Slashdot Mirror
Android Hackers Honing Skills In Russia
MikeatWired writes "The malware business growing around Google Android — now the leading smartphone operating system — is still in its infancy. Today, many of the apps built to steal money from Android users originate from Russia and China, so criminal gangs there have become cyber-trailblazers. Sophos and Symantec on Wednesday released their latest Android malware discoveries written in Russian. While the language narrows the number of potential victims, the social-engineering tactics used to get Android users to install the malware is universal. The gang tracked by Sophos is using fake antivirus scanners, while Symantec is tracking cybercriminals using mobile websites to offer bogus versions of popular games. Sophos says the criminals are like other entrepreneurs launching startups. They're starting in Russia, but have far greater ambitions. 'I don't think we can say that they're necessarily using it as a testing ground — think of it more as a local business that as it grows may gain multinational ambitions,' Graham Cluley, senior technology consultant at Sophos, said in an email interview on Wednesday. The cyber scam tracked by Sophos was reported this week by GFI Lab, which discovered links to the bogus antivirus software on Twitter. Sophos dug deeper and found that the .ru domains pointed to the same Internet protocol address hosted in Ukraine."
With android isn't it just easier to write a legitimate app and just rake in the cash? I don't see the reasoning behind going through all the extra effort, the money laundering, etc.
Help stamp out iliturcy.
With android isn't it just easier to write a legitimate app and just rake in the cash?
HA HA HA HO HE HA HA HA HA.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Your desktop likely has the same malware problems any android phone will have. Why? It's not a walled garden. Well, android is in a sense more of a walled garden than your desktop, however not nearly as much of one as iOS/WP. Android virus infections are the result of a pebkac, and nothing more. In other news, I was originally going to make a soviet Russia joke.
Feel free to mod me down, just know that unlike some Anonymous Cowards I'm not afraid to express my views as myself.
Unfortunately I agree. I used to love Android when it was at version 2.x but I have since been using an iPhone (provided by my employer). Now that I have seen all the malware floating around the Android Market, I don't think I will go back. I'm not anti-Google. I use a lot of Google services and I'm not one of those privacy concerned people. But I do care about installed crap software on my devices whether it be a phone of a computer.
This is possible on Android because you can install software from anywhere, including Google's Play marketplace, Amazon and other places, or just side-loading apk files. Google's market is affectively malware-free, although the occasional software may pop up again in the future there because they don't have an extremely intrusive evaluation process. Maybe they, or someone else should create one. This is the price you pay for freedom ... you're not trading for security. This is not an anti-Google story.
That said, yes, there are a lot of anti-Google stories, far more than there are for those that are the most likely for funding them (FaceBook was caught before, but I think there are others as well). They will eventually be caught, and the vast majority of the population will ignore the news, just like the vast majority ignore the anti-Google stories and continue to fund pooly behaved companies based on trends, fashion, and advertising.
PEBKAC isn't really relevant in this context. In any case if you for whatever reason want your phone to be as open as your computer then you need to take those extra precautions of a non-locked down system, if you choose a walled-garden approach instead you don't have to concern yourself with such things nearly as much...but that's the great thing about the choice of mobile platforms in today's market.
How many times have you Android phone been infected?
Android's biggest malware problem is users who intentionally went in and set WALLED_GARDEN=OFF so they could install warez.
Yes, Google's app store has some crappy policies which let malware slip through, but most of it is users bringing it on themselves.
I've made over $5K off a single live wallpaper.
That's nice.
How much have you made on iOS?
More, but it's really crude to bring up specifics.
As a consultant you can do pretty well in either space, but if you are trying to sell an app for money you are going to do better (much better) on iOS still. That's regardless of genre...
But my reaction was really platform neutral. You cannot simply "whip something up" as the OP seemed to imply, and get rich the way the guys with the exploits are getting rich off burgled CC details and the like.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I agree. Human behavior is a valid engineering problem, and reducing certain functionality to get around it for certain situations is a valid engineering tradeoff. A problem is a problem, keyboard and chair are irrelevant. Apple would rather deal with angry geeks who scream about freedom and openness and who like most geeks have no functional concept of engineering tradeoffs than have dimitri and olga kill somebody because they intentionally (or even worse, accidentally) disabled 911 access when they tried to pwn someone's Android device through the pirated copy of Hot Nude Bolshevik Solitaire the user downloaded from Leonid's Spice Dicey Back Alley Appstore.
android hacks YOU
Problem is, people want phones - something they can pick up and play with immediately. Not think about it nor have antivirus/antispyware software installed and running as well like their PCs.
Plus, with all the coolness surrounding apps, you have the Dancing Pigs problem - people just want to go to the app store or market, click download and get going on that cool app. It's why sites all have direct links to the stores, or QR codes to scan - to get that app in the user's hands ASAP. As a result, they're not going to look at stuff like permission lists and such because that's just getting in the way of running the app.
Hell, ICS made it even easier to install apps without seeing the permission list - tap install and it takes you to the permission screen, but the install button is near the top and the permissions at the bottom. Users are more likely to just tap "download" rather than pull their eyes down and over the permission list.
Of course, the other thing is, Android makes it easy to sideload apps, so people love searching Bittorrent for new apps...
The issue is Android's permission system is all technical wonkery and doesn't map well onto actual human use cases.
For example, you could have a perfectly legit app which needs Internet access (why not?), and address book access (for sharing functions), but you still have no idea if they could/would sell upload your contacts and sell them to spammers. Not to mention all Android apps ask you for these permissions, even Google's apps.
Android permissions is what you get when you ask computer scientists to solve what is essentially a legal and 'trust' problem that requires some human judgement. This is a very difficult problem to solve, but "users don't understand permissions" is not really the problem.
Business. Numbers. Money. People. Computer World.
Alright, but you see, you can turn that off on any system. See, people jailbreak their iPhones too. I have no experience with WP but there must be a way. My point is, the malware problem actually goes deeper than these shallow observations.
Companies, like Apple, Google, Microsoft have their spyware already in place, and most of the people don't bother at all. So what difference does it make, if you let other people spy on you?
It is about the mindset of the user. Walled garden is the worst solution to this problem because while you leaving behind the "wild-west" of untrusted sources of software, in practice you just give the control of your device over to an other profit-driven company.
Instead, we should "empower" the user with the knowledge and control over their devices and the rest is their making. If someone is stupid enough to download whatever application is offered, they will learn on the hard way.
The android problem has nothing to do with the fact the kernel is Linux. Linux based operating systems are tend to be secure because there's a community maintained software repository accompanied to them. Most of the software can be review by anybody because the source code is available. Also, you are completely in charge of your computer if you're choosing the right distro. Android is partially open only, and Google Play don't have the same approval mechanism like the Debian's repository. Once we get some Debian alike distro on our mobiles, we can say that we have a secure operating system on our mobile devices.
Can't we get both? I mean, freedom to have complete control over our devices and only trusted applications running on it? For me it sounds like it was the same problem: Apple is not a trusted company. Neither is. But me, as a geek, I'm trusted already by my friends and family to fix their fucked up devices. So for the same reason, the software I use, should be trusted by them. Can't we build repositories based on trusted social connections, rather than profit-driven business entities?