Slashdot Mirror
Android Malware May Have Infected 5 Million Users
bonch writes "A massive Android malware campaign may be responsible for duping as many as 5 million users into downloading the Android.Counterclan infection from the Google Android Market. The trojan collects the user's personal information, modifies the home page, and displays unwanted advertisements. It is packaged in 13 different applications, some of which have been on the store for at least a month. Several of the malicious apps are still available on the Android Market as of 3 P.M. ET. Symantec has posted the full list of infected applications."
I've always thought it was odd that those games that literally copied Counter-Strike were allowed on the Google Market.
I know, you're about to say "copying gameplay, while unethical, is completely legal". Problem is, they didn't copy the gameplay - they're boring rail shooters. The copied stuff is the art - the textures, models, even some of the maps. And that's blatant copyright infringement. It's obvious even from the previews, if you've played the game enough. And since, at one point, people playing cs_italy were responsible for more bandwidth usage than actual people in Italy, I'm pretty sure I'm not the first to notice it.
I figured Valve, being pretty savvy about this sort of thing, figured that suing them would give them too much publicity - Streisand Effect and all that, not worth the huge amount of publicity that anything Valve does. Now, I'm thinking that iApps7 was just ignoring the cease-and-desists, because when you're already distributing malware and committing actual, commercial copyright theft, you're probably not too afraid of lawyers.
Although I seriously doubt Symantec's 5 million number is right, the fact that malware keep showing up on the market is disturbing. Actually, we're beyond disturbing, it's getting downright annoying. Google needs to do better than removing bad applications after the fact, and while this doesn't need to be a Jobsian walled garden, at a minimum Google needs to start reviewing all applications (and updates!) before posting them to make sure they're clean.
Phones are appliances, and trying to handle malware the same way we handle it on computers (which is to say, after the fact) is not going to work.
For years, the Windows platform was mocked relentlessly as a cesspool for malware. It's interesting to see what happens when there is a lack of quality control from the platform vendor, which turned Windows into a complete mess of contradictory interfaces (even within Microsoft's own software), convoluted configuration settings, and a third-party market devoted to cleaning up viruses and spyware. Android seriously risks going down that path, if it's not there already. There has to be more control on the part of Google.
Pushing back on that is a small contingent of techies who want to turn the smartphone into a PC. They like to cite the freedom to install anything they want, but the truth is that mainstream users wouldn't do so even if they knew how. Google needs to cater to the needs of the majority and not latch onto populist concepts sound good to tech crowds (e.g., "openness") but mean nothing to everyone else who just uses these things as tools rather than hobbies--especially when Google seems to have trouble following fundamental tenets of open source like source code access.
Those 37 million iPhone sales over December reversed the 2011 Android surge. The in-fighting among Android vendors risks more forks like Kindle Fire, customized interfaces, and abandoned phones that no longer receive updates mere months after their release. Google, turn the ship around before it's too late! The carriers won't help you.
"Sufferin' succotash."
From TFA:
'Symantec estimated the impact by combining the download totals -- which the Android Market shows as ranges -- of the 13 apps, arriving at a figure between 1 million on the low end and 5 million on the high. "Yes, this is the largest malware [outbreak] on the Android Market," said Haley.'
Even the most optimistic estimate is very bad.
"Sufferin' succotash."
Apart from being somewhat annoyed about the greater difficulty of managing my smartphone when compared to my Linux boxes, I've been having a hard time selecting apps for it.
Android market is not exactly friendly (is there a way to get larger fonts?) and I'd like to have a search by permissions. Recently, I wanted a mere notepad app -- no frills, no cloud, no nothing, just the note, but there's an "excellent" notepad app which requires you to join an online service. WTF!!!
After finding 2 suitable apps, I would still need a bigger keys soft keyboard... again looking at permissions to avoid leaking unnecessary things.
No wonder guys end up getting viruses... we need better ways to control our exposure. Then again Google's business depends on offering us what we want and thus they need to know that. But am I giving my data only to Google? I wonder where my accounts and their details end up going...
This is what I came here to say. If you think that those apps are legitimate or at least only a positive, you are either very desperate, underage, or a moron of the highest order. In the case of the first, I'm sorry you don't have the brains to find actual free porn/cheesecake pics, in the case of the second you're not clever enough to ascend to the next level of porn, and in the case of the third your phone is too smart for you, please take it back.
On a slightly different topic, since I might as well go all out in insulting average non-computer-savvy people for the crime of not spending their life like pasty-faced Anonymous Cowards in front of the cool glow of a monitor in their basement, I remember an early app in the Android market that was literally a tithe calculator. I'm GUESSING this was someone's first app or otherwise a test app by someone learning to program, because I actually downloaded it a second time after an update and the interface became slightly more refined (with a background picture instead of a flat colour and so on), and I'm not particularly here to mock the author of the app so much as any target audience members that might exist.
