Slashdot Mirror


More Malicious Apps Found On Google Play

suraj.sun writes "We've seen quite a few Android malware discoveries in the recent past, mostly on unofficial Android markets. There was a premium-rate SMS Trojan that not only sent costly SMS messages automatically, but also prevented users' carriers from notifying them of the new charges, a massive Android malware campaign that may be responsible for duping as many as 5 million users, and a malware controlled via SMS. Ars Technica is now reporting another Android malware discovery made by McAfee researcher Carlos Castillo, this time on Google's official app market, Google Play, even after Google announced back in early February that it has started scanning Android apps for malware. Two weeks ago, a separate set of researchers found malicious extensions in the Google Chrome Web Store that could gain complete control of users' Facebook profiles. Quoting the article: 'The repeated discoveries of malware hosted on Google servers underscore the darker side of a market that allows anyone to submit apps with few questions asked. Whatever critics may say about Apple's App Store, which is significantly more selective about the titles it hosts, complaints about malware aren't one of them.'"

12 of 143 comments

  1. Except by Anonymous Coward · · Score: 4, Insightful

    >complaints about malware aren't one of them
    So the ones that raid your contacts and send the information to persons unknown are fine?

    1. Re:Except by PNutts · · Score: 5, Insightful

      >complaints about malware aren't one of them
      >So the ones that raid your contacts and send the information to persons unknown are fine?

      No, but who could have imagined the apps below would harvest your contacts! It's almost like they were built specifically to share information.

      Foursquare
      Path
      Instagram
      Facebook
      Twitter for iOS
      Voxer

    2. Re:Except by BasilBrush · · Score: 4, Insightful

      You finding an example of malware doesn't disprove the assertion that people are complaining about malware on the iOS App Store. Just as finding one criminal in the country's safest town wouldn't mean people are complaining about crime there.

      iOS App Store has a minuscule amount of malware compared to its size. There are orders of magnitude more malware on the Android stores.

    3. Re:Except by BasilBrush · · Score: 4, Informative

      >So the ones that raid your contacts and send the information to persons unknown are fine?

      Clearly not. But they are many times less bad than the Android one described that is costing you serious money by sending premium-rate SMSs.

  2. It drives me crazy by Reed+Solomon · · Score: 4, Insightful

    Why can't they offer a vetting process for apps? Not everything needs the "Google seal of approval", but having a google verified or trusted apps icon appear on an app might alleviate some of the problems, or at least the perception of the google market store (I can't call it google play store, it's just stupid) being a haven for malware and cheap ripoffs.

    In fact, this could be a policy that a third party app store could institute. It would be interesting to see it happen, as they could potentially become more popular than Google's own store.

    1. Re:It drives me crazy by alostpacket · · Score: 4, Interesting

      AFAIK, contrary to popular belief Google does not make much off of app sales. That money goes to the user's carrier. Rumor has it this was a back-room deal in the early days of Android to prevent carrier app stores (which were terrible back in the BREW days).

      --
      PocketPermissions Android Permission Guide
  3. Happening on App Store too by chrb · · Score: 5, Insightful

    "some of App Store's shiniest celebrities are among those that beam away your contact list in order to make hooking up with other friends who use the app smoother. " http://m.gizmodo.com/5885321/how-iphone-apps-steal-your-contact-data-and-why-you-cant-stop-it

    1. Re:Happening on App Store too by chrb · · Score: 5, Informative
      It's the same problem. From ArsTechnica:

      "Google has removed at least 15 Android apps from its official Play market after receiving outside reports they were malicious trojans that siphoned names, telephone numbers of email addresses of every person in the phone's contact list.

      ...In the background and without warning, they also obtained the phone number and a unique identifier of the infected device and sent the information in clear text to a remote server under the control of the software developers."

      Which is exactly what some iOS apps are also doing. This is not an Android-specific problem.

  4. Re:Permissions by alostpacket · · Score: 4, Informative

    You don't need a permission to read the Android Device ID, however READ_PHONE_STATE gives them access to the ESN, MEID, IMEI, IMSI etc...

    The other worrisome problems with that permission are that:

    1) It is granted by default for any apps targeting 1.5 or below, and the user is not warned about it.

    2) It also allows some access to see incoming and outgoing numbers when a call is taking place.

    --
    PocketPermissions Android Permission Guide
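
The implicit grant described in the comment above can be checked from an app's decoded manifest. This is an added example, not part of the original thread or of any tool it mentions: it assumes the manifest is available as plain XML text, that "1.5" corresponds to API level 3, and the function name `audit_manifest` and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
LEGACY_TARGET_MAX = 3  # Android 1.5 is API level 3
READ_PHONE_STATE = "android.permission.READ_PHONE_STATE"
READ_CONTACTS = "android.permission.READ_CONTACTS"
INTERNET = "android.permission.INTERNET"

# Constructed sample: no targetSdkVersion and no READ_PHONE_STATE request.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
    <uses-sdk android:minSdkVersion="3" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
</manifest>
"""


def audit_manifest(xml_text):
    """Report declared, implicit and effective permissions for one manifest."""
    # Stdlib parser is fine for this sample; use a hardened parser on untrusted files.
    root = ET.fromstring(xml_text.strip())
    declared = {el.get(ANDROID + "name") for el in root.iter("uses-permission")}
    declared.discard(None)

    # targetSdkVersion falls back to minSdkVersion, which falls back to 1.
    sdk = root.find("uses-sdk")
    attrs = sdk.attrib if sdk is not None else {}
    min_sdk = int(attrs.get(ANDROID + "minSdkVersion", "1"))
    target_sdk = int(attrs.get(ANDROID + "targetSdkVersion", min_sdk))

    implicit = set()
    if target_sdk <= LEGACY_TARGET_MAX and READ_PHONE_STATE not in declared:
        implicit.add(READ_PHONE_STATE)
    effective = declared | implicit

    findings = []
    if implicit:
        findings.append("READ_PHONE_STATE granted implicitly (legacy target SDK)")
    if {READ_CONTACTS, INTERNET} <= effective:
        findings.append("can read contacts and reach the network")
    return {"target_sdk": target_sdk, "implicit": sorted(implicit),
            "effective": sorted(effective), "findings": findings}


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST)["findings"]:
        print(line)
```
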
  5. Re:And Apple addressed it by chrb · · Score: 4, Informative

    And how is that solution different from Android? Android already requires users to authorize apps to read contact details, the problem is that most people don't care. These Android apps are being called malware because they upload the contacts list without permission, which is exactly the same as many iOS apps do.

  6. Re:When did the trolls start posting articles? by BasilBrush · · Score: 4, Funny

    I've seen a recent study (too lazy to search for it) that says that the Queen of England is a Lizard.

  7. Re:And Apple addressed it by 93+Escort+Wagon · · Score: 5, Interesting

    >And how is that solution different from Android? Android already requires users to authorize apps to read contact details, the problem is that most people don't care. These Android apps are being called malware because they upload the contacts list without permission, which is exactly the same as many iOS apps do.

    Either you've never looked into this, or you're dissembling. I have an Android phone; and at the time an app is installed Android provides a somewhat generic list of all the things the app will have access to - there are usually a half dozen or so items on that list, and it would be very easy to overlook contact info since it's somewhat buried among the generic stuff like phone state, network access, and so on.

    With iOS, when an app tries to access Contacts - you get a pop-up at that time telling you that and asking if it should be allowed. It's a dramatic improvement over what it used to be, and over what Android currently does.

    --
    #DeleteChrome