Slashdot Mirror


More Malicious Apps Found On Google Play

suraj.sun writes "We've seen quite a few Android malware discoveries in the recent past, mostly on unofficial Android markets. There was a premium-rate SMS Trojan that not only sent costly SMS messages automatically, but also prevented users' carriers from notifying them of the new charges, a massive Android malware campaign that may be responsible for duping as many as 5 million users, and malware controlled via SMS. Ars Technica is now reporting another Android malware discovery made by McAfee researcher Carlos Castillo, this time on Google's official app market, Google Play, even after Google announced back in early February that it has started scanning Android apps for malware. Two weeks ago, a separate set of researchers found malicious extensions in the Google Chrome Web Store that could gain complete control of users' Facebook profiles. Quoting the article: 'The repeated discoveries of malware hosted on Google servers underscore the darker side of a market that allows anyone to submit apps with few questions asked. Whatever critics may say about Apple's App Store, which is significantly more selective about the titles it hosts, complaints about malware aren't one of them.'"

22 of 143 comments

  1. Except by Anonymous Coward · · Score: 4, Insightful

    >complaints about malware aren't one of them
    So the ones that raid your contacts and send the information to persons unknown are fine?

    1. Re:Except by devleopard · · Score: 3, Insightful

      I've never seen or installed such an app on my iOS devices. I'm sure if I spent some time searching the Slashdot archives, there'd be at least one article; I'm sure the apps do exist. (And are no longer on the app store today). However, these articles about Android malware are weekly, or more often. Google needs to shut it all down, and then relaunch Play where all apps are properly vetted.

      Would that destroy the "freedom" concept? Maybe, but such an idea just doesn't work. Would you run any random Windows app on a Windows machine without an antivirus? Android has a massive smartphone share, and it's thusly going to be targeted. Imagine a 1997 where 40% or more of all computers sold came with Mac OS or Redhat. Do you think that today we'd know those platforms as untargeted by malware? Of course not. Either Google needs to lock things down, or we'll start seeing Norton or McAfee on the phones within the year.

      --
      The best thing about a boolean is even if you are wrong, you are only off by a bit.
    2. Re:Except by Cute+Fuzzy+Bunny · · Score: 3, Informative

      Yep, that was the funny part of the article. "Whatever critics may say about Apple's App Store, which is significantly more selective about the titles it hosts, complaints about malware aren't one of them.'"

      But one of them would be that the assertion is ridiculously incorrect.

      Even weak google-fu turns up this, among many...
      http://nakedsecurity.sophos.com/2011/11/08/apple%E2%80%99s-app-store-security-compromised/

      Why do apple people think their products and services are malware proof, even though anyone with a self respecting brain capacity would know it's not true in theory or in practice? Is that why they pay twice as much for stuff?

    3. Re:Except by PNutts · · Score: 5, Insightful

      >complaints about malware aren't one of them
      >So the ones that raid your contacts and send the information to persons unknown are fine?

      No, but who could have imagined the apps below would harvest your contacts! It's almost like they were built specifically to share information.

      Foursquare
      Path
      Instagram
      Facebook
      Twitter for iOS
      Voxer

    4. Re:Except by BasilBrush · · Score: 4, Insightful

      You finding an example of malware doesn't disprove the assertion that people are complaining about malware on the iOS App Store. Just as finding one criminal in the country's safest town wouldn't mean people are complaining about crime there.

      iOS App Store has a minuscule amount of malware compared to its size. There's orders of magnitude more malware on the Android stores.

    5. Re:Except by BasilBrush · · Score: 4, Informative

      >So the ones that raid your contacts and send the information to persons unknown are fine?

      Clearly not. But they are many times less bad than the Android one described that is costing you serious money by sending premium-rate SMSs.

  2. It drives me crazy by Reed+Solomon · · Score: 4, Insightful

    Why can't they offer a vetting process for apps? Not everything needs the "Google seal of approval", but having a google verified or trusted apps icon appear on an app might alleviate some of the problems, or at least the perception of the google market store (I can't call it google play store, it's just stupid) being a haven for malware and cheap ripoffs.

    In fact, this could be a policy that a third party app store could institute. It would be interesting to see it happen, as they could potentially become more popular than Google's own store.

    1. Re:It drives me crazy by alostpacket · · Score: 4, Interesting

      AFAIK, contrary to popular belief Google does not make much off of app sales. That money goes to the user's carrier. Rumor has it this was a back-room deal in the early days of Android to prevent carrier app stores (which were terrible back in the BREW days).

      --
      PocketPermissions Android Permission Guide
    2. Re:It drives me crazy by Microlith · · Score: 3, Insightful

      That's meaningless for the problem at hand, which is that Google's own store is being used as a vector for malware. Google pressing a bit harder on app developers to prevent their store being a hazardous place would have no impact on the openness of the platform.

  3. Happening on App Store too by chrb · · Score: 5, Insightful

    "some of App Store's shiniest celebrities are among those that beam away your contact list in order to make hooking up with other friends who use the app smoother. " http://m.gizmodo.com/5885321/how-iphone-apps-steal-your-contact-data-and-why-you-cant-stop-it

    1. Re:Happening on App Store too by chrb · · Score: 5, Informative

      It's the same problem. From ArsTechnica:

      "Google has removed at least 15 Android apps from its official Play market after receiving outside reports they were malicious trojans that siphoned names, telephone numbers of email addresses of every person in the phone's contact list.

      ..In the background and without warning, they also obtained the phone number and a unique identifier of the infected device and sent the information in clear text to a remote server under the control of the software developers. "

      Which is exactly what some iOS apps are also doing. This is not an Android specific problem.

    2. Re:Happening on App Store too by gstrickler · · Score: 3, Informative

      5 of those 6 apps listed give you a warning and/or choice before they touch your contacts. Path is the only one that does it without your consent.

      I only have one of those 6 installed (FB), and I did not give it permission to access and synchronize my contacts, and I never will.

      As others pointed out, comparing that to malware is more than a stretch. You could make a case for Path qualifying because it did so without notification or consent. At most, that's one app that qualifies. Even if you do count it as malware, comparing it to malware that sends SMS messages that cost you money is absurd.

      If you want to point out malware on iOS, you should point to the 2-3 actual cases of malware that have been found in the App Store over the years, not 5 applications that notify you they're going to access your contacts.

      --
      make imaginary.friends COUNT=100 VISIBLE=false
  4. Permissions by pd0x · · Score: 3

    I think it's worth noting that the new malicious applications found by McAfee researchers were video trailer applications that overtly requested the READ_PHONE_STATE and READ_CONTACTS permissions at install time.

    While it's clear that users have limited comprehension of the permissions requested at install time (for instance see: Android Permissions: User Attention, Comprehension, and Behavior) it is rather suspicious that a trailer application requires access to your contact list. From the sounds of it the malware doesn't do much other than siphon off your contact list & some identifying information (Android ID & phone number).

    Should it be removed from the Android market? Yes. Is it the best example of subversive Android applications? Probably not.

    1. Re:Permissions by alostpacket · · Score: 4, Informative

      You don't need a permission to read the Android Device ID, however READ_PHONE_STATE gives them access to the ESN, MEID, IMEI, IMSI etc...

      The other worrisome problems with that permission are that:

      1) It is granted by default for any apps targeting 1.5 or below, and the user is not warned about it.

      2) It also allows some access to see incoming and outgoing numbers when a call is taking place.

      --
      PocketPermissions Android Permission Guide
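An added example, not part of the comment above or of any Android tooling: a manifest check for the two permissions this thread discusses, including the implicit READ_PHONE_STATE grant for apps targeting Android 1.5 (API level 3) or below. It assumes the manifest has already been decoded to text XML with numeric SDK levels; `review_manifest` and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
PHONE_STATE = "android.permission.READ_PHONE_STATE"
CONTACTS = "android.permission.READ_CONTACTS"

def review_manifest(manifest_xml):
    """Return (target_api, findings) for one decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    sdk = root.find("uses-sdk")
    # A missing minSdkVersion means 1; a missing targetSdkVersion means minSdkVersion.
    min_api = int(sdk.get(A + "minSdkVersion", "1")) if sdk is not None else 1
    target_api = int(sdk.get(A + "targetSdkVersion", min_api)) if sdk is not None else min_api
    findings = []
    if PHONE_STATE in requested:
        findings.append("READ_PHONE_STATE requested: device/subscriber IDs, call numbers")
    elif target_api <= 3:  # API level 3 is Android 1.5
        findings.append("READ_PHONE_STATE granted implicitly (target API %d), "
                        "not shown at install" % target_api)
    if CONTACTS in requested:
        findings.append("READ_CONTACTS requested: full contact list readable")
    return target_api, findings

# Constructed sample: a trailer-style app that asks for both permissions openly.
TRAILER_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.trailers">
  <uses-sdk android:minSdkVersion="7" android:targetSdkVersion="8"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

# Constructed sample: no uses-sdk element at all, so the target API defaults to 1.
LEGACY_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.legacy">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("trailer", TRAILER_APP), ("legacy", LEGACY_APP)):
        print(name, review_manifest(xml))
```

The second sample is the case the install-time permission list does not reveal: nothing in the manifest names READ_PHONE_STATE, yet the app holds it.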
    2. Re:Permissions by pd0x · · Score: 3, Interesting

      It seems that a good number of apps do this to "find friends" using the app. It would certainly be much better if upon app installation your associated account e-mail was hashed using SHA256 (or some alternative hashing algorithm) and stored by the service. Rather than upload a user's entire contact list the apps could then submit hashes of contact e-mail addresses looking for matches without being able to identify users not using the service in question.
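The hashed lookup described in the comment above, written out as an added example with both sides of the exchange; it is not code from the commenter or from any app named in this thread. `FriendService`, `find_friends`, the trim-and-lowercase normalization and the sample addresses are assumptions made for illustration.

```python
import hashlib

def normalize(email):
    # Assumed rule: trim and lowercase so client and server hash identical bytes.
    return email.strip().lower()

def email_digest(email):
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()

class FriendService:
    """Server side: keeps only SHA-256 digests of registered account e-mails."""

    def __init__(self):
        self._members = {}  # digest -> public handle

    def register(self, email, handle):
        self._members[email_digest(email)] = handle

    def match(self, digests):
        # Digests that belong to no member are dropped, not stored.
        return {d: self._members[d] for d in digests if d in self._members}

    def stored_keys(self):
        return list(self._members)

def find_friends(service, contacts):
    """Client side: hash locally, upload digests only, map matches back."""
    by_digest = {email_digest(c): c for c in contacts}
    matches = service.match(list(by_digest))
    return {by_digest[d]: handle for d, handle in matches.items()}

def demo():
    # Constructed sample data.
    service = FriendService()
    service.register("alice@example.com", "alice")
    service.register("Bob@Example.org ", "bob")
    contacts = ["ALICE@example.com", "bob@example.org", "carol@example.net"]
    return service, find_friends(service, contacts)

if __name__ == "__main__":
    _, friends = demo()
    print(friends)
```

An unsalted hash of an e-mail address can still be confirmed by anyone who hashes a guessed address, so this limits what is uploaded rather than making non-members anonymous.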

    3. Re:Permissions by Electricity+Likes+Me · · Score: 3, Insightful

      Actually the real problem is you can't hit "no" and continue with the installation.

      Knowing what an app wants to do is one thing, but it doesn't tell me whether it's actually malicious. Getting an intelligent list of what it tried to do would help. Being able to tell my tablet to disallow or just lie about certain things would help more though - i.e. prevent access to contacts data, or, better, pretend I don't have any contacts data.

  5. And Apple addressed it by daveschroeder · · Score: 3, Insightful

    Apple: App Access to Contact Data Will Require Explicit User Permission

    I guess you forgot that part.

    And the part about how these apps weren't "malware", irrespective of whether they were doing something previously allowable without explicit user permission.

    So it's not at all accurate to say that it's "happening on the App Store too".

    1. Re:And Apple addressed it by chrb · · Score: 4, Informative

      And how is that solution different from Android? Android already requires users to authorize apps to read contact details, the problem is that most people don't care. These Android apps are being called malware because they upload the contacts list without permission, which is exactly the same as many ios apps do.

    2. Re:And Apple addressed it by 93+Escort+Wagon · · Score: 5, Interesting

      >And how is that solution different from Android? Android already requires users to authorize apps to read contact details, the problem is that most people don't care. These Android apps are being called malware because they upload the contacts list without permission, which is exactly the same as many ios apps do.

      Either you've never looked into this, or you're dissembling. I have an Android phone; and at the time an app is installed Android provides a somewhat generic list of all the things the app will have access to - there are usually a half dozen or so items on that list, and it would be very easy to overlook contact Info since it's somewhat buried among the generic stuff like phone state, network access, and so on.

      With iOS, when an app tries to access Contacts - you get a pop-up at that time telling you that and asking if it should be allowed. It's a dramatic improvement over what it used to be, and over what Android currently does.

      --
      #DeleteChrome
    3. Re:And Apple addressed it by Electricity+Likes+Me · · Score: 3, Interesting

      This, so much this.

      Telling me something wants a bunch of vague permissions is about as useless as the iPhone "This app may read private data" message, since pretty much everything wants to do that.

      What I want is to be able to see exactly what it's planning to do. If an eBook reader app wants SD card access, maybe I want to only give it access to the "Books" directory on the card, since it has no reason to look anywhere else. If something wants full web access...well I'd like to prevent that, and then see if the app has any actual problems. Or I'd like to be notified about the hostnames being contacted and whitelist/blacklist them selectively.

      Of course, these aren't Android or even smartphone specific problems IMO - it's a problem with providing user security on every single platform in existence. No one's made it suitably simple to tell what an app is doing, or wants to do, and allow or deny that with reasonable, but not overpowering, fidelity.

  6. Google gathering ripoff-artists by Jens+Egon · · Score: 3, Insightful

    Yes, there's a significant problem here.

    The problem is that Google does NOT like free apps. Google make their money from advertising, and on Google Play they're actively hiding whether apps are paid for by advertising. This means that FOSS is having a hard time there. And cheap rip-offs of various kinds are having a field day. Once a thriving community of rip-off artists have been gathered bad things(tm) happen (even more).

    By the way. Congratulations, the professional anti-Google scaremongers found a semi-reasonable point to criticize. Well done.

    And just enough off-center from the real problems not to bother your Corporate Overlords, nice.

  7. Re:When did the trolls start posting articles? by BasilBrush · · Score: 4, Funny

    I've seen a recent study (too lazy to search for it) that says that the Queen of England is a Lizard.