The app had a prompt for you to enter how much your annual income was, and then a 'go' button that returned (income/10) as the amount you needed to tithe. In the event that you belong to a church that receives tithes to support it, I'm very afraid if you need a smartphone and a custom app in order to divide a number by ten. The app did exactly what it said on the can, but by FSM I hope nobody was browsing through the Android Market and went "Oh! That's exactly what I need!"
Well, combine this with Googles recent news of privacy policy changes and Android's shine really is fading fast. I hate Apple, not for the products, I love Macs. It's the overused domination attitude I just can't deal with. So, that said, what's left? Win phone? Omg no. Maybe RIM and Nokia still have a niche after all... Just something to consider.
"Computers are a lot like Air Conditioners" "They both work great until you start opening Windows"
Of course, everyone has known for the past decade at least that we're at the point where the primary attack vector for malware is social engineering. It's only really on Slashdot and other Linux-cebtric sites where you still see only a half admission of that fact. It's social engineering when it affects Linux, whereas it's shitty inherently shitty security when it affects Windows,
At least we can finally stop pretending that Linux is powered by MagicalPixieDust(TM) and is immune to infection.
foxconn factory workers very satisfied: 100%, with no dissent! amazing.
Who makes your Android phone?
Some company that cares even LESS for their workers. At least Apple is trying to help and improve things, but China has a very servile culture embedded that has been pushed on them for many generations. They have a factory culture that has been as it is for a long time now and change is not instant.
So every dig you take at Apple and Foxconn labels you a dirty hypocrite if you use any electronics whatsoever, because even more people suffered for your device to be made...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Foxconn is the world's largest maker of electronics components and makes products for every major computer company including Dell, HP, Microsoft, Nintendo, Samsung, and Sony. Why they're always intimately associated with Apple on tech forums is beyond me other than as anti-Apple flamebait.
"Sufferin' succotash."
"In other news, security research firm says they've found alarming evidence of their own relevance.
Details at 11"
That's 5:00 you non-binary-reading troglodytes. I suspect next I'll hear a story about how useful rats are at guarding cheese.
HTC makes all of their premium Android phones in Taiwan. The workplace standards are of course much higher there compared to Mainland China. Samsung, on the other hand uses a number of factories, including ones in South Korea and China to make their flagship Galaxy SII phones.
:. Ultimate Control Dedicated/VM Servers
'Symantec estimated the impact by combining the download totals -- which the Android Market shows as ranges -- of the 13 apps, arriving at a figure between 1 million on the low end and 5 million on the high.
Of course Symantec totally ignored that the download totals do not translate into the number of infected users. How many devices have multiple apps? That estimate could easily be 10x too high.
Did the author run scripts to pump up the numbers to gain visibility? Many app authors do this
When drivel like this gets modded up, I know why Taco left. Joke-dot? Slash-gadget? Take your pick.
The soylentnews experiment has been a dismal failure.
And of course NONE of the anti-virus or malware scanners caught even One instance of this in the wild.
SYMANTIC advertising their own uselessness.
Sig Battery depleted. Reverting to safe mode.
I just checked my Galaxy Nexus. It says "Made in China", so I'm guessing it's probably a safe assumption it's made at Foxconn.
And while HTC's premium flagship phones are made in Taiwan, I'd guess most of the rest of them are made in Foxconn (for every flagship, there's probably dozens more of the lowend phones sold).
In particular in Taoyuan. HTC makes their products in Taiwan, which is not a large surprise since they are also headquartered there.
I'm not sure how, but you've hit the crux of it. With Windows, we expect this "blame the user" scenario because we've been trained to expect it. We were hoping for better with Android. But there are just so darned many apps now to vet.
Maybe a second level of "hey, these permissions are really loose and align with known malware. Are you really sure you want to enable this app to upload all your files and your contacts list to any random website and dial 1-900 numbers to run up your phone bill?" consent might be required.
Or maybe just triggers for additional inspection of apps based on required permissions. But that costs money, and somebody has to pay for that. Maybe a permissions cost matrix for uploading your app, to pay for the code inspection. That would encourage developers to require the minimum necessary permissions.
Help stamp out iliturcy.
BTW: Symantec is just now disclosing that their servers were hacked in 2006 (as far as they know - maybe earlier). They don't know how long the hackers have PWNed their network, how much control they had, or for how long - but they're quite sure the hackers have stolen some of their source code. They recommend that you not use / disable / uninstall some (most) of their software. Most especially including PC Anywhere, since apparently it has a vulnerability or "back door" that allows the hackers to remotely administer your PC from Anywhere - and has for the last SIX YEARS.
I think I'm going to take Symantec's edicts with a grain of salt from now on, even if this is from a different group.
Help stamp out iliturcy.
