1.2% of Apps On Google Play Are Repackaged To Deliver Ads, Collect Info
An anonymous reader writes "Not a month goes by without security researchers finding new malicious apps on Google Play. According to BitDefender, more than one percent of 420,000+ analyzed apps offered on Google's official Android store are repackaged versions of legitimate apps. In the long run, their existence hurts the users, the legitimate developers, and Google's reputation in general. Google Play has recently surpassed the one million mark when it comes to the apps it offers, and the researchers have analyzed a good chunk of the total in order to discover just how many are hiding their true nature."
F-Droid is the open source store. Plenty of good apps there that do just about anything you'd need an app to do, for free as in beer and free as in speech.
https://f-droid.org/
The total number of apps doesn't matter. The only stats worth anything involve the number of apps that are actually downloaded and run. There are thousands of useless or malware infested apps out there but are people really using them?
How many people install the adware apps, though? I'd wager that the proportion of _downloads_ of adware is significantly less than 1.2%.
I personally dislike Google's all-or-nothing approach to permissions. It gives the user a complete list of things (some of which may be valid and some not) with absolutely no context as to why they need this and then basically tells you that if you want the app then you have to accept the lot.
Coupled with a barely managed market place, you're just asking for someone to slip something malicious into the store and for anyone downloading it to blindly hit "accept".
A better method would be to rationalise some of the permissions (for example, do you really need to spook everyone with "read call state" given that it's used to suspend an app when a call comes in?) and then pop up a request to access the other permissions at the time when they are needed - a la iPhone.
That way I know why my app wants to access my contacts (because I've just pushed the button that says "invite a friend to a game") and also means that if I'm not comfortable with it having access to my call history then I can decline and still have the opportunity to continue using it.
Avantslash - View Slashdot cleanly on your mobile phone.
Mozilla allows that, too. There's a slimeball company that takes over abandoned Firefox add-ons, adds spyware, and puts them up on Mozilla's "store". They did this to BlockSite. Users were very angry.
Mozilla's reaction? Mozilla's add-on policies prohibit this: "Whenever an add-on includes any unexpected* feature that ... compromises user privacy or security (like sending data to third parties)" ...
"These features cannot be introduced into an update of a fully-reviewed add-on; the opt-in change process must be part of the initial review."
The spyware was just fine with Jorge Villalobos, Mozilla's add-on project manager, who wrote "That's outdated, since we don't enforce that policy."
You can't trust the Mozilla Foundation any more. That's sad.
I wonder if the Amazon android marketplace has this issue. I wonder if anyone even cares.
There's the problem right there. It isn't possible to have 1 million apps that are actually useful. Not even close. Just that number alone tells you that there is a problem -- that you have an enormous number of apps that are simply duplicates of others or malicious or just plain useless.
Not a month goes by ...
* Without someone finding salmonella in a piece of chicken ...
* Without someone finding a defect in a new GM car
* Without someone's computer crashing
* Without someone finding a spelling error in a Slashdot post
Out of 420,000 apps, does finding malware every month really signify something? Or is 1% a high rate?
Here is a decent graphic showing just what is being added to these repackaged applications.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
here is the original article in case anyone is interested. It goes into greater detail about the issues involved.
That's outdated, since we don't enforce that policy. As long as the feature is opt in, it is acceptable to introduce it in an update.
Google should be proactive about this (more so if they already are) because in a sense they are starting to become the Microsoft of mobile, with crap embedded and 3rd party apps.
I guess I have a winner for my "Who can fuck up Linux the worst" contest.
"If any question why we died, Tell them because our fathers lied."
A couple of simple things can be done to avoid phone malware.
1) Investigate the app before you install it. Click on the developer's web page and see if it looks legit. Read the reviews. Check to see that the permissions it's asking for have a legitimate purpose.
2) As TFA notes, most of these malware apps are free. Stay away from "free" apps from unknown developers. You're better off paying 99c, $1.99, $2.99 to give the developer a legitimate revenue stream than incentivizing them to pimp you out to shady third party advertisers.
3) In other words, remember that your phone is a computer. Don't take careless risks with your phone or tablet that you would never take with your desktop or laptop.
There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
How soon people forget there are still all sorts of places to get modified Windows toolbars and shit ass apps like bear share and the likes for free and most of them hose you and phone home to momma. Most likely it is the same crowd of assholes that are modding Android apps and including phone home features that did shit like bear share and all the other Windows crapware back in the 90's. I just wonder how many of the gambling and porn sites are distributing free shit apps for Android, most likely about the same number that include iPhone, iPad and Windows apps on their sites.
