Android Malware May Have Infected 5 Million Users

bonch writes "A massive Android malware campaign may be responsible for duping as many as 5 million users into downloading the Android.Counterclan infection from the Google Android Market. The trojan collects the user's personal information, modifies the home page, and displays unwanted advertisements. It is packaged in 13 different applications, some of which have been on the store for at least a month. Several of the malicious apps are still available on the Android Market as of 3 P.M. ET. Symantec has posted the full list of infected applications."

Google Needs To Get Their Ass In Gear

[rsmith-mac]

Although I seriously doubt Symantec's 5 million number is right, the fact that malware keep showing up on the market is disturbing. Actually, we're beyond disturbing, it's getting downright annoying. Google needs to do better than removing bad applications after the fact, and while this doesn't need to be a Jobsian walled garden, at a minimum Google needs to start reviewing all applications (and updates!) before posting them to make sure they're clean.

Phones are appliances, and trying to handle malware the same way we handle it on computers (which is to say, after the fact) is not going to work.

Re:Google Needs To Get Their Ass In Gear

[Nerdfest]

What they could do is provide the same sort of "reviewed application" market that Apple does, but as an option (as I believe Apple should). I see that as the best of both worlds. If you want to lower the odds of malware, use that market. If you don't mind a little risk use something else, like the current Android market.

Re:Google Needs To Get Their Ass In Gear

[BasilBrush]

Walled garden is the way to go.
Android users very satisfied: 47%
iPhone users very satisfied: 75%

http://www.loopinsight.com/2012/01/09/iphone-satisfaction-at-75-closest-competitor-at-47/

Re:Google Needs To Get Their Ass In Gear

Nerds seeking a feeling of control in their lives turn to computers. They hate the idea of appliances, because the feeling of mastery over something gives them a sense of control that they lack in their daily lives. And seeing mainstream users walking around with appliances, many of the same people who alienated them in the first place, breeds resentment. That's why this "freedom" argument always comes up, because the feeling of having it taken away is like a personal attack.

But I'm afraid appliances have always been the inevitable future, just like you don't hand-crank an automobile to start it (and most people don't even manually shift gears anymore even though direct control is more fuel-efficient). And I have to say, lying in bed with a computer that does all the things I and most people in the world use them for--browsing the web, casual games, watching movies, posting on social networks, listening to music--without all the maintenance and time investment of a PC is really, really nice. It's obviously the future.

Based on sales from October through December, the tablet market already outsells the whole desktop PC market. The writing is on the wall.

Re:Google Needs To Get Their Ass In Gear

[Overly+Critical+Guy]

I have encountered all of a handful of users with tablets and each has said basically the same thing.

With a sample size like that, how could you be wrong?

For crying out loud, we're onto year three of the iPad, and it sold over 15 million last month. This is as much a "fad" as the mouse and GUI. If you don't see the inevitability of this, then frankly you are out of touch. Nobody wants to install and maintain a PC just to browse the web anymore. The same kind of streamlining already happened to gaming in the 2000s via consoles.

Re:Google Needs To Get Their Ass In Gear

[Telvin_3d]

That assumes that the average consumer can or should be able to make intelligent decisions about "who he trusts to review and approve apps". In reality it would be the malware company with the biggest marketing budget. The idea that a consumer should first spend weeks getting up to speed in the mapping or racing simulator communities before they can safely try out a couple apps is ridiculous. What you would get instead is friends recommending friends, and all that means is that every person who gets tricked they immediately recommend a few friends to download the same BS.

Because the question in question is not "who can *everyone* trust?", the question is "who can everyone trust not to serve up malware". That is a much easier question to answer. And I think "big company with a lot of resources and a large vested interest in not serving me malware" is a pretty good answer to that question.

Re:Google Needs To Get Their Ass In Gear

[fluffy99]

To be fair, this does not look like Malware at all.

