Slashdot Mirror

← Back to Stories (view on slashdot.org)

Separating Fact From Hype On Mobile Malware

Posted by Soulskill on from the viruses-in-your-pocket dept.

wiredmikey writes with this quote from an article about determining whether the recent doom-and-gloom reports about malware on mobile devices are justified: "As twilight approaches for 2011, security vendors have set their gaze on the rise of Android malware during the year and what is ahead. Last week, Juniper Networks entered the fray, declaring the number of malware samples it observed targeting devices running Google Android had shot up nearly 500 percent since July. Today, McAfee released its threats report for the third quarter of the year, which found that the amount of malware targeting Android devices jumped 37 percent since the second quarter. While there is no doubt the amount of malicious programs with Windows in their bull's eye dwarfs the amount of threats to mobile devices, the focus on Android malware have left some wondering how to separate fact from hype."

11 of 46 comments (clear)

  1. Allow users to set permissions? by Anonymous Coward · · Score: 5, Interesting

    Other than CM, where one can set permissions of apps, the only real way to limit app permissions is with use of DroidWall.

    This way, if a game wants the whole world for perms, it might get the ability to call home for high scores, but that is it.

    1. Re:Allow users to set permissions? by alostpacket · · Score: 4, Informative

      There are a couple apps out there that do this (most needing root). They essentially re-write the manifest to not ask for the permission -- sometimes by decompiling/recompiling. This crashes a lot of apps as devs dont expect to need to check for a SecurityException. The other problem with this level of granularity comes user confusion. The more granularity, the more confused a user can get. It also breaks the "agreement" between the dev/publisher and the user, much like ad-blocking in web browsers does. This is unfortunate because it's really hard to fault users for wanting that kind of control when "permission creep" is growing wildly out of control. Honestly, I'm not sure there is an easy answer/fix to this. Open markets mean a bit of chaos is likely to emerge -- that's a good thing. But the only way to combat the unscrupulous is through educating users and having the community diligent in it's policing and reporting.

      The worst offenders though are the carrier bloatware apps (IMHO).

      Full disclosure: I have myself written a security guide for Android (CC license), and have an app for sale that provides information for novice users as well as permission search (to see what apps are using what permissions). I say this because obviously my work will bias my thoughts on the matter.

      The link in case anyone is interested: http://alostpacket.com/2010/02/20/how-to-be-safe-find-trusted-apps-avoid-viruses/
      Please note the guide is intened for novice users, which is unlikely to apply to most of the Slashdot crowd :)

      --
      PocketPermissions Android Permission Guide
    2. Re:Allow users to set permissions? by DJRumpy · · Score: 3, Interesting

      What I find ironic is that the blogger under the "separate fact from hype" talks only about viruses, which as far as I know are pretty much non-existent in the mobile market, he ignores the fact that most of these stories are about malware ranging from various 'texting' apps that run up bills, those that dial 900 numbers, those that steal info ranging from contacts to key loggers, etc. None of these are viruses, but dangerous regardless.

      Also while I don't doubt the explosion of 'malware', I also take it with a grain of salt that the numbers might be so small now that any increases will make a trend look huge, at least initially. That doesn't mean that the Android market doesn't have a problem. I think people tend to be more lax on smartphones than they are on computers since they are relatively new. A little caution and more proactive action from Google would be a smart move.

      Just sayin'...

    3. Re:Allow users to set permissions? by mjwx · · Score: 3, Insightful

      it's really hard to fault users for wanting that kind of control when "permission creep" is growing wildly out of control.

      This.

      Permission creep is the real problem, not malware. Actual malware (viruses, worms, spambots et al) are not prolific enough to cause real concern and I dont see them becoming big enough. It's the subtle data miners, a wallpaper or "free" game that requests "read/write contacts" and "full access to the internet" that are the real issue for end users. This is also not Android specific, IOS is just as vulnerable, even more so as Apple has pretty much given them permission to do so and do not check to see if programs do this. It's pretty much reached the point where personal data is worth more then most botnets.

      As alostpacket said, we cant really fault the users for this, controls need to be more fine grained and personal data needs to be better firewalled.

      Nice guide BTW.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  2. FUD? by AHTuttle · · Score: 5, Insightful

    While I have no doubt Android is a increasing target, why do I get the sense this is hype from Android competitors and anti-virus software makers? Just don't install any strange apps without research and think about where your browsing and I don't anticipate problems. At least I've had none in the year or so I've been on Android phones.

