps getting blocked from the iTunes App Store, but so far there haven't been any significant outbreaks of malware/trojans like the Android platform has had. Caveat: I actively develop for both platforms, so I have no "stake" in either side. Just making a point about the open vs. closed issue in related to PII leakage risks. Let the flaming begin!
Did you send this from an Android phone? It appears that a trojan is stealing some of the words out of your sentences and sending them to a server somewhere.
Why do you not link to the original article?!
TFA says that this malware leaks a list of granted permissions and prompts the user to install a .jar in his/her device. If the user does install it, the device becomes a zombie.
What would the course of action be if your Android phone is infected? Keep in mind that smartphones are kind of the ideal botnet zombie for a DDoS attack since they are always on and, presumably, have access to the network.
I think it's time for a good Android antivirus/malware/spyware/thingware or for a tighter app publication process from Google.
Democracy: Crowdsourcing a country near you
You wouldn't install Schkype from Mr Hong on your PC and you should not do that on the phone either!
turns up Sophos' analysis of this "Plankton" malware.
The sample of the EULA associated with the malware app (yes, malware EULAs) lists "Angry Bird Cheater" by name, so there's one of the candidates. Also, quoting the article:
So, "Choopcheec" seems to be a common codeword for the apps. Whatever that is.
Welcome to the Panopticon. Used to be a prison, now it's your home.
In case you're wondering, that's "Author too stupid;didn't read"
When I saw that the author apparently didn't know the difference between 'affect' and 'effect' I gave up.
IMNSHO, If you can't get that right, you don't deserve to be read.
No, no, you're not thinking; you're just being logical. --Niels Bohr
This is valid grammar 2.0
if you really need a phone "smart" enough to catch malware.
they do still make phones that are just phones, ya know.. those fancy and expensive i-this and e-thats may look cool, but when your phone is working when everybody elses' is infected with something is way cooler.
Your comment is indicative of the kind of arrogance that makes people hate so many technically proficient people. Do you even realize how arrogant you are to call people "morons" because they don't happen to have the kind of technical understanding and knowledge that we have? I'm sorry, but it's YOUR ARROGANCE that marks you as the real moron. People have different skills and knowledge. Yours (and mine) happens to be in a technical field, among others, presumably. But you have areas where you don't know anything, too. Everybody does. Just because people don't value YOUR subject area above all others doesn't mean they're morons who are "dumb users." Just as a person who doesn't want to be an auto mechanic isn't a moron when he simply wants his car to work without him futzing with it. You really need to climb down from the high horse and realize that people aren't necessarily morons just because they don't know everything about IT that we know.
How will google solve this problem? Are they going to start evaluating and testing all apps before users can buy it? If the android app market is going to thrive in the long term, the issue has to be addressed. Google has to do a better job regardless of what other platforms do or don't do.
Ah, that's what the story is really about. I'm surprised it took them so many paragraphs to get to their real agenda.
localman57 has the solution. And who's to say that Google has to be the one doing the code reviewing? Why couldn't a group of Android developers get together and set up a reviewing panel that will certify apps as threat-free? Before I download an app, I can see if the reviewing panel lists it or not and have that one extra data point with which to make my decision. If the panel's work is done in a transparent manner, people would trust it and they would have a measure of safety without having to be walled inside.
You are welcome on my lawn.
Why couldn't a group of Android developers get together and set up a reviewing panel that will certify apps as threat-free? Before I download an app, I can see if the reviewing panel lists it or not and have that one extra data point with which to make my decision. If the panel's work is done in a transparent manner, people would trust it and they would have a measure of safety without having to be walled inside.
The only people that would protect are the people who don't need protection.
You are trying to solve the problem of how to make life easier for YOU, not the average user who would have no clue the panel existed and would not care if they did.
Any kind of "seal of approval" faces the same issue, that most people would not care and continue to run the other stuff anyway.
A better approach is Amazons, to make a market of wholly vetted apps where probably Amazon does more verification of who a publisher is. Then non-technical users can stick to that market.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I have a T-mobile MyTouch, and I can't access the page linked in the article, :)
twice it's just crashed my browser and taken me to the main screen.
It's the only link that has ever done it, me thinks it survival mode for
some application
The complaint is that its the only store you are allowed to use.
Well then there are no complaints to be had because the technical people that actually want alternate stores, can jailbreak and use Cydia.
Android people don't like to acknowledge this is possible because as you say that's the only argument they have.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
0) Do some research on your apps before installing
1) Stick to open source apps whenever possible
2) don't just click through like whack-a-mole when installing... read the perms!
Take the same precautions on your Android phone.
Join the Slashcott! Feb 10 thru Feb 17!
The Android Market in general is pretty broken because of the lack of even a rudimentary review process. The other day I was looking at the new releases in the Sports Games category and there were about 5 or 6 pirated ebooks of Harry Potter, the Twilight Series and several others. Needles to say, this is not only illegal, it's in the wrong category. This has been a problem in the market since its inception and Google still has yet to do anything about it. If they are unwilling to have someone at least look over the titles and categories that an app is placed in before allowing it on the market, in order to cut back on massive copyright and trademark violations and make browsing the store by category possible, why do we think they'll take any preemptive strike against malware? Google doesn't even give Android developers a convenient way to contact them. It seems to me that they wanted the Android Market to be a set it and forget it kinda thing. Will the negatively publicity form the malware for them to change that stance? I doubt it.