As long as there are ponzi scams like Linkbucks and largely Mafia run gaming and porn sites happening on the net you will have shitty apps that phone home or redirect. It is no surprise that they are targeting Android. Again it comes down to if the original source is not available DON'T TRUST IT and this includes any app that is free to use regardless of the OS. ESPECIALLY good apps that have been modified and redistributed by someone else and do not match the checksum of the original binary.
It is not that these assholes that write phone home apps don't still write crap for Windows, it is just that they are going after a much larger audience when they target Android devices. Google does need to get proactive and dump the bullshit apps from their store though.
Microsoft seems to be learning the lesson but because they are starting to really fall behind in the consumer device market we will not see many shit apps for Windows phone or RT. Naturally this does not mean that all the shit apps for x86 will disappear, it is just that fewer and fewer older Windows devices are using the net and the scamware writers are trying desperately to catch up with the usage curve which has swung decidedly toward Android. Last but not least most users have over the years been scared away from installing free apps off the net on Windows and there is damn good reason for it! Crapware is a plague and the only answer is to expose the apps and remove them from the net if possible.
I have a friend that frequents gaming sites and regularly complains about how shitty his high end i5 laptop with Win7 runs, but the guy just does not understand how malicious the spyware from gaming sites can be. He even has tool bars with activeX which are installed for his gaming sites. I warn him but he just does not get it, but then again I would say he is addicted to gambling so perhaps he is having trouble seeing through his WINDOWS with the rose coloured glasses he wears.
This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
The only prompt which should ever appear when installing an App is for the owner to select a profile of permissions the owner of the device feels comfortable giving to the application. Once this decision is made, the operating system is expected to do whatever is necessary to sell the lie that Rumpelstiltskin at 7185551212 is my only contact, my current location is the South Pole and my phone number is 1-900-909-4300.
The problem is none of the current cast of characters - not Microsoft, Google, Apple - give a shit about the user; they only care about profits, which is why the user is always allowed to be treated like shit. Their days of owning the mobile OS space are numbered.
From the tone of the article this sounds scary!
But really, 1.2%? Come on! That's tiny! 1.2% tells me Google is doing a pretty good job!
Repackaged versions of real apps? Oooooh... scary! If you see a second copy of an app, especially one with worse ratings, or a free app with a different author than the same paid app.. DON'T INSTALL IT. Duh!!
This means that I blindly need to install about 100 apps in order to get one or two that are "malicious". If some effort is invested in judging the legitimacy of the apps, then all 100 installs will probably turn out to be ok. This sounds pretty fine to me.
Perhaps the Android garden doesn't need a wall, but it could really use a full time gardener
Was it Paranoid Android or CyanogenMod that had a system in which it gave these apps fake info and sandboxed them... the apps installed but privileges revoked?
You're only making me STRONGER each time you fools bogusly downmod my posts on hosts (you know that, don't you?) & yet you can't offer ANY valid technical critique vs. my points
... apk
It wasn't me that down-modded you, but holy crap how long did it take you to enter all the bees, pees and a hrefs? Surprised you didn't use quote or li.
I commend you sir for being the most imaginative anon coward I have ever had the privilege of responding to on Slashdot!
If you have a blog please post a link as I find deciphering html from hell to be an absolute blast.
Best wishes, look on the bright side of things. There might be a job for you at healthcare.gov designing secure phone apps that modify etc/hosts!
Apps are a cesspit of cheap wares, flashy icons, and dubious peddling of every description. The app stores most resemble the cheap ads section of tabloid newspapers, and may as well have LET THE BUYER BEWARE and similar slogans etched in 50 foot high letters over the entrance.
There is no quality control for apps, no guarantees, no trust, no reliability, and in the vast majority of cases, no useful purpose. If this is the future of the software industry, then the software industry has no future.
If I wanted to go back to the dark days of late 1990's freeware, I would have asked.
May the Maths Be with you!
You really think that works? I sell Android Open Source by the GPL rules: legitimate customers can request the source code — but nobody ever does. I do mention it. It is not a hidden secret. Still no one is interested.
And on the other side I don't expect donations to flow in if I used that site. Once the average user has his App he is not interested either in source or donations.
I for one continue to use the GPL allowance to sell the binary and only give away bare source for fee.