1.2% of Apps On Google Play Are Repackaged To Deliver Ads, Collect Info
An anonymous reader writes "Not a month goes by without security researchers finding new malicious apps on Google Play. According to BitDefender, more than one percent of 420,000+ analyzed apps offered on Google's official Android store are repackaged versions of legitimate apps. In the long run, their existence hurts the users, the legitimate developers, and Google's reputation in general. Google Play has recently surpassed the one million mark when it comes to the apps it offers, and the researchers have analyzed a good chunk of the total in order to discover just how many are hiding their true nature."
F-Droid is the open source store. Plenty of good apps there that do just about anything you'd need an app to do, for free as in beer and free as in speech.
https://f-droid.org/
The total number of apps doesn't matter. The only stats worth anything involve the number of apps that are actually downloaded and run. There are thousands of useless or malware infested apps out there but are people really using them?
How many people install the adware apps, though? I'd wager that the proportion of _downloads_ of adware is significantly less than 1.2%.
Fortunately the other 98.8% of apps are still able to deliver ads and collect your info in the manner intended by their original developers.
I personally dislike Google's all-or-nothing approach to permissions. It gives the user a complete list of things (some of which may be valid and some not) with absolutely no context as to why they need this and then basically tells you that if you want the app then you have to accept the lot.
Coupled with a barely managed market place, you're just asking for someone to slip something malicious into the store and for anyone downloading it to blindly hit "accept".
A better method would be to rationalise some of the permissions (for example, do you really need to spook everyone with "read call state" given that it's used to suspend an app when a call comes in?) and then pop up a request to access the other permissions at the time when they are needed - a la iPhone.
That way I know why my app wants to access my contacts (because I've just pushed the button that says "invite a friend to a game") and also means that if I'm not comfortable with it having access to my call history then I can decline and still have the opportunity to continue using it.
Avantslash - View Slashdot cleanly on your mobile phone.
Mozilla allows that, too. There's a slimeball company that takes over abandoned Firefox add-ons, adds spyware, and puts them up on Mozilla's "store". They did this to BlockSite. Users were very angry.
Mozilla's reaction? Mozilla's add-on policies prohibit this: "Whenever an add-on includes any unexpected* feature that ... compromises user privacy or security (like sending data to third parties)" ...
"These features cannot be introduced into an update of a fully-reviewed add-on; the opt-in change process must be part of the initial review."
The spyware was just fine with Jorge Villalobos, Mozilla's add-on project manager, who wrote "That's outdated, since we don't enforce that policy."
You can't trust the Mozilla Foundation any more. That's sad.
Fanboy much lately?
I wonder if the Amazon android marketplace has this issue. I wonder if anyone even cares.
There's the problem right there. It isn't possible to have 1 million apps that are actually useful. Not even close. Just that number alone tells you that there is a problem -- that you have an enormous number of apps that are simply duplicates of others or malicious or just plain useless.
Not a month goes by ...
* Without someone finding salmonella in a piece of chicken ...
* Without someone finding a defect in a new GM car
* Without someone's computer crashing
* Without someone finding a spelling error in a Slashdot post
Out of 420,000 apps, does finding malware every month really signify something? Or is 1% a high rate?
Here is a decent graphic showing just what is being added to these repackaged applications.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Here is the original article in case anyone is interested. It goes into greater detail about the issues involved.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
That's outdated, since we don't enforce that policy. As long as the feature is opt in, it is acceptable to introduce it in an update.
Google should be proactive about this (more so if they already are) because in a sense they are starting to become the Microsoft of mobile, with crap embedded and 3rd party apps.
I guess I have a winner for my "Who can fuck up Linux the worst" contest.
"If any question why we died, Tell them because our fathers lied."
A couple of simple things can be done to avoid phone malware.
1) Investigate the app before you install it. Click on the developer's web page and see if it looks legit. Read the reviews. Check to see that the permissions it's asking for have a legitimate purpose.
2) As TFA notes, most of these malware apps are free. Stay away from "free" apps from unknown developers. You're better off paying 99c, $1.99, $2.99 to give the developer a legitimate revenue stream than incentivizing them to pimp you out to shady third party advertisers.
3) In other words, remember that your phone is a computer. Don't take careless risks with your phone or tablet that you would never take with your desktop or laptop.
There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
How soon people forget there are still all sorts of places to get modified Windows toolbars and shit ass apps like BearShare and the like for free, and most of them hose you and phone home to momma. Most likely it is the same crowd of assholes that are modding Android apps and including phone home features that did shit like BearShare and all the other Windows crapware back in the 90's. I just wonder how many of the gambling and porn sites are distributing free shit apps for Android, most likely about the same number that include iPhone, iPad and Windows apps on their sites.
As long as there are Ponzi scams like Linkbucks and largely Mafia run gaming and porn sites happening on the net you will have shitty apps that phone home or redirect. It is no surprise that they are targeting Android. Again it comes down to: if the original source is not available DON'T TRUST IT, and this includes any app that is free to use regardless of the OS. ESPECIALLY good apps that have been modified and redistributed by someone else and do not match the checksum of the original binary.