Understand this: Allowing untrusted or unsigned code to be sideloaded and executed
is the exact same thing as gaining physical access
is the exact same thing as gaining root
is the exact same thing as being hacked
is the exact same thing as being profitable to someone malicious
Did we learn nothing from the desktop era at all? Do you understand that allowing "a separate store" on a device BY DEFINITION means allowing untrusted code a runtime, which thoroughly guarantees that it can eventually break through to a higher privilege level and do whatever it wants on the entire device?
Even having a 100%-signed and verified environment like iOS doesn't protect you completely, since malicious input can still sail in over HTTP, kick Safari's teeth in, and start working its way down the stack. But while Apple gets to focus on that, the rest of the industry is... god, I don't even know the metaphor... Google is inviting sketchy friends to come party with each user and giving them VIP passes.
We all know that once you're infected, the only way to be sure that you're not rootkitted is to reinstall everything from scratch, right? Right? So what's the process to do that on a phone that might not even have a host PC to install from?
The security stakes are much higher on a smartphone, and yet this industry won't stop screaming bloody murder until shoddy VLC builds can be one-click installed from Hungarian FTP servers. Jesus. Sometimes I think we deserve this future we're building.
In case you're wondering, that's "Original poster is being an inconsiderate prick and should totally be ignored"
> People make typos. You do too. I'll bet you a 100 dollars, euro's or whatever currency you use on that. And with spelling correction these days valid words in a wrong context are even easier to miss...
Also, as an advance warning for possible future rants (and this may come as a shock. I suggest you find a nice and comfortable seat first before reading on):
[SPOILER]Not everyone on the internet is a native English speaker. The 'INTER-' part might be a subtle hint for that.[/SPOILER]
Google announced today that to avoid lawsuits from apple over the app store name and to better describe the products offered, they are changing the name to the "malware market". They were immediately sued by Microsoft who claim to have copyrighted malware infected operating systems.
Some drink at the fountain of knowledge. Others just gargle.
What we need is a firewall that keeps track of all of the communication by application and uploads stats into a server which aggregates/processes the data and looks for unusual activity.
Thousands of engineers labored for years to build the hardware and low-level software so that you can prance about writing your Ruby code or whatever the fuck you do that makes you think that you are some sort of tech genius. Those engineers put a lot of effort into making sure that you didn't have to be a semiconductor physics expert in order to use computers and that you weren't going to accidentally set the thing on fire with the wrong set of keystrokes. Compared to those engineers and relative to their turf, you are a moron.
There is value in abstraction. There are a hundred things that you rely on everyday that required some skilled profession to baby-proof and they were happy to do it, because that's what engineers do--and they don't look down their noses at those users as though they are some sort of inferior lifeform.
1. There are alternatives, you can buy an Android phone.
2. If IOS devices made it easy to use another store, then non-technical users would be at more risk. They would get an email that said, "Hey try out this fun app" which would take them to the non-curated store, they would blindly click-through all warnings from the OS and voila, you've got a mobile experience every bit as toxic and unusable as the Windows PC experience--and you've just destroyed Apple's value proposition and their $100B market cap.
What it really boils down to is that most of Apple's critics (a) don't care at all about non-technical users and (b) really want Apple to fail anyway so are happy to argue for Apple to adopt flexibility that would lead to financial disaster for them. Apple fundamentally disagrees on both points so you aren't going to sway them.
But you have other options, see #1.
Apple is actively hostile against jailbreaking (bricked device, anyone?)
Apple has NEVER bricked a jailbroken device.
WIth the VERY FIRST iPhone, a few iPhones had issues with unlock hacks (which is not the same as jail breaking) interacting poorly with firmware updates, because they had re-written parts of the firmware...
What GP wants is the ability to choose, and be left alone if he does jailbreak his iOS device.
Which is what you get from jailbreaking.
brave the Wild West without interference from King Jobs
Unlike you 90% of the populace does not wish to be gunned down in the streets, which is the world you would have them live in against their will - because you are against the CHOICE by users to live in that walled area if they they find it safer and more pleasant.
bootloader lockdowns by individual manufacturers notwithstanding
Such hypocrisy... astounding.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Remember that the first updates after the first jailbreaks would brick peoples' iPhones.
That was never the case, it was carrier unlocks only AND you could reset the phone (not actually bricked).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
So I should download the Krill anti-malware suite?
Should I be watching out for Baleen?
PEBMAC.
Does Jailbreaking void your warranty?
No. Is it illegal? No. Does it cause bad breath? No.
You Apple haters are as thick as the Great Wall Of China - looking down it the long way.
Oh? darn.
Darn is right, your only argument shattered like a cheap shot glass on dollar whisky night.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Are you a lawyer? How many license agreements have OK'd ? Car loan, Utilities, Mortgage, Employee agreement, Bank agreement, EULAs? How many lawyers have you called and had you explain each agreement? Oh and before calling the lawyer each time I'm sure you must have done due diligence to determine which lawyer was even capable of giving you advice. No? Then you deserve to get ripped off! Do you know the nutritional content of everything you put in your mouth? What if the label is incorrect or insufficient? Do you call a nutritionist before every bite? No? Well then you deserve to get sick ! Anyone who is an expert in his or her field can analyse your life and tell you how retarded you are. Though its obvious to most people that you're full of shit, it might be beneficial to you if you realize it too.
People should buy iPhones to protect themselves from themselves. Android is available if you don't want or need that protection.
The only thing we disagree about is that I think you are a dick for calling nontechnical iPhone users morons.