Hijacking your browser homepage, adding shortcuts to the desktop,stealing the imei and imsi (sufficient info to clone your sim card) ,copying your contacts,etc certainly counts as a trojan. Did you bother to read the symantec description?

Sure a smart user might notice the excessive permissions but the average user just hits okay and doesnt even read the list.

Re:Google Needs To Get Their Ass In Gear

[inglorion_on_the_net]

I've always thought that apt (apt-get, aptitude, Debian) has the right solution to this.

You get your software from a repository, and only software that is approved by the maintainers of the repository gets in.

Then, _you_ get to choose which repositories you trust.

That way, you don't have to judge the quality of all software yourself. You can leave that to the people who maintain the repositories. They will build up reputation over time, and you can go with the ones that have a good enough reputation by your standards.

A walled-garden app store like Apple's basically implements the first part of this. This is fine for a lot of people.

To also cater to those who want more freedom, without opening the flood gates, all you have to do is allow them to shop at other app stores, as well.

Re:Google Needs To Get Their Ass In Gear

[hey!]

That assumes that the average consumer can or should be able to make intelligent decisions about "who he trusts to review and approve apps".

Not really. It assumes *some* consumers are able to make intelligent decisions and that there is benefit to addressing their needs and costs to sweeping them in with consumers who are less savvy. By that reasoning, there should be no *Consumer Reports* and we should rely upon the Consumer Products Safety Commission to make decisions for you.

In reality it would be the malware company with the biggest marketing budget.

This is probably depends on the *kind* of malware. Take privacy intrusion. Privacy intrusion for collecting marketing data would surely be a problem, because it's legal. But it goes on anyhow, you just don't see it and it's not running on your equipment. The point of entry to the surveillance network is the retailer. Privacy intrusion for purposes of identity theft would not be a problem *for the certification system* because the "big marketing budget" provides a trail back to the perpetrators.

The idea that a consumer should first spend weeks getting up to speed in the mapping or racing simulator communities before they can safely try out a couple apps is ridiculous.

I'll ignore the various shortcomings of the scenario you propose and cut to the chase: The real issue with the system I proposed is that it cannot overcome impatience, and it conflicts with the needs of marketing, which exploits impatience. There's an app that's gone viral, but it hasn't been certified yet by anyone you've heard of. It might take weeks for the stodgy certifiers everyone uses to get around to examining the thing, during which you'll have to live without this app you feel you can't live without. So you choose to grant an exception, or worse -- to trust a dodgy certifier. In fact, the system I proposes creates a new avenue for social engineering attack in which malware authors entice consumers to trust a malicious certifier because they want their free game *right now*.

So why do I think it's a good idea? Because my standard of success is different than yours. You want a system that will protect foolish people from their choices. I want a system in which it is *possible* to make and enforce good decisions. While I think it is unfortunate that fools are exploited, I see no way of protecting them absolutely without posing unreasonable restrictions of freedom.

Because the question in question is not "who can *everyone* trust?", the question is "who can everyone trust not to serve up malware".

Well, if you can answer that, you make those agents the *default* trusted authorities. The problem I have with platform-vendor-chooses-who-everyone-has-to-trust solution is that everyone is not the same. A hospital securing its mobile devices used in health care delivery is different from a teenager who is messing with his game console. People feel differently about privacy too, and their stance may vary depending on device. That teenager might choose different universes of apps for his game console and phone.

The problem with the current system is that it relies on people being able to draw inferences about developer intent from specific permissions an app requests. How insane is that? Even an expert who understands what a permission *does* can't reliably anticipate everything it can *accomplish*, much less the *intent* of the developer in asking for it.

Re:Google Needs To Get Their Ass In Gear

[Abreu]

Yeah, and 76 million Tamagotchis have been sold world-wide. That doesn't make it less of a fad.

Reaction

[Overly+Critical+Guy]

For years, the Windows platform was mocked relentlessly as a cesspool for malware. It's interesting to see what happens when there is a lack of quality control from the platform vendor, which turned Windows into a complete mess of contradictory interfaces (even within Microsoft's own software), convoluted configuration settings, and a third-party market devoted to cleaning up viruses and spyware. Android seriously risks going down that path, if it's not there already. There has to be more control on the part of Google.

