More Malicious Apps Found On Google Play
suraj.sun writes "We've seen quite a few Android malware discoveries in the recent past, mostly on unofficial Android markets. There was a premium-rate SMS Trojan that not only sent costly SMS messages automatically, but also prevented users' carriers from notifying them of the new charges, a massive Android malware campaign that may be responsible for duping as many as 5 million users, and a malware controlled via SMS. Ars Technica is now reporting another Android malware discovery made by McAfee researcher Carlos Castillo, this time on Google's official app market, Google Play, even after Google announced back in early February that it has started scanning Android apps for malware. Two weeks ago, a separate set of researchers found malicious extensions in the Google Chrome Web Store that could gain complete control of users' Facebook profiles. Quoting the article: 'The repeated discoveries of malware hosted on Google servers underscore the darker side of a market that allows anyone to submit apps with few questions asked. Whatever critics may say about Apple's App Store, which is significantly more selective about the titles it hosts, complaints about malware aren't one of them.'"
>complaints about malware aren't one of them
So the ones that raid your contacts and send the information to persons unknown are fine?
Why can't they offer a vetting process for apps? Not everything needs the "Google seal of approval", but having a google verified or trusted apps icon appear on an app might alleviate some of the problems, or at least the perception of the google market store (I can't call it google play store, it's just stupid) being a haven for malware and cheap ripoffs.
In fact, this could be a policy that a third party app store could institute. It would be interesting to see it happen, as they could potentially become more popular than Google's own store.
"some of App Store's shiniest celebrities are among those that beam away your contact list in order to make hooking up with other friends who use the app smoother. " http://m.gizmodo.com/5885321/how-iphone-apps-steal-your-contact-data-and-why-you-cant-stop-it
so, I bought an android and it's nice and whatever, then I go to download a random free game or app from the google whatever place..
it tells me it will know my location to play a free non multiplayer game? my other stored contacts information? wth?
I think it's worth noting that the new malicious applications found by McAfee researchers were video trailer applications that overtly requested the READ_PHONE_STATE and READ_CONTACTS permissions at install time.
While it's clear that users have limited comprehension of the permissions requested at install time (for instance see: Android Permissions: User Attention, Comprehension, and Behavior) it is rather suspicious that a trailer application requires access to your contact list. From the sounds of it the malware doesn't do much other than siphon off your contact list & some identifying information (Android ID & phone number).
Should it be removed from the Android market? Yes. Is it the best example of subversive Android applications? Probably not.
Enjoy that freedom, y'all.
Not only have there been numerous problems with malware on iOS, a recent study (too lazy to search for it) randomly selected a bunch of apple-vetted apps and apps from a jailbreak-only iPhone app store, and found that a larger percentage of apple app store apps are malware than ones from the third-party unvetted store...
One argument is that this is simply a market choice, A) a free and open market that is easy to upload malware, or B) a closed market that is difficult to upload malware.
Perhaps, but I believe you can have both. If a third party was able to find this malware in the market, why can't Google? Google simply needs to make this a priority, and do a better job. Scanning and making sense of the data really is their core strength.
Apple: App Access to Contact Data Will Require Explicit User Permission
I guess you forgot that part.
And the part about how these apps weren't "malware", irrespective of whether they were doing something previously allowable without explicit user permission.
So it's not at all accurate to say that it's "happening on the App Store too".
Where is their incentive?
You are responsible for what you install, and the consequences thereof. Enough with pushing responsibility to another party. If you install something you better vet the code.
The attitude of the USA has become the prime example of an irresponsible nation, denouncing personal responsibility and pointing fingers.... No small wonder we're a failing country
I tend to agree, not at least doing automated scanning is irresponsible. At least make an attempt..
I would also hope there is some prosecuting involved when these apps are found and removed. Otherwise, they will just try again.
---- Booth was a patriot ----
I made a "proof of concept" key that lets intruders into Carlos Castillo's house. I suggest all members of his household buy my "security services"
My favorite android scam is when they create fake reviews and when you open the app you automatically run scripts to like and subscribe to things on facebook and other social networks, and of course they love to use your email app to send things out. It's amazing how all of it works but also a pain in the rear-end to find out which app is doing all of this. Unlike a PC, tablets or smart phones are ridiculously hard to administer any solution. Antivirus apps never seem to work for me on those things. I agree with the whole authentication thing but what would work even better is if google's lawyers would go out and charge every developer that maliciously fked up people's devices on purpose.
And yet slashdotters like to make fun of WP7 even though by most all accounts it is a very good OS. Looks like the shoe is on the other foot nowadays.
Surely people on this site will now make fun of Android like they make fun of Windows, right? I mean, they wouldn't be openly hypocritical, right?
Yes, there's a significant problem here.
The problem is that Google does NOT like free apps. Google make their money from advertizing, and on Google Play they're actively hiding whether apps are paid for by advertizing. This means that FOSS is having a hard time there. And cheap rip-offs of various kinds are having a field day. Once a thriving community of rip-off artists have been gathered bad things(tm) happen (even more).
By the way. Congratulations, the professional anti-Google scaremongers found a semi-reasonable point to criticize. Well done.
And just enough off-center from the real problems not to bother your Corporate Overlords, nice.
The obvious thing to do when you cannot protect people is help them defend themselves (martial arts, gun wielding, etc.)
The safe choice would be to recommend to users not to use real names, to protect themselves from evildoers. But no, they had to enforce the requirement for people to use real names (because there could be a terrorist among us).
Now, maybe I'm dumb -- but even I know a terrorist would lie about his name -- while normal non-aggressive dudes think they can be honest and say the truth, because they haven't anything to hide.
So, the policy is give criminals a huge database of names (and locations!) to fetch potential victims or aliases. Mission accomplished!
With people that wise in government, I guess the US really doesn't need enemies.
Would it have killed all the "security researchers" who wrote or compiled all the articles behind all the links in this story to maybe list the apps that have been found to have trojans?
I mean, Android users might find that information useful and it might actually help minimize the damage from these apps.
Right now, it's like a news story that tells us "Three common home products have been proven to cause deadly forms of cancer" without mentioning which products they are.
You are welcome on my lawn.
"Well, if you are into the whole social network hype, you kind of deserve to get tracked and ripped off. You basically asked for it yourself."
And if you got a telephone, you deserve to be called by telemarketers and scam artists. And if you got a car you deserve to be carjacked. And if you have electricity you deserve to be electrocuted.
You basically asked for it yourself. Those are all possible consequences of choosing those products.
Stay in your luddite cave and disconnect. Toodles.
Getting "downmodded" for it rampantly by offended "penguins" no doubt: ANDROID's @ the "top-of-the-food-chain" on smartphones, & what happens then? YOU GET ATTACKED!
* It's no different than what has happened to Windows for decades now really - once you're the "top dog" (most used/biggest market-share)? You're going to be "targeted for termination!"
I use this analogy here a lot in regards to it:
Malware makers of today are criminals (not just kids in their basement doing it for shits & giggles) - they're after your monies &/or personal information (like Credit Card #'s, which is of course again, your "$"):
They're just like pickpockets (my fav. to compare them to) - They don't go after OS's that aren't widely used, and avoid ones that "techno geeks" use on PC's (like Linux, which also gets the benefits of "least used" in 1 respect - 'security-by-obscurity' thru lower marketshare/usage on PC's)...
They go where the LARGEST #'s of folks are, & especially "non-techie" types: Smartphones = ANDROID (like for PC's its Windows).
That yields a BIGGER/BETTER "ROI" in terms of time put in for creating their malwares (which, on an 'educated guess' from building freeware/shareware on the side myself for many years ontop of work-related duties in the past, is about 1 month tops) - So, they attack ANDROID like mad!
Linux derivative or not, it's also PROOF that even Linux != invulnerable (despite YEARS of hearing that on /. along the lines of "Linux = Secure & Windows != Secure").
APK
P.S.=> It was BOUND TO HAPPEN, & here 'tis folks... too bad, because ANDROID's pretty nifty stuff on smartphones, but in a way (making lemonade outta lemons)? It's NOT BAD: Simply because these malware makers are THE BEST "R&D" THERE IS FOR ANDROID AS AN OPERATING SYSTEM - they point out where the "holes" are so that GOOGLE can "shore them up". Always a 'bright-side' in everything...
... apk
"Whatever critics may say about China, which is significantly more selective about the freedoms it allows, complaints about crime aren't one of them"
Same reason their customer support is shit and your only point of contact really is a dumb messaging board service. Google, imo, isn't that bothered about looking after people.
Whenever I see an article dealing in malware, I have found that the BETTER ONES list actual IP addresses OR host-domain name lists for botnet C&C servers (which I add the ip addresses to my software firewall rules table in Windows via powershell & the host-domain lists to that AND my hosts file (for layered-security/defense-in-depth purposes)).
* After all, you're "reading up" on the stuff, to GET pertinent information, & to me? I hear exactly what you're saying... it's NOT ENOUGH to say "there is malware here" but where it's coming from (or in your case, its name).
APK
P.S.=> To me? It's like getting ready to eat a good meal, only to find it has NO flavor (or I suppose for a better analogy for us both? No nutritional value..)
... apk
I don't think that anyone said that linux with a dumb user is secure. What was the point was back then you could install malware on a windows computer simply by connecting to it, loading a malformed picture, or any other number of things that even a smart user couldn't prevent.
Now how many of these apps can self install on an android phone without the owner's knowledge? How is that any different than, say, around the year 2000 when your mom/grandma/uncle/younger brother would just click and download and install any link/program they found on the internet? People really need to realize that these smartphones really are just tiny portable computers that happen to have phone programs installed by default, all the same things you have to do on your computer to keep it safe apply on them as well.
All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
Google's always been awful about not checking its ads for malware, so I see this as no big surprise. In my experience, the text links at the top of my Gmail page have been about 95% scam and malware sites, akin to the stuff I find in my spam box. (I've since installed a browser extension to disable such ads.) Google has thus shown a previous utter disregard for ensuring the sanitation of their profit centers, so I fully expect this new "app store" (no, I don't care that it's called "Google Play;" I'll call a spade a spade, thank you very much) will be much the same until Google gets sued or some such. (In other news, I seem to recall them being sued in Australia or the EU for their fraudulent ads.)
H'm the freedom to do whatever I want within the law. With the risk of something possibly going wrong.
Or
Being ruled with an iron fist. With little chance of anything going wrong. But no guarantee.
a) They'd have to have such a deal with all carriers for it to be feasible
b) Not everybody *HAS* a carrier (think: tablets/wifi)
c) Who cares if the carriers have app stores?
I think that perhaps instead of carrier, you meant manufacturer? Even in that case you've already got the "amazon app store" etc though...
not at least doing automated scanning is irresponsible
How would you solve the Halting Problem to make automated scanning feasible?
"They're just like pickpockets (my fav. to compare them to) - They don't go after OS's that aren't widely used, and avoid ones that "techno geeks" use on PC's (like Linux, which also gets the benefits of "least used" in 1 respect - 'security-by-obscurity' thru lower marketshare/usage on PC's)... They go where the LARGEST #'s of folks are, & especially "non-techie" types: Smartphones = ANDROID (like for PC's its Windows)." - MYSELF -> by Anonymous Coward on Saturday April 14, @06:16PM (#39688889)
I don't call them "dumb" though - just ignorant of things online... innocents really, when you come right down to it.
* Hence, the bolded portions of the quotation above... Again though, on malware makers (even though they're misguided thieves & scum basically): They DO show GOOGLE (& perhaps even the Penguins crew that maintains & codes Linux itself) where the holes are, or potentials for them, & gives them impetus + perhaps even ideas how to "shore them up"...
AND?
I *think* you're going to like THIS:
"you could install malware on a windows computer simply by connecting to it, loading a malformed picture, or any other number of things that even a smart user couldn't prevent." - by cynyr (703126) on Saturday April 14, @07:53PM (#39689545) Homepage
This 'smart user' can, even on Windows (modern Windows, that is, even running as admin & it's only about 5 minutes time to setup really).
I run as a member of the "administrator class" users, but in a special "limited administrator class" (what I call it @ least) type user!
Just like you see on how MacOS X makes you LITERALLY "login" to install apps, like it or not.
So, how to stop ME, from screwing myself on taking chances on messing up as you state?
Even when the crap might be trying to install without me realizing it, say, invisibly??
This is how, & it works - So, yes, just like MacOS X does it?
It can be done on Windows, and I am honestly surprised it's not (especially when running as admin, vs. what you noted above, because this? This stops that kind of crap, even when running as admin):
The settings to examine & change are as follows in gpedit.msc &/or regedit.exe:
---
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Admin Approval Mode for the Built-in Administrator account
OR
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken
(Set as ENABLED)
---
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
OR
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin
(Set as PROMPT FOR CREDENTIALS)
---
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for standard users
OR
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorUser
(Set as Automatically deny elevation requests)
---
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation
OR
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableInstallerDetection
(Set as ENABLED)
---
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in secure locations
OR
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v EnableSecureUIAPaths
(Set as ENABLED)
---
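The five settings listed in the comment above can be checked against the registry in one pass; this is an added example, not part of the original comment. The numeric data per setting are the documented values behind the labels the comment uses, and the function names and the sample hashtable are constructed for illustration.

```powershell
# Added example: audit the five UAC values named in the comment above.
$PolicyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Value name -> registry data that corresponds to the setting the comment gives.
$Expected = [ordered]@{
    FilterAdministratorToken   = @(1)     # Admin Approval Mode for built-in Administrator: Enabled
    ConsentPromptBehaviorAdmin = @(1, 3)  # Prompt for credentials (1 = on the secure desktop)
    ConsentPromptBehaviorUser  = @(0)     # Automatically deny elevation requests
    EnableInstallerDetection   = @(1)     # Enabled
    EnableSecureUIAPaths       = @(1)     # Enabled
}

function Get-UacPolicyValues {
    # Read the live values; a value that is not set is returned as $null.
    $props  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $values = @{}
    foreach ($name in $Expected.Keys) {
        $values[$name] = if ($props -and ($props.PSObject.Properties.Name -contains $name)) {
            $props.$name
        } else {
            $null
        }
    }
    return $values
}

function Test-UacPolicy {
    # Compare a set of values (live registry by default) with $Expected.
    param([hashtable]$Values = (Get-UacPolicyValues))

    foreach ($name in $Expected.Keys) {
        $actual = $Values[$name]
        [pscustomobject]@{
            Setting  = $name
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Expected = $Expected[$name] -join ' or '
            Matches  = ($null -ne $actual) -and ($Expected[$name] -contains $actual)
        }
    }
}

# Constructed sample values (not read from a real machine), so the comparison
# can be seen without touching the registry.
$sample = @{
    FilterAdministratorToken   = 0
    ConsentPromptBehaviorAdmin = 5
    ConsentPromptBehaviorUser  = 3
    EnableInstallerDetection   = 1
    EnableSecureUIAPaths       = 1
}
Test-UacPolicy -Values $sample | Format-Table -AutoSize

# On Windows, audit the live registry and list only the settings that differ.
if ($env:OS -eq 'Windows_NT') {
    Test-UacPolicy | Where-Object { -not $_.Matches } | Format-Table -AutoSize
}
```

The script only reads the key; a value reported as `(not set)` means Windows is using its built-in default for that setting.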
"It's almost like they were built specifically to share information"
I see, so you think that because they're built to share SOME information with SOME people when under MY permission, that this is some sort of blanket right to grab all my contact details and upload them to their servers to use as they will?
There are two parties involved in a conversation, and they don't even really have 1 of those peoples permission to grab that contact detail. Just because I consented to Bob having my private telephone number, doesn't mean I granted Mark Zuckerberg the right to that data and Bob cannot give permission on my behalf and didn't anyway.
I'm not sure why this has quickly devolved into a discussion over whether Android or Apple is less safe in regards to the apps available for it. A far more useful discussion would be how can we as end users protect ourselves from these practices. I like to think I'm a cut above the average person (not necessarily the average slashdotter) by being somewhat selective about the apps I install, paying attention to the permissions they request, and running an iptables based firewall to whitelist the apps that I allow network access to. Even with that though I can't claim to be immune to downloading an app that has some malware on the backend. I've resisted the idea of antivirus/antimalware programs so far as I find that my phone's resources are quite limited enough as is. I'm not all that concerned about premium SMS either as I run a prepay sim with no extra funds on it. Can anyone point out any other obvious practices I may be missing?
It's about time Google is getting serious competition from competitive android distributions. I for one would like very much to be able to store my data on non-google servers (preferably my own) and use a competitor's app store that is trustworthy and not laden with (google) ads. It works for Linux, it should work for Android. It's about time we separated the software from the hardware and the service providers. Anti competitive pacts like the US phone companies almost certainly seem to be having should be looked into. It's virtually impossible to get a decent phone separate from an affordable plan there, even tho there will be plenty of people wanting to just purchase a phone and get a cheap plan with it, that suits their needs. This is all a tinfoil hat size of a conspiracy that seems to be going on between the phone vendors and the operators, making free choice for buyers impossible.
I was promised a flying car. Where is my flying car?
What would outright suck however is Google becoming more like other stores and putting a delay between upload and release. I LIKE the fact that I can rapidly upload updates to my apps. There have been occasions where I've turned around an update in under 30 minutes. If I tried to turn around a fix on any other store, e.g. Amazon's or the Blackberry store I'd be looking at the better part of a week for an update to appear. I have no idea what the hell they do in that time but somehow I doubt they're looking for malware or would be capable of spotting it even if it were there.
The old "those who trade freedom for security, soon have neither" springs to mind.
Because believe it or not, iOS and OSX are not immune to malware, viruses and trojans. They just are more hidden, so that when it happens, their users are less prepared for it.
Android is open, anyone can make an app. It is a free market. Apple is closed, your app has to be vetted. It is a closed market. Closed markets are ALWAYS easier and safer than free markets. But the vetting takes place outside your control and you never can tell in advance when it will turn out to be harmful. Take Sony refusing to allow multiplayer for ME3. The windows platform for that game could never have such a blockage. But then, there is zero quality control for Windows games.
You just got to search the Android market to see a LOT of crap, not just malware but apps that are valid enough as code but the idea they try to push is a scam itself. Pyramid schemes, credit rating boosters, signal, battery, memory boosters. But these same applications exist for Windows. They do NOT appear on the game consoles. But what would you rather have? The safe walled garden or the free wilderness?
To be honest, most of the time the safe walled garden. It is just easier and life is already too complicated. The sad thing however if you are in that walled garden too long, the wilderness might have disappeared and you no longer have an option.
Think Amazon destroying the physical bookstore so that when they next delete a book, there is nowhere else to get it. If Apple owned 99% of the market, there would be no more malware. But what then would be defined as malware would be Apple's definition and not yours. And I don't like that idea one bit.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
First of all, why do people feel the need to point out issues in Apple products _every_ time there is an article about Android? So, this is the thing. The Andy Rubin hypocrite loves to put carriers (not users) first, and that is his top priority. That's what the asshole is talking about every time he says the word "ecosystem", which is about 1000 times every hour.
These idiots insist on having a minuscule team and will make it as difficult as possible for anyone from the outside to contribute and help them. They exist inside of Google but have very little contact with the rest of the company and almost nobody in engineering likes them, particularly the Rubin asshole.
The obvious solution to this is for the Android team to really focus on the user, the user, not the carrier. Stop wasting time on shit nobody cares about like new fancy filters for the camera and focus on the real problems. Also, the SDK is a fucking joke.
--
Disclaimer: I work for TAGA (The Arrogant Google Assholes)
The problem is "security" companies who make "proof of concept" code and release it into the wild instead of helping the companies with which they've found the flaw. This reminds me of the mob asking for protection money: they release the code, then they say look look android isn't secure UNLESS you buy our product.
I'm still chatting with my Nokia 8250. No, seriously, I do.
Your preinstalled HTC Facebook app harvests it.. whether you use it or not. Or even agreed to this.
Um, I don't know about your phone, but my HTC Sensation doesn't have any pre-installed Facebook apps that I could find. It has some crappy "Friend Stream" widget that you can install on one of your main screens if you choose, but that's not set up by default, and it only runs if you install it (it's a widget, not an app). I never installed mine, so it never runs. Besides, to allow it access to your Facebook account, you have to actually configure the widget with your FB account info. It can't magically figure out your FB username and password.
That's the thing. Practically none of the malwares that have been reported have been widespread (50,000-100,000 cumulative infected installs), none of which are currently available on the Android Market. All of these malwares can be uninstalled by going through the standard uninstall procedure. All of these malwares also require the user to consent to such permissions as "SERVICES THAT COST YOU MONEY / Send SMS".
Avast for Android.
A/V, malware scanning, limited firewall, and theft protections.....
I use it on every device.
"Now how many of these apps can self install on an android phone without the owners knowledge?" -
On ANDROID? Here's an example of it:
http://www.theregister.co.uk/2010/11/10/android_malware_attacks/
* So please: DON'T EVEN TRY TO MAKE IT SOUND LIKE "IT CAN'T HAPPEN ON ANDROID", because it clearly can, and ANDROID (thus Linux) IS NO MORE SECURE THAN ANY OTHER OS!
Linux just has less users (Linux on the desktop) WHICH IS WHY IT'S NOT TARGETED AS MUCH (not as much "ROI" for the malware makers attacking 1% of the total market when roughly 94% of it is on Windows & 5% is on MacOS X).
APK
P.S.=> PERTINENT QUOTE/EXCERPT FROM THE ARTICLE LINK ABOVE:
No permissions necessary
By Dan Goodin in San Francisco
Posted in Malware, 10th November 2010 22:09 GMT
"Researchers have disclosed bugs in Google's Android mobile operating system that allow attackers to surreptitiously install malware on users' handsets."
"The most serious of the two flaws was poignantly demonstrated on Wednesday in a proof-of-concept app that was available in the Google-sanctioned Market. Disguised as an expansion for the popular game Angry Birds, it silently installs three additional apps that without warning have access to a phone's contacts, location information and SMS functionality and can transmit their data to a remote server."