Slashdot Mirror
More Malware-Infected Apps Found In Android Market
Trailrunner7 writes "For the third time in the last few months, Google has had to remove a slew of malware-infected apps from the Android Market and suspend some publishers. Ten Android apps in the Official Android Market are known to be infected, but many more could be victims of the Plankton Trojan. Researcher Xuxian Jiang claims that early variants of the Trojan have evaded detection for as long as two months."
you post a list of the infected applications in the freakin summary, so when TFA gets slashdotted, we know what the hell they were?
I'm just saying...
Sooner or later Google will need to do some sort of Quality Control on their store, or they'll just keep making the Marketplace look even less trustworthy and push people to the Amazon store.
...but there's something to be said for iOS being a "closed" platform with a (mostly) strict approval process. There's a lot of controversy about apps getting blocked from the iTunes App Store, but so far there haven't been any significant outbreaks of malware/trojans like the Android platform has had. Caveat: I actively develop for both platforms, so I have no "stake" in either side. Just making a point about the open vs. closed issue in related to PII leakage risks. Let the flaming begin!
Did you send this from an Android phone? It appears that a trojan is stealing some of the words out of your sentences and sending them to a server somewhere.
Why do you not link to the original article?!
TFA says that this malware leaks a list of granted permissions and prompts the user to install a .jar in his/her device. If the user does install it, the device becomes a zombie.
What would the course of action be if your Android phone is infected? Keep in mind that smartphones are kind of the ideal botnet zombie for a DDoS attack since they are always on and, presumably, have access to the network.
I think it's time for a good Android antivirus/malware/spyware/thingware or for a tighter app publication process from Google.
Democracy: Crowdsourcing a country near you
You wouldn't install Schkype from Mr Hong on your PC and you should not do that on the phone either!
turns up Sophos' analysis of this "Plankton" malware.
The sample of the EULA associated with the malware app (yes, malware EULAs) lists "Angry Bird Cheater" by name, so there's one of the candidates. Also, quoting the article:
So, "Choopcheec" seems to be a common codeword for the apps. Whatever that is.
Welcome to the Panopticon. Used to be a prison, now it's your home.
In case you're wondering, that's "Author too stupid;didn't read"
When I saw that the author apparently didn't know the difference between 'affect' and 'effect' I gave up.
IMNSHO, If you can't get that right, you don't deserve to be read.
No, no, you're not thinking; you're just being logical. --Niels Bohr
This is valid grammar 2.0
Your comment is indicative of the kind of arrogance that makes people hate so many technically proficient people. Do you even realize how arrogant you are to call people "morons" because they don't happen to have the kind of technical understanding and knowledge that we have? I'm sorry, but it's YOUR ARROGANCE that marks you as the real moron. People have different skills and knowledge. Yours (and mine) happens to be in a technical field, among others, presumably. But you have areas where you don't know anything, too. Everybody does. Just because people don't value YOUR subject area above all others doesn't mean they're morons who are "dumb users." Just as a person who doesn't want to be an auto mechanic isn't a moron when he simply wants his car to work without him futzing with it. You really need to climb down from the high horse and realize that people aren't necessarily morons just because they don't know everything about IT that we know.
Ah, that's what the story is really about. I'm surprised it took them so many paragraphs to get to their real agenda.
localman57 has the solution. And who's to say that Google has to be the one doing the code reviewing? Why couldn't a group of Android developers get together and set up a reviewing panel that will certify apps as threat-free? Before I download an app, I can see if the reviewing panel lists it or not and have that one extra data point with which to make my decision. If the panel's work is done in a transparent manner, people would trust it and they would have a measure of safety without having to be walled inside.
You are welcome on my lawn.
Why couldn't a group of Android developers get together and set up a reviewing panel that will certify apps as threat-free? Before I download an app, I can see if the reviewing panel lists it or not and have that one extra data point with which to make my decision. If the panel's work is done in a transparent manner, people would trust it and they would have a measure of safety without having to be walled inside.
The only people that would protect are the people who don't need protection.
You are trying to solve the problem of how to make life easier for YOU, not the average user who would have no clue the panel existed and would not care if they did.
Any kind of "seal of approval" faces the same issue, that most people would not care and continue to run the other stuff anyway.
A better approach is Amazons, to make a market of wholly vetted apps where probably Amazon does more verification of who a publisher is. Then non-technical users can stick to that market.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Well, you know, I don't especially need a phone. That's for talking to people, and what's the fun in that?
Now, getting into a Wikipedia edit war while driving down the road and eating a Sonic burger... That's fun!
Seriously, though. My HTC isn't a phone, it's a portable computer with telephony capability that I occasionally use.
In other words, you're talking about solving the wrong problem. You want phones that are immune to malware, and as you point out, they're still thick on the ground. I want an ultraportable computer that doesn't get hacked, trojaned, or otherwise attack me without provocation. That's a bit harder.
Welcome to the Panopticon. Used to be a prison, now it's your home.
The complaint is that its the only store you are allowed to use.
Well then there are no complaints to be had because the technical people that actually want alternate stores, can jailbreak and use Cydia.
Android people don't like to acknowledge this is possible because as you say that's the only argument they have.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
0) Do some research on your apps before installing
1) Stick to open source apps whenever possible
2) don't just click through like whack-a-mole when installing... read the perms!
Take the same precautions on your Android phone.
Join the Slashcott! Feb 10 thru Feb 17!
The Android Market in general is pretty broken because of the lack of even a rudimentary review process. The other day I was looking at the new releases in the Sports Games category and there were about 5 or 6 pirated ebooks of Harry Potter, the Twilight Series and several others. Needles to say, this is not only illegal, it's in the wrong category. This has been a problem in the market since its inception and Google still has yet to do anything about it. If they are unwilling to have someone at least look over the titles and categories that an app is placed in before allowing it on the market, in order to cut back on massive copyright and trademark violations and make browsing the store by category possible, why do we think they'll take any preemptive strike against malware? Google doesn't even give Android developers a convenient way to contact them. It seems to me that they wanted the Android Market to be a set it and forget it kinda thing. Will the negatively publicity form the malware for them to change that stance? I doubt it.
In case you're wondering, that's "Original poster is being an inconsiderate prick and should totally be ignored"
> People make typos. You do too. I'll bet you a 100 dollars, euro's or whatever currency you use on that. And with spelling correction these days valid words in a wrong context are even easier to miss...
Also, as an advance warning for possible future rants (and this may come as a shock. I suggest you find a nice and comfortable seat first before reading on):
[SPOILER]Not everyone on the internet is a native English speaker. The 'INTER-' part might be a subtle hint for that.[/SPOILER]
Mod parent up. Software people need to understand this: users cannot be asked to do "deep reasearch" and "understand permissions", they do not have the time, and they paid good money for their device that should simply work.
And we can say they are "noobs" or "stoopid" all we want, and do not deserve nice things, but the reality is that examining permissions is right now really user-unfriendly, and actually not possible: I can easily make a program that requires map access and being able to send a data message for the fun little location game I am selling, and there is no way even the smartest permissions-examiner now knows I have made a remotely-activated stalking device.
Users will vote with their wallets to get phones where they can simply get their stuff done and get some fun out of them without having the feeling every step could be quicksand. So as phone ecosystem manufacturer you have the choice of don't let crap happen on the phone, or watch your consumer pay your competitor for a phone where crap can't happen. And to make crap not happen, you will have to only allow safe programs on the phone. And as parent shows, this means a closed store.
Google announced today that to avoid lawsuits from apple over the app store name and to better describe the products offered, they are changing the name to the "malware market". They were immediately sued by Microsoft who claim to have copyrighted malware infected operating systems.
Some drink at the fountain of knowledge. Others just gargle.
Thousands of engineers labored for years to build the hardware and low-level software so that you can prance about writing your Ruby code or whatever the fuck you do that makes you think that you are some sort of tech genius. Those engineers put a lot of effort into making sure that you didn't have to be a semiconductor physics expert in order to use computers and that you weren't going to accidentally set the thing on fire with the wrong set of keystrokes. Compared to those engineers and relative to their turf, you are a moron.
There is value in abstraction. There are a hundred things that you rely on everyday that required some skilled profession to baby-proof and they were happy to do it, because that's what engineers do--and they don't look down their noses at those users as though they are some sort of inferior lifeform.
Not that a closed store stops crap from happening, mind you. Lessens, perhaps, but not stops.
Maybe Google could require an ESRB -style disclosure on what permissions are needed for what (I say ESRB because game developers are required to submit a listing of content that may be offensive/suggestive/etc. with their application for a rating), with real penalties for screwing around. The disclosure could go with the app in the market, putting it up front in a more obvious way that, hey, this Angry Birds level unlocker app requires the ability to make phone calls for ____ reason. Yes, the malware developer could make up reasons and, if they're in, say, China, probably get away without a lawsuit or anything, it should be a red flag to even the least-savvy user. It'd help if it had a timer that prevented you from just rubber-stamping the install buttons without looking in the way that Firefox/etc. have for extension installs.
1. There are alternatives, you can buy an Android phone.
2. If IOS devices made it easy to use another store, then non-technical users would be at more risk. They would get an email that said, "Hey try out this fun app" which would take them to the non-curated store, they would blindly click-through all warnings from the OS and voila, you've got a mobile experience every bit as toxic and unusable as the Windows PC experience--and you've just destroyed Apple's value proposition and their $100B market cap.
What it really boils down to is that most of Apple's critics (a) don't care at all about non-technical users and (b) really want Apple to fail anyway so are happy to argue for Apple to adopt flexibility that would lead to financial disaster for them. Apple fundamentally disagrees on both points so you aren't going to sway them.
But you have other options, see #1.
Apple is actively hostile against jailbreaking (bricked device, anyone?)
Apple has NEVER bricked a jailbroken device.
WIth the VERY FIRST iPhone, a few iPhones had issues with unlock hacks (which is not the same as jail breaking) interacting poorly with firmware updates, because they had re-written parts of the firmware...
What GP wants is the ability to choose, and be left alone if he does jailbreak his iOS device.
Which is what you get from jailbreaking.
brave the Wild West without interference from King Jobs
Unlike you 90% of the populace does not wish to be gunned down in the streets, which is the world you would have them live in against their will - because you are against the CHOICE by users to live in that walled area if they they find it safer and more pleasant.
bootloader lockdowns by individual manufacturers notwithstanding
Such hypocrisy... astounding.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Remember that the first updates after the first jailbreaks would brick peoples' iPhones.
That was never the case, it was carrier unlocks only AND you could reset the phone (not actually bricked).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
This means that the default should be a closed store. It doesn't mean that the phone should not allow additional channels for application installation - they just shouldn't be easily discovered by casual users (e.g. it can be something like about:config in Firefox).
So I should download the Krill anti-malware suite?
Should I be watching out for Baleen?
Some of the app developers like this one recognize the mess and have started explaining the perms. Granted, they could be lying, but when compared to this supposed 'security app' not only requires every privacy-threatening permission, but, according to privacy inspector (the free version of the above app), also does things[0] like reading your phone number etc.
Android's a platform of adware, we've all known that from day 1, but somewhere along the line BonzaiBuddy-esque abuse-in-exchange-for-free crap became acceptable again.
[0] As opposed to just requesting the ability to do things: I think it reads function calls or something, I'm still waiting to hear back from xeudoxus.
Does Jailbreaking void your warranty?
No. Is it illegal? No. Does it cause bad breath? No.
You Apple haters are as thick as the Great Wall Of China - looking down it the long way.
Oh? darn.
Darn is right, your only argument shattered like a cheap shot glass on dollar whisky night.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Some of the app developers like this one recognize the mess and have started explaining the perms.
Yeah, I've noticed that, and that was my inspiration behind my suggestion of making it a mandatory policy, because I appreciate it when app devs do that. Yeah, they could be lying, but I'd prefer to at least get the explanation that "full internet access" is required for the ads rather than it just be sitting there for no apparent reason on an app that is not exactly network-centric.
Considering the fact that I'm in a fringe technical field, and not a programmer like everyone's been having fun assuming, your entire post misses the point entirely.
Your lawyer argument is stupid. No, I don't call a lawyer when I sign a car loan (btw a lawyer is involved in mortgages because those involve title transfers, and the title company has. . .Lawyers), but I do read the loan carefully. The people who are getting malware on their Androids aren't even going that far. They aren't reading anything. They're just slapping "OK" on the permissions screen without bothering to look at what permissions they are OKing.
I know it's awfully fun to join the anti-intelligence dogpile (anonymously - how very impressive) but if you're going to do it, at least make a good job of it. I'm not going to apologize for expecting members of society to exercise intelligence now and then. I get that this is not a popular view these days, but if you look around at the state the USA is in, perhaps it should be.
"I disagree with you" does not equal "flamebait."
People should buy iPhones to protect themselves from themselves. Android is available if you don't want or need that protection.
The only thing we disagree about is that I think you are a dick for calling nontechnical iPhone users morons.