Look at this list of infected apps.
iApps7 Inc Counter Elite Force Arcade & Action
iApps7 Inc Counter Strike Ground Force Arcade & Action
iApps7 Inc CounterStrike Hit Enemy Arcade & Action
iApps7 Inc Heart Live Wallpaper Entertainment
iApps7 Inc Hit Counter Terrorist Arcade & Action
iApps7 Inc Stripper Touch girl Entertainment
Ogre Games Balloon Game Sports Games
Ogre Games Deal & Be Millionaire Sports Games
Ogre Games Wild Man Arcade & Action
redmicapps Pretty women lingerie puzzle Photography
redmicapps Sexy Girls Photo Game Lifestyle
redmicapps Sexy Girls Puzzle Brain & Puzzle
redmicapps Sexy Women Puzzle Brain & Puzzle
These are all Facebook type games that idiots play.
I just really wish for a more fine-grained permissions system.
I mean:
full Internet access
Allows an application to create network sockets.
Wouldn't it be fucking nice if it only could have unchecked internet access to an explicit list of URLs and "full internet access" meant "initiated by user action"?
Same for file system and for "Read phone state and identity" - 95% of apps in the market want the same permission.
It just gets devalued, like UAC's very helpful and informative "Allow this program to make changes to your computer?" prompt (More details? Sure: "Origin: Hard drive on this computer"). With all kinds of "changes" and their frequency it's not hard to see why UAC is often turned off. WIth all kinds of "full internet access" it's not hard to see why permission page is just to click "Accept".
I somehow can't imagine malware authors would sign their apps with a valid CA-issued certificate that would prove their identity in court.
I've had this argument on /. a thousand times. There's a reason why NetBSD isn't popular. They have a certain philosophy that security isn't something you compromise on to deliver usability or popularity. They don't implement a feature - any feature - unless it can be secured. They don't listen on ports by default. They don't auto-execute anything on mounting, and so on - because these features, while popular, compromise security. It's a religion with them. They've had some lapses but AFAIK no current NetBSD distribution has ever been proven to have a remote exploit.
And that's why NetBSD is the go-to starting point for folks who don't want to share their files with the wide Internet.
Help stamp out iliturcy.
Seriously, this is an opportunity for a company to come up with a new market to compete against Google. Basically, set it up similar to Apples: submit the app, have it tested, etc. and charge a small amount of money. For me, I will stay with google. BUT, for my parents and in-laws, they would go with the secured market.
I prefer the "u" in honour as it seems to be missing these days.
There are apps (that if you trust them) for root users (e.g. LBE Privacy Guard) or custom roms (e.g. CM7) that enable the user to "veto" certain permissions.
Really? You've never seen an ad and thought, "Man, I was JUST thinking I'd like a product that does something like that!"
And then you've got the Superbowl, so you can't say that you've never wanted to see advertising. You just want to see GOOD advertising. I think that's a reasonable desire.
The problem with advertising is that generally, it sucks. Especially on the internet. But remember the 'i love bees' halo campaign? That was advertising, and that was awesome.
If you don't like certain ads, do two (or potentially three) things:
1) Don't buy the product. Obviously.
2) Let the company know that you hated their ad and won't buy their stuff. They actually pay attention to that sort of thing, apparently.
3) Contact whoever is running the ad and tell them that it was particularly bad, and you're not happy with having to see it. (This works especially well with people that run ads from ad networks on their websites. I know several folks that really want to hear what sort of ads you don't want to see on their sites, and they'll contact their ad networks and get those ads removed.)
I know 2 & 3 take some effort, but you can make a difference if you want to.
No. We should stop pretending that OS and application design choices don't matter. They can't stop everything but they can avoid the sort of nonsense that happens in Windows. When it comes to "social engineering" in Windows, the bar is simply much lower. No degree of self-delusion on yoru part will change that.
You can be smug when Android or iPhone or Linux or MacOS has the same sort of "browse this webpage get infected" problem that Windows has.
A Pirate and a Puritan look the same on a balance sheet.
Can your mom differentiate between a good URL and a bad URL?
She can. Why shouldn't she? It's not like there are no bad URLs outside apps. It should be as much common sense as knowledge of mail frauds and con tricks.
Delegating vetting of apps behaviour to end users is a fundamentally bad idea. It's a task that requires skills and experience, and you can't assume them in a consumer product. This is stuff that should be done by professionals in the supply chain.
May be, though I, like many others, prefer choice. But why does that invalidate a need for better permission system? AFAIK, iOS basically permits applications to do whatever they want with internet, relying on vetting to weed out abuse - and it's not guaranteed to work. There already was a handful of examples, like Dolphin browser quietly sending every URL you visit to their server "to check compatibility with Webzine"
You seem to be opposed to it only on "iOS approach good, Android approach bad" basis. I don't see anything wrong with requiring basic knowledge from smartphone users. Is "Don't install games that want to send paid messages on your phone" so much harder than "Don't put metallic tableware in the microwave"?