Slashdot Mirror


1.2% of Apps On Google Play Are Repackaged To Deliver Ads, Collect Info

An anonymous reader writes "Not a month goes by without security researchers finding new malicious apps on Google Play. According to BitDefender, more than one percent of 420,000+ analyzed apps offered on Google's official Android store are repackaged versions of legitimate apps. In the long run, their existence hurts the users, the legitimate developers, and Google's reputation in general. Google Play has recently surpassed the one million mark when it comes to the apps it offers, and the researchers have analyzed a good chunk of the total in order to discover just how many are hiding their true nature."
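
The two signals behind the "repackaged" label in the summary are mechanical enough to check yourself: a modified APK has to be re-signed by whoever repackaged it, so its signing certificate differs from the legitimate developer's even when the package name and icon are copied, and the bolted-on ad or tracking SDK needs permissions the original never requested. The following Python script is an added example written for this page, not BitDefender's tooling or anything from Google. It builds two in-memory, APK-shaped zips as constructed fixtures, fingerprints the v1 (META-INF) signature block, and diffs the requested permissions against a baseline; the permission list is passed in by the caller (for example from `aapt dump permissions`), because parsing binary AndroidManifest.xml is out of scope here. Package name, permissions and signer blobs are all made up for the demo.

```python
"""Repackaging triage for APKs (added example, not BitDefender's tooling).
Checks an app that claims to be a known package on two points:
 1. signer fingerprint: a modified APK must be re-signed by the repackager,
    so the signing block under META-INF/ differs from the real developer's;
 2. permission delta: ad/tracking SDKs added to a repackaged app need
    permissions the legitimate release never asked for.
Assumptions: the APKs below are constructed in-memory zips, not real apps;
requested permissions are supplied by the caller (e.g. `aapt dump permissions`).
"""
import hashlib
import io
import zipfile

SIG_EXTS = (".RSA", ".DSA", ".EC")  # v1 (JAR-style) signature block files


def build_apk(signer_blob, files):
    """Construct a minimal APK-shaped zip in memory. Test fixture only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        if signer_blob is not None:
            z.writestr("META-INF/CERT.RSA", signer_blob)
    return buf.getvalue()


def signer_fingerprint(apk_bytes):
    """SHA-256 over the v1 signature block file(s) in META-INF/.
    Production code should pull the X.509 certificate out of the PKCS#7 blob
    (or run `apksigner verify --print-certs`); hashing the whole file is enough
    to tell two signers apart, which is all this check needs."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        sig_files = sorted(n for n in z.namelist()
                           if n.startswith("META-INF/") and n.endswith(SIG_EXTS))
        if not sig_files:
            raise ValueError("no v1 signature block; inspect the v2/v3 APK Signing Block instead")
        h = hashlib.sha256()
        for name in sig_files:
            h.update(z.read(name))
        return h.hexdigest()


def triage(package, apk_bytes, requested_perms, baseline):
    """Return a list of findings for an APK presenting itself as `package`.
    `baseline` maps package -> {"signer": fingerprint, "permissions": set}."""
    ref = baseline.get(package)
    if ref is None:
        return [f"no baseline for {package}; cannot judge"]
    findings = []
    fp = signer_fingerprint(apk_bytes)
    if fp != ref["signer"]:
        findings.append(f"signer mismatch: expected {ref['signer'][:12]}, got {fp[:12]}")
    extra = sorted(set(requested_perms) - set(ref["permissions"]))
    if extra:
        findings.append("permissions not in the legitimate release: " + ", ".join(extra))
    return findings


# Constructed fixtures: a flashlight app (camera + wake lock only) and a
# repackaged copy re-signed by someone else with an ad SDK's permissions added.
PKG = "com.example.flashlight"
LEGIT_PERMS = {"android.permission.CAMERA", "android.permission.WAKE_LOCK"}
REPACK_PERMS = LEGIT_PERMS | {
    "android.permission.INTERNET",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
}
LEGIT_APK = build_apk(b"pkcs7-blob-of-legit-developer", {"classes.dex": b"dex\n035"})
REPACK_APK = build_apk(b"pkcs7-blob-of-repackager", {"classes.dex": b"dex\n035+adsdk"})
BASELINE = {PKG: {"signer": signer_fingerprint(LEGIT_APK), "permissions": LEGIT_PERMS}}

if __name__ == "__main__":
    print("legit:  ", triage(PKG, LEGIT_APK, LEGIT_PERMS, BASELINE))
    print("repack: ", triage(PKG, REPACK_APK, REPACK_PERMS, BASELINE))
```

Two caveats for real use. The baseline is keyed by package name, so a clone published under a different package name (the "fan app" pattern mentioned further down the thread) is not caught by the lookup at all; the signer fingerprint only helps when you already know which legitimate app the clone is impersonating. And modern APKs may carry only a v2/v3 signature in the APK Signing Block rather than META-INF entries, in which case the v1 check above raises and you need `apksigner` or a v2-aware parser.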

27 of 131 comments

  1. F-Droid, FTW by Anonymous Coward · · Score: 5, Informative

    F-Droid is the open source store. Plenty of good apps there that do just about anything you'd need an app to do, for free as in beer and free as in speech.

    https://f-droid.org/

    1. Re:F-Droid, FTW by Nerdfest · · Score: 4, Interesting

      Many of us don't need Facebook or Netflix. F-Droid is great, and there's actually a lot of stuff that's actually on both. Wonder if some of the Play versions are included in some of the adware-added stuff they're talking about ...

      Anyway, it's damn nice to have options. I realize Google bashing is the funded topic these days, but I wonder if anyone's done an analysis of the Amazon app store for the same sort of thing.

    2. Re:F-Droid, FTW by N0Man74 · · Score: 2

      I wonder if anyone's done an analysis of the Amazon app store for the same sort of thing.

      I haven't heard of a specific study on apps, but I have read about how the eBook side is highly saturated with people selling low quality bundles and repackaging of free and public domain works in order to make a quick buck. Given how little quality control there appears to be on the eBook side of things (and books are much more a part of the core of Amazon than apps are) I doubt they fare any better on apps.

      Openness does have its disadvantages.

      It isn't just the re-bundles. When there is a popular iOS only app, I have seen people in Play selling apps with the title and/or artwork of the iOS app, but then in fine print it says "this is a fan app". There's no doubt in my mind that a lot of people (especially kids) don't read the details and download anyway.

      I think Google should be more proactive about blocking and banning those that abuse the store and their customers.

  2. Irrelevant by Russ1642 · · Score: 4, Insightful

    The total number of apps doesn't matter. The only stats worth anything involve the number of apps that are actually downloaded and run. There are thousands of useless or malware infested apps out there but are people really using them?

    1. Re:Irrelevant by Neuroelectronic · · Score: 2

      Because the only way to find an app on the iShit interface is by name, a name your friend told you, then you can't find it because the search doesn't actually give any relevancy points for exactly matching what you typed.

    2. Re:Irrelevant by JLennox · · Score: 2

      Complete control over a platform isn't justified by non-techies not knowing any better.

      Apple owes everything to that not being a pre-existing model to computers.

    3. Re:Irrelevant by fermion · · Score: 4, Insightful

      It does matter because Google Play is supposed to be the walled garden. It doesn't matter that 99% of the people in the school yard are supposed to be there, all it takes is a few to turn the school yard into chaos.

      It also matters to the developers who want to make a profit. If someone else can repackage your app and place it on the preeminent platform for Android Apps in exchange for ad revenue, that is bad. It also hurts the reputation of the original developer if that app is violating real or perceived privacy expectations.

      This is different from script kiddie or organized crime putting a pirated App on some open repository to be nice or steal identities. This is Google Play. People use it instead of more open repositories because they expect a level of security.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black

    4. Re:Irrelevant by mlts · · Score: 2

      I have mentioned this before, but Google needs to section off its store. One tier being the existing, "well, if not banned, it is allowed" free-for-all (which is a good thing for savvy users), but Google needs to have a tier similar to Amazon's store. Approval is a must, brutal approval guidelines, and no mercy with the banhammer.

      This strategy has worked amazingly well for Apple. iOS can be argued to be less secure than Android because the entire OS depends on the jail mechanism. However, because the only [1] way for an app to install on an iDevice is through Apple's store, Apple's strong gatekeeper strategy has proven itself.

      Google should see about having a tier or subset with heavy moderation. Then, have an option fairly hidden on the phone to allow access to the free-for-all tier. That way, users who just want to grab Angry Birds, and not Angry Birds + SMS Spammer will get the app they want.

      [1]: Of course, there is the enterprise and beta mechanisms for adding apps, but this is not doable for most of Apple's base.

    5. Re:Irrelevant by immaterial · · Score: 3, Informative

      iOS can be argued to be less secure than Android because the entire OS depends on the jail mechanism.

      What does this sentence mean? From context it looks like you're saying the only form of security on iOS is Apple's App Store approval system, but that's obviously false. Every app is sandboxed (no access to the system or other apps) and must request specific permission for privileged data (location/contacts/photos/calendars/etc.).

  3. How many downloads? by Fwipp · · Score: 3, Insightful

    How many people install the adware apps, though? I'd wager that the proportion of _downloads_ of adware is significantly less than 1.2%.

    1. Re:How many downloads? by FictionPimp · · Score: 2

      I use Nexus Flashlight. It requires access to the camera, and the ability to keep your phone from going to sleep. Nothing else.

    2. Re:How many downloads? by mlts · · Score: 2

      To help mitigate things with dodgy apps, I use Droidwall configured to block by default. Droidwall needs a facelift, but it is a decent front end for iptables.

      Android needs to keep its permission model, but add additional permissions similar to iOS 6+ where when the first time an app asks for access to contacts/camera/phone/SMS/photos/music/etc., it pops up a dialog where the user can confirm or deny permissions. Blackberry has had this model for over a decade, and it has been quite good.
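
The "block by default" setup described above works because Android gives every installed app its own Linux UID, and iptables' owner match can filter on that UID; Droidwall and its successor AFWall+ are front ends that turn a checklist of apps into exactly such rules. The script below is an added example written for this page, not code from Droidwall or AFWall+. It parses the `/data/system/packages.list` format (the constructed excerpt is made up; only the first two fields, package name and UID, are used) and emits a default-deny OUTPUT ruleset in which only allowlisted packages can send traffic. It prints the commands rather than applying them, so it runs without root; the chain name APPWALL and the choice to leave UIDs below 10000 (Android's system components) alone are this example's own assumptions.

```python
"""Per-app egress control in the style of Droidwall / AFWall+ (added example,
not code from either project). Android assigns every installed app its own
Linux UID, which is what lets the iptables owner match filter per app. This
script parses the /data/system/packages.list format and emits a default-deny
OUTPUT ruleset that only allowlisted packages get through. It prints the
commands instead of running them, so no root is needed to try it.
Assumptions: the packages.list excerpt is constructed, the chain name APPWALL
is our choice, and UIDs below 10000 (system components) are left alone."""

# Constructed excerpt. Real lines are space separated:
#   <package> <uid> <debuggable> <data dir> <seinfo> <gids>
PACKAGES_LIST = """\
com.example.flashlight 10045 0 /data/user/0/com.example.flashlight default:targetSdkVersion=18 none
com.example.mail 10052 0 /data/user/0/com.example.mail default:targetSdkVersion=19 3003
com.example.game 10061 0 /data/user/0/com.example.game default:targetSdkVersion=19 3003
"""

FIRST_APP_UID = 10000  # AID_APP_START; lower UIDs belong to system components


def parse_packages_list(text):
    """Map package name -> UID, skipping malformed lines."""
    uids = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[1].isdigit():
            continue
        uids[fields[0]] = int(fields[1])
    return uids


def build_rules(uids, allowed_packages, chain="APPWALL"):
    """Return the iptables commands for a default-deny per-app firewall.
    Raises KeyError if an allowlisted package is not installed, so a typo in
    the allowlist cannot silently turn into 'that app is blocked'."""
    missing = sorted(set(allowed_packages) - set(uids))
    if missing:
        raise KeyError(f"not installed: {missing}")
    rules = [
        f"iptables -N {chain}",
        f"iptables -F {chain}",
        f"iptables -A {chain} -o lo -j RETURN",
        # system UIDs (radio, DNS resolver, etc.) are not subject to the policy
        f"iptables -A {chain} -m owner --uid-owner 0-{FIRST_APP_UID - 1} -j RETURN",
    ]
    for pkg in sorted(allowed_packages, key=lambda p: uids[p]):
        rules.append(f"iptables -A {chain} -m owner --uid-owner {uids[pkg]} -j RETURN  # {pkg}")
    # anything not matched above, including apps installed later, is rejected
    rules.append(f"iptables -A {chain} -j REJECT")
    rules.append(f"iptables -I OUTPUT 1 -j {chain}")
    return rules


if __name__ == "__main__":
    rules = build_rules(parse_packages_list(PACKAGES_LIST), ["com.example.mail"])
    print("\n".join(rules))
```

The property worth noticing is that denied apps never appear in the rules: there is no per-app block line to forget, and an app installed after the rules were loaded has no RETURN rule and so falls through to the REJECT. Applying the output on a device requires root and a kernel built with the xt_owner match; re-running it would insert a second jump into OUTPUT, so a production version should delete the old jump (`iptables -D OUTPUT -j APPWALL`) before inserting the new one.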

    3. Re:How many downloads? by mrchaotica · · Score: 3, Informative

      Droidwall needs a facelift, but it is a decent front end for iptables.

      According to F-Droid, Droidwall got abandoned, forked and renamed to AFWall+.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    4. Re:How many downloads? by TWX · · Score: 2

      If that one gives you issues, I use "LED Light". It doesn't list the Samsung Galaxy SII (T-Mobile version) as on the supported devices list, but it seems to work fine. Only annoyance is that it doesn't completely close on exit and I have to go exit its process, but how little I use it, I can accept that.

      --
      Do not look into laser with remaining eye.

  4. All or nothing approach is silly by Mr_Silver · · Score: 5, Interesting

    I personally dislike Google's all-or-nothing approach to permissions. It gives the user a complete list of things (some of which may be valid and some not) with absolutely no context as to why they need this and then basically tells you that if you want the app then you have to accept the lot.

    Coupled with a barely managed market place, you're just asking for someone to slip something malicious into the store and for anyone downloading it to blindly hit "accept".

    A better method would be to rationalise some of the permissions (for example, do you really need to spook everyone with "read call state" given that it's used to suspend an app when a call comes in?) and then pop up a request to access the other permissions at the time when they are needed - a la iPhone.

    That way I know why my app wants to access my contacts (because I've just pushed the button that says "invite a friend to a game") and also means that if I'm not comfortable with it having access to my call history then I can decline and still have the opportunity to continue using it.

    --
    Avantslash - View Slashdot cleanly on your mobile phone.

    1. Re:All or nothing approach is silly by vidnet · · Score: 4, Funny

      pop up a request to access the other permissions at the time when they are needed

      Because that worked so well for Vista?

    2. Re:All or nothing approach is silly by mlts · · Score: 4, Insightful

      The problem is that Google's model works for people who know what they are doing.

      However, one reason iOS is so successful is the perception that you don't have to watch anything. If it is on Apple's store, it is safe for human consumption.

      The majority of the people out there will not look at the permissions an app wants, and just tap "accept". Android's model works with savvy users, but for the teen texter who barely can type while holding the steering wheel, it has its issues.

      Two ways to fix this: Go with additional permission requests upon first use like Apple or Blackberry's offerings, go with a tier of Play Store which is heavily curated, or both.

    3. Re:All or nothing approach is silly by zequav · · Score: 3, Interesting

      There is App Ops in Android >= 4.3. Install App Ops Starter and disable the permissions you don't want to grant to an app.

    4. Re:All or nothing approach is silly by tlhIngan · · Score: 3, Interesting

      Android's permission model is far from all or nothing, it is entirely declarative and applications do not have all permissions (as opposed to the iPhone model in which the user is never told what the application can do).

      Except to 99.99% of Android users, that permission information is completely useless to them. They don't know what it means, other than it's a screen that pops up whenever they install anything. They don't read it, they just tap Install and be done with it.

      The technical term is Dancing Pigs (or dancing rabbits), and it describes basically that the user is most likely not to pick the right choice security wise. They see an app in the Play store, tap install, then up comes the list of gobbledygook with a button that says "Install". They bypass the list and tap install, because they just wanted to install the app.

      Relying on the user to make security decisions is poor security - all it affords you is the ability to blame the user for their mischoices, except said user is part of the very large majority who don't understand the screen, don't understand the need for it, and certainly don't understand why they need to spend the time reading it.

      And that doesn't even get into the weird permissions you need in order to do stuff (like Read Phone State and Identity to get notifications when someone is calling).

      The iPhone model isn't any better, but popping up extra dialogs doesn't work. Though, iOS at least does notify you and give you the ability to decline individual permissions (e.g., to stuff like location information, contacts and other stuff). But it too suffers from popup-itis.

      Hell, the user can monkey around with some pretty complex steps if you tell them how to do it in small easy steps and they see benefit at the end. It's how they can do stuff like install OpenSSH, run PuTTY and enter in complex command lines - as long as they want to do it, they'll blindly follow. It's how the early jailbreak viruses spread - because people would do them to pirate apps and such and leave OpenSSH running with default passwords (because the HOWTO they used didn't tell them they needed to).

      And I'm almost certain if you've helped someone that they'll say something like "every time I print, nothing comes out of the printer" despite every time they print, a big screen shows saying "NO PAPER IN TRAY". No, they don't read dialogs either (happens with developers as well - the solution may be right there staring them in the face...).

  5. Mozilla does that too. by Animats · · Score: 4, Interesting

    Mozilla allows that, too. There's a slimeball company that takes over abandoned Firefox