Pushing back on that is a small contingent of techies who want to turn the smartphone into a PC. They like to cite the freedom to install anything they want, but the truth is that mainstream users wouldn't do so even if they knew how. Google needs to cater to the needs of the majority and not latch onto populist concepts sound good to tech crowds (e.g., "openness") but mean nothing to everyone else who just uses these things as tools rather than hobbies--especially when Google seems to have trouble following fundamental tenets of open source like source code access.

Those 37 million iPhone sales over December reversed the 2011 Android surge. The in-fighting among Android vendors risks more forks like Kindle Fire, customized interfaces, and abandoned phones that no longer receive updates mere months after their release. Google, turn the ship around before it's too late! The carriers won't help you.

Re:May have?

[Overly+Critical+Guy]

From TFA:

'Symantec estimated the impact by combining the download totals -- which the Android Market shows as ranges -- of the 13 apps, arriving at a figure between 1 million on the low end and 5 million on the high. "Yes, this is the largest malware [outbreak] on the Android Market," said Haley.'

Even the most optimistic estimate is very bad.

foxconn factory workers very satisfied:

[decora]

foxconn factory workers very satisfied: 100%, with no dissent! amazing.

when interviewed, every last worker expressed their deepest appreciation for their bosses, and how much they love working together for harmonious success of the company, which they love and admire deeply.

Re:foxconn factory workers very satisfied:

[BasilBrush]

And your mobile phone was made where, hypocrite?

Apple Haters ignore the fact they are more guilty

[SuperKendall]

foxconn factory workers very satisfied: 100%, with no dissent! amazing.

Who makes your Android phone?

Some company that cares even LESS for their workers. At least Apple is trying to help and improve things, but China has a very servile culture embedded that has been pushed on them for many generations. They have a factory culture that has been as it is for a long time now and change is not instant.

So every dig you take at Apple and Foxconn labels you a dirty hypocrite if you use any electronics whatsoever, because even more people suffered for your device to be made...

Re:No risk for me

[BasilBrush]

This is what I came here to say. If you think that those apps are legitimate or at least only a positive, you are either very desperate, underage, or a moron of the highest order. In the case of the first, I'm sorry you don't have the brains to find actual free porn/cheesecake pics, in the case of the second you're not clever enough to ascend to the next level of porn, and in the case of the third your phone is too smart for you, please take it back.

Ah right. It's the user's fault. The classic excuse for bad IT systems.

Why Am I Not Surprised

[rhook]

Look at this list of infected apps.

iApps7 Inc Counter Elite Force Arcade & Action
iApps7 Inc Counter Strike Ground Force Arcade & Action
iApps7 Inc CounterStrike Hit Enemy Arcade & Action
iApps7 Inc Heart Live Wallpaper Entertainment
iApps7 Inc Hit Counter Terrorist Arcade & Action
iApps7 Inc Stripper Touch girl Entertainment
Ogre Games Balloon Game Sports Games
Ogre Games Deal & Be Millionaire Sports Games
Ogre Games Wild Man Arcade & Action
redmicapps Pretty women lingerie puzzle Photography
redmicapps Sexy Girls Photo Game Lifestyle
redmicapps Sexy Girls Puzzle Brain & Puzzle
redmicapps Sexy Women Puzzle Brain & Puzzle

These are all Facebook type games that idiots play.

Re:No risk for me

[jedidiah]

No. We should stop pretending that OS and application design choices don't matter. They can't stop everything but they can avoid the sort of nonsense that happens in Windows. When it comes to "social engineering" in Windows, the bar is simply much lower. No degree of self-delusion on yoru part will change that.

You can be smug when Android or iPhone or Linux or MacOS has the same sort of "browse this webpage get infected" problem that Windows has.