Slashdot Mirror


Android Malware May Have Infected 5 Million Users

bonch writes "A massive Android malware campaign may be responsible for duping as many as 5 million users into downloading the Android.Counterclan infection from the Google Android Market. The trojan collects the user's personal information, modifies the home page, and displays unwanted advertisements. It is packaged in 13 different applications, some of which have been on the store for at least a month. Several of the malicious apps are still available on the Android Market as of 3 P.M. ET. Symantec has posted the full list of infected applications."

16 of 280 comments

  1. Those Counter-Strike "Clones" by gman003 · · Score: 4, Interesting

    I've always thought it was odd that those games that literally copied Counter-Strike were allowed on the Google Market.

    I know, you're about to say "copying gameplay, while unethical, is completely legal". Problem is, they didn't copy the gameplay - they're boring rail shooters. The copied stuff is the art - the textures, models, even some of the maps. And that's blatant copyright infringement. It's obvious even from the previews, if you've played the game enough. And since, at one point, people playing cs_italy were responsible for more bandwidth usage than actual people in Italy, I'm pretty sure I'm not the first to notice it.

    I figured Valve, being pretty savvy about this sort of thing, figured that suing them would give them too much publicity - Streisand Effect and all that, not worth the huge amount of publicity that anything Valve does. Now, I'm thinking that iApps7 was just ignoring the cease-and-desists, because when you're already distributing malware and committing actual, commercial copyright theft, you're probably not too afraid of lawyers.

    1. Re:Those Counter-Strike "Clones" by Anonymous Coward · · Score: 5, Funny

      I've always thought it was odd that those games that literally copied Counter-Strike were allowed on the Google Market.

      I know, you're about to say "copying gameplay, while unethical, is completely legal".

      Apparently, it's only red double decker buses on a black and white picture that can be not made similar.

  2. Google Needs To Get Their Ass In Gear by rsmith-mac · · Score: 4, Insightful

    Although I seriously doubt Symantec's 5 million number is right, the fact that malware keeps showing up on the market is disturbing. Actually, we're beyond disturbing, it's getting downright annoying. Google needs to do better than removing bad applications after the fact, and while this doesn't need to be a Jobsian walled garden, at a minimum Google needs to start reviewing all applications (and updates!) before posting them to make sure they're clean.

    Phones are appliances, and trying to handle malware the same way we handle it on computers (which is to say, after the fact) is not going to work.

    1. Re:Google Needs To Get Their Ass In Gear by Nerdfest · · Score: 5, Insightful

      What they could do is provide the same sort of "reviewed application" market that Apple does, but as an option (as I believe Apple should). I see that as the best of both worlds. If you want to lower the odds of malware, use that market. If you don't mind a little risk use something else, like the current Android market.

    2. Re:Google Needs To Get Their Ass In Gear by hey! · · Score: 5, Interesting

      Consider the difference between the following questions:

      (1) Who can *you* trust?
      (2) Who can *everyone* trust?

      The problem with the Apple market, and with your idea too, is that it is predicated on having an answer to the second question other than "nobody".

      It seems clear to me that a better solution could be built around the first question. That entails letting the consumer decide who he trusts to review and approve apps, then giving him the tools to implement that trust. That'd involve some kind of network to distribute digitally signed approvals. You wouldn't have to have different app stores. You could use any store or combination of stores you wanted. What matters is whether you can find a certification for an app from an authority you trust.

      Consumers would subscribe to different authorities based on their concerns. Businesses might choose different kinds of reviewers to trust than gamers. Different functions in a business might choose different reviewers based on the kind of information they handle (e.g. whether the device running the app has sensitive or privacy related data). Evangelical Christians might choose review authorities that reject apps that promote pornography, and porn-hounds would choose authorities that reject apps promoting Christianity.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    3. Re:Google Needs To Get Their Ass In Gear by Telvin_3d · · Score: 4, Insightful

      That assumes that the average consumer can or should be able to make intelligent decisions about "who he trusts to review and approve apps". In reality it would be the malware company with the biggest marketing budget. The idea that a consumer should first spend weeks getting up to speed in the mapping or racing simulator communities before they can safely try out a couple apps is ridiculous. What you would get instead is friends recommending friends, and all that means is that every person who gets tricked immediately recommends that a few friends download the same BS.

      Because the question in question is not "who can *everyone* trust?", the question is "who can everyone trust not to serve up malware". That is a much easier question to answer. And I think "big company with a lot of resources and a large vested interest in not serving me malware" is a pretty good answer to that question.

    4. Re:Google Needs To Get Their Ass In Gear by fluffy99 · · Score: 4, Insightful

      To be fair, this does not look like Malware at all.

      Hijacking your browser homepage, adding shortcuts to the desktop, stealing the IMEI and IMSI (sufficient info to clone your SIM card), copying your contacts, etc. certainly counts as a trojan. Did you bother to read the Symantec description?

      Sure, a smart user might notice the excessive permissions, but the average user just hits okay and doesn't even read the list.

    5. Re:Google Needs To Get Their Ass In Gear by symbolset · · Score: 5, Interesting

      When netbooks came out they delivered remarkable utility with long battery life in a tiny package for low cost - using Linux and small SSD media. The netbook met a need for low-cost compromised UI with good performance. Then Microsoft convinced all the Linux netbook vendors to convert back to XP, consuming more storage (and driving the cost up) and delivering less-adequate performance. They sold more units, and lost money on every one. And then there was the crippled versions of W7 thing with even higher costs as the cost of full laptops dived below the price of netbooks. And the netbook market crashed because nobody was going to go back to the cheaper, quite awesome Linux variant when they could sell $300 laptops instead. But a funny thing happened. The price of a laptop also fell in response to this netbook threat - from $900 to under $300. Microsoft successfully killed the netbook by cutting the throats of their PC OEMs with budget laptops.

      People forget that between the netbook and the tablet was a Smartbook - invented by Asus and shown briefly in 2009 at a summer trade show - and then suddenly yanked in mid show. It was an ARM/Linux platform. The very next week a very nervous looking Jerry Shen flanked by Steve Ballmer and a member of Microsoft Legal was talking up Asus W7 platforms on a stage in Taiwan. He seemed to be sending out very stressed body language - something like "help me".

      So now we have ARM tablets, mostly thanks to Apple's huge margins and lack of commitment to the Windows ecosystem enabling them to innovate. But the netbook story isn't going to play out here again. The CE vendors are in this game now and Microsoft doesn't have the leverage over Samsung and HTC that they had over the PC vendors. The CE vendors can't make Apple tablets: only Apple can do that. So they're going to do the thing they CAN do, and make Android tablets as best they can. And they do. And they rock. And Google does the ecosystem thing for them, with 250M units in the field the developer need not worry about there being a market for his app if it's any good. With hundreds of thousands of apps customers need not fear the thing won't do what they want - in fact, if you've bought it for your phone you don't have to buy it again for your tablet. And some of the apps - particularly games - are quite incredible on a device with all-day battery life. And things like Kindle app of course still give you access to all the things you've bought through there too.

      The new crew, the CE giants, the Samsungs and HTCs are also the ones burned on Windows Phone and buying back their stock thanks to Nokia's preferred standing - so they're not going to push for WoA. Neither are the PC OEMs, once they find out Nokia got early access and help, and they're required to include software with Nokia branding on it in their PCs.

      WoA is going to try to step into this with no apps, a rejected WP7 UI and a general distrust of Microsoft, and try to make a go of it. Maybe even without multicore. They're going to have to acquire HTC to make that happen, because without something on that scale they got nuthin.

      This is starting to look like the end of the beginning.

      --
      Help stamp out iliturcy.
  3. Reaction by Overly+Critical+Guy · · Score: 4, Insightful

    For years, the Windows platform was mocked relentlessly as a cesspool for malware. It's interesting to see what happens when there is a lack of quality control from the platform vendor, which turned Windows into a complete mess of contradictory interfaces (even within Microsoft's own software), convoluted configuration settings, and a third-party market devoted to cleaning up viruses and spyware. Android seriously risks going down that path, if it's not there already. There has to be more control on the part of Google.

    Pushing back on that is a small contingent of techies who want to turn the smartphone into a PC. They like to cite the freedom to install anything they want, but the truth is that mainstream users wouldn't do so even if they knew how. Google needs to cater to the needs of the majority and not latch onto populist concepts that sound good to tech crowds (e.g., "openness") but mean nothing to everyone else who just uses these things as tools rather than hobbies--especially when Google seems to have trouble following fundamental tenets of open source like source code access.

    Those 37 million iPhone sales over December reversed the 2011 Android surge. The in-fighting among Android vendors risks more forks like Kindle Fire, customized interfaces, and abandoned phones that no longer receive updates mere months after their release. Google, turn the ship around before it's too late! The carriers won't help you.

    --
    "Sufferin' succotash."
  4. Re:No risk for me by WhitetailKitten · · Score: 4, Interesting

    This is what I came here to say. If you think that those apps are legitimate or at least only a positive, you are either very desperate, underage, or a moron of the highest order. In the case of the first, I'm sorry you don't have the brains to find actual free porn/cheesecake pics, in the case of the second you're not clever enough to ascend to the next level of porn, and in the case of the third your phone is too smart for you, please take it back.

    On a slightly different topic, since I might as well go all out in insulting average non-computer-savvy people for the crime of not spending their life like pasty-faced Anonymous Cowards in front of the cool glow of a monitor in their basement, I remember an early app in the Android market that was literally a tithe calculator. I'm GUESSING this was someone's first app or otherwise a test app by someone learning to program, because I actually downloaded it a second time after an update and the interface became slightly more refined (with a background picture instead of a flat colour and so on), and I'm not particularly here to mock the author of the app so much as any target audience members that might exist.

    The app had a prompt for you to enter how much your annual income was, and then a 'go' button that returned (income/10) as the amount you needed to tithe. In the event that you belong to a church that receives tithes to support it, I'm very afraid if you need a smartphone and a custom app in order to divide a number by ten. The app did exactly what it said on the can, but by FSM I hope nobody was browsing through the Android Market and went "Oh! That's exactly what I need!"

  5. Apple Haters ignore the fact they are more guilty by SuperKendall · · Score: 5, Insightful

    foxconn factory workers very satisfied: 100%, with no dissent! amazing.

    Who makes your Android phone?

    Some company that cares even LESS for their workers. At least Apple is trying to help and improve things, but China has a very servile culture embedded that has been pushed on them for many generations. They have a factory culture that has been as it is for a long time now and change is not instant.

    So every dig you take at Apple and Foxconn labels you a dirty hypocrite if you use any electronics whatsoever, because even more people suffered for your device to be made...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  6. Re:May have? by icebike · · Score: 4, Funny

    And of course NONE of the anti-virus or malware scanners caught even One instance of this in the wild.

    SYMANTIC advertising their own uselessness.

    --
    Sig Battery depleted. Reverting to safe mode.
  7. Re:May have? by symbolset · · Score: 5, Interesting

    BTW: Symantec is just now disclosing that their servers were hacked in 2006 (as far as they know - maybe earlier). They don't know how long the hackers have PWNed their network, how much control they had, or for how long - but they're quite sure the hackers have stolen some of their source code. They recommend that you not use / disable / uninstall some (most) of their software. Most especially including PC Anywhere, since apparently it has a vulnerability or "back door" that allows the hackers to remotely administer your PC from Anywhere - and has for the last SIX YEARS.

    I think I'm going to take Symantec's edicts with a grain of salt from now on, even if this is from a different group.

    --
    Help stamp out iliturcy.
  8. Why Am I Not Surprised by rhook · · Score: 5, Insightful

    Look at this list of infected apps.

    iApps7 Inc | Counter Elite Force | Arcade & Action
    iApps7 Inc | Counter Strike Ground Force | Arcade & Action
    iApps7 Inc | CounterStrike Hit Enemy | Arcade & Action
    iApps7 Inc | Heart Live Wallpaper | Entertainment
    iApps7 Inc | Hit Counter Terrorist | Arcade & Action
    iApps7 Inc | Stripper Touch girl | Entertainment
    Ogre Games | Balloon Game | Sports Games
    Ogre Games | Deal & Be Millionaire | Sports Games
    Ogre Games | Wild Man | Arcade & Action
    redmicapps | Pretty women lingerie puzzle | Photography
    redmicapps | Sexy Girls Photo Game | Lifestyle
    redmicapps | Sexy Girls Puzzle | Brain & Puzzle
    redmicapps | Sexy Women Puzzle | Brain & Puzzle

    These are all Facebook type games that idiots play.

  9. Re:No risk for me by anonymov · · Score: 4, Interesting

    I just really wish for a more fine-grained permissions system.

    I mean:

    full Internet access
    Allows an application to create network sockets.

    Wouldn't it be fucking nice if it only could have unchecked internet access to an explicit list of URLs and "full internet access" meant "initiated by user action"?

    Same for file system and for "Read phone state and identity" - 95% of apps in the market want the same permission.

    It just gets devalued, like UAC's very helpful and informative "Allow this program to make changes to your computer?" prompt (More details? Sure: "Origin: Hard drive on this computer"). With all kinds of "changes" and their frequency it's not hard to see why UAC is often turned off. With all kinds of "full internet access" it's not hard to see why permission page is just to click "Accept".
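
An added example, not part of any comment above and not Symantec's code: the comments by fluffy99 and anonymov both turn on permission lists that users skim, so this Python script audits a decoded AndroidManifest.xml for permission combinations rather than single entries. The grouping into "reads" and "writes", the labels, and the three sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
NETWORK = "android.permission.INTERNET"  # shown to users as "full Internet access"
# Permissions that read private data; a leak risk only when the app can also reach the network.
READS = {
    "android.permission.READ_PHONE_STATE": "IMEI/IMSI",
    "android.permission.READ_CONTACTS": "contacts",
}
# Permissions that change the device outside the app itself.
WRITES = {
    "com.android.launcher.permission.INSTALL_SHORTCUT": "home-screen shortcuts",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": "browser bookmarks",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def audit(manifest_xml):
    """Flag data-read + network pairs and device-modifying permissions."""
    perms = requested_permissions(manifest_xml)
    online = NETWORK in perms
    readable = sorted(READS[p] for p in perms.intersection(READS))
    return {
        # Readable data only leaves the device if the app can open sockets.
        "can_exfiltrate": readable if online else [],
        "modifies_device": sorted(WRITES[p] for p in perms.intersection(WRITES)),
    }

def manifest(*perms):
    """Build a constructed manifest string for the samples below."""
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.sample">{body}</manifest>')

# Constructed samples, not taken from any real app.
SHOOTER = manifest(NETWORK, *READS, *WRITES, "android.permission.VIBRATE")
PLAIN_GAME = manifest(NETWORK, "android.permission.VIBRATE")
OFFLINE_DIALER = manifest("android.permission.READ_CONTACTS")

if __name__ == "__main__":
    for name, doc in [("shooter", SHOOTER), ("plain game", PLAIN_GAME),
                      ("offline dialer", OFFLINE_DIALER)]:
        print(name, audit(doc))
```

An APK stores its manifest as binary XML, so decode it to text first (for example with apktool) before passing it to `audit`.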

  10. Re:Indirectly related, but... by purpledinoz · · Score: 4, Informative

    Root your phone and use Droid Firewall. All apps by default have no network permissions. Once it's set up, it works really well.