It is not that these assholes that write phone home apps don't still write crap for Windows, it is just that they are going after a much larger audience when they target Android devices. Google does need to get proactive and dump the bullshit apps from their store though.
Microsoft seems to be learning the lesson, but because they are starting to really fall behind in the consumer device market we will not see many shit apps for Windows Phone or RT. Naturally this does not mean that all the shit apps for x86 will disappear; it is just that fewer and fewer older Windows devices are using the net, and the scamware writers are trying desperately to catch up with the usage curve, which has swung decidedly toward Android. Last but not least, most users have over the years been scared away from installing free apps off the net on Windows, and there is damn good reason for it! Crapware is a plague and the only answer is to expose the apps and remove them from the net if possible.
I have a friend that frequents gaming sites and regularly complains about how shitty his high end i5 laptop with Win7 runs, but the guy just does not understand how malicious the spyware from gaming sites can be. He even has tool bars with activeX which are installed for his gaming sites. I warn him but he just does not get it, but then again I would say he is addicted to gambling so perhaps he is having trouble seeing through his WINDOWS with the rose coloured glasses he wears.
This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
repackaging apps to remove the (*&(*& advertising. But it would have been only for my own benefit.
Are there any good estimates on the number of actual mobile infections out there?
Security firms' press releases all talk about the number of malware app kinds detected, and most aren't even clear on where they look and what constitutes malware in their definition.
The only prompt which should ever appear when installing an app is for the owner to select a profile of permissions the owner of the device feels comfortable giving to the application. Once this decision is made, the operating system is expected to do whatever is necessary to sell the lie that Rumpelstiltskin at 7185551212 is my only contact, my current location is the South Pole and my phone number is 1-900-909-4300.
The problem is none of the current cast of characters - not Microsoft, Google, or Apple - give a shit about the user; they only care about profits, which is why the user is always allowed to be treated like shit. Their days of owning the mobile OS space are numbered.
From the tone of the article this sounds scary!
But really, 1.2% Come on! That's tiny! 1.2% tells me Google is doing a pretty good job!
Repackaged versions of real apps? Oooooh... scary! If you see a second copy of an app, especially one with worse ratings, or a free app with a different author than the same paid app.. DON'T INSTALL IT. Duh!!
SourceForge?
The "best you got" = unjustifiable downmods? You've got zero... & you know it, I know it (as does anybody else reading with 1/2 a brain).
* To top that off, others will see it anyhow (bet THAT just "breaks your heart", doesn't it?)... It's been up for nearly 3 hrs. anyhow - you're TOO LATE anyhow!
Yes, folks: It truly makes me laugh - just SEEING you "struck speechless" thus!
(You, with NO VALID on topic critique to disprove the points I made on the value of hosts in added speed, security, reliability, & even anonymity (to an extent on the latter) - only technically unjustified downmods, nothing more, lol!).
I love it...
APK
P.S.=> Well, that's fine by me, since You're only making me STRONGER each time you fools bogusly downmod my posts on hosts (you know that, don't you?) & yet you can't offer ANY valid technical critique vs. my points
... apk
This means that I blindly need to install about 100 apps in order to get one or two that are "malicious". If some effort is invested in judging the legitimacy of the apps, then all 100 installs will probably turn out to be ok. This sounds pretty fine to me.
Perhaps the Android garden doesn't need a wall, but it could really use a full time gardener
Was it Paranoid Android or CyanogenMod that had a system in which it gave these apps fake info and sandboxed them... The apps installed but privileges revoked?
Apps are a cesspit of cheap wares, flashy icons, and dubious peddling of every description. The app stores most resemble the cheap ads section of tabloid newspapers, and may as well have LET THE BUYER BEWARE and similar slogans etched in 50 foot high letters over the entrance.
There is no quality control for apps, no guarantees, no trust, no reliability, and in the vast majority of cases, no useful purpose. If this is the future of the software industry, then the software industry has no future.
If I wanted to go back to the dark days of late 1990's freeware, I would have asked.
May the Maths Be with you!
You really think that works? I sell Android Open Source by the GPL rules: legitimate customers can request the source code — but nobody ever does. I do mention it. It is not a hidden secret. Still no one is interested.
And on the other side I don't expect donations to flow in if I used that site. Once the average user has his app he is not interested either in source or donations.
I for one continue to use the GPL allowance to sell the binary and only give away bare source for fee.
You have to remember the internet safety rules though. We all know them. If an app has a piss poor rating don't use it, that's the same system we use everywhere. If the app is acting shady don't use it. If shady stuff happens after you install the app don't use it. And always clean your machine afterwards.
That said, I wonder what percent of the apps on the Play Store are *legitimately* using adware and collecting information, like Facebook, Kik and the Play Store itself. I suppose it's only illegit if the app is distributed by pirates.