    1. Re:FUD? by cheeks5965 · · Score: 5, Insightful

      Mom: "honey, how should I avoid viruses on my new phone?" Me: "first, be sure to research your apps before you download them." Mom: "what? where do I do that? didnt Sprint already do that?" Me: "then, don't browse to web pages that might contain malware" Mom: "how should I know what sites are ok and what are not?" Me: "rely on your past experience battling viruses on Windows." Mom: "You're my least favorite son. I hate you."

      --
      -- Flame me and I will happily flame you back. Bring it!
    2. Re:FUD? by tlhIngan · · Score: 3, Interesting

      You could say the same thing for the Internet: don't download random stuff, research it and ensure it is safe. Hell that could apply to almost any activity like going to a restaurant: make sure that the kitchen is clean and that they buy safe ingredients.

      The problem is that no one actually does either of those checks.

      Well, it's called Dancing Pigs. A user is confronted with a scary looking permissions list with "install" and "cancel". User wants to play this kewl game they were shown. User taps Install. It'll happen often enough to matter.

      And it also applies if said app costs money and they can get it for free - people will pirate apps. And just like on the desktop world - pirated apps can contain all sorts of wrappers that install malware.

      I suppose the only interesting thing about Android is why malware uathors haven't bothered taking paid apps, adding their own crap to it, and then releasing it "for free" to show up on searches as a full version of app for free. (I've seen ebooks that did this - they take some Harry Potter epub and package it with a reader (pirated?) and release it as one app.

      Then again - should the user be expected to do these checks? Does your mechanic/plumber/doctor/nurse/etc. go and say "I cannot fix your $FOO for you today - I need to research to make sure the new software we're transitioning to is safe"? No, they just install it. Heck, they normally have "IT" take care of that stuff for them. Or their neighbour's kid.

      I suppose it's why people are going for "app stores" and "appliances" rather than full-fledged PCs. Computers literally have gotten to the point where it really is a scary place out there and anyone who doesn't do it as a full time occupation is easily overwhelmed into thinking that next click would steal all their banking information and the identities. (Or worse yet, ignorance and clicking somewhere that really does do it).

      Anyone's who's had to clean out their relative's PC over the holidays (hey US Thanksgiving...) can attest to that...

    3. Re:FUD? by ozmanjusri · · Score: 3, Informative

      Me: "rely on your past experience battling viruses on Windows." Mom: "You're my least favorite son. I hate you."

      I'm afraid you'll have to find other excuses for your Oedipal crises. The news stories are mostly FUD.

      Modern smartphones are much more secure than old ones, and much more resistant than Windows, though you wouldn't know it given the hype in the news. Did anyone notice how there were no hard numbers of malware sources or infections, just the alarming percentage increase? Even the white paper it's based on has no details. The closest it gets to the truth is here:

      Symbian and Microsoft Windows Mobile platforms are the oldest and most researched mobile platforms, and devices running those mobile operating systems have been the targets of the most prolific and effective malware known to affect mobile devices. These platforms have been targeted by a range of malicious applications that run the full spectrum of known malware categories, including SMS trojans that send SMS messages to premium rate numbers unbeknownst to users, background calling applications that charge the victim for exorbitant long distance calls, keylogging applications, and self-propagating code that infects devices and spreads to additional devices listed in the address book. The Juniper Networks Global Threat Center also sees polymorphic malware, which changes its characteristics during propagation to avoid detection, on the Symbian and Microsoft Windows Mobile platforms.

      http://www.juniper.net/us/en/local/pdf/whitepapers/2000415-en.pdf

      --
      "I've got more toys than Teruhisa Kitahara."
  3. Why the emphasis on percentages? by DeadCatX2 · · Score: 4, Interesting

    500% this, 37% that...

    One of the first tricks they teach you in "how to lie with numbers" is to use percentages to inflate otherwise small numbers.

    If they want to pimp a percentage, I would love to ask them...what percentage of the Android market share is infected? Somehow I think they wouldn't want to share that number, because all the 0's to the right of the decimal point may call into question exactly how much that very same company's products and services are needed.

    --
    :(){ :|:& };:
  4. 500%? Man, that's nothing... by QuasiSteve · · Score: 5, Funny

    500%? Man, that's nothing... why, at the beginning of the year Apple still claimed zero malware in the App Store, then this happened:
    http://apple.slashdot.org/story/11/11/07/2029219/charlie-miller-circumvents-code-signing-for-ios-apps

    Briefly, malware in the Apple App Store increased by one divided by zer-OH SHI

  5. Most security *is* theater by Anonymous Coward · · Score: 5, Insightful

    I say this as an Infosec professional. If you remove all the hype/FUD and look at actual exploit/breach rates, the entire industry would change and shrink drastically. But they don't. So we have what we have - lots of snake oil and irrelevant/useless tools pushed to solve imaginary problems. Honestly, I am ashamed of myself but the money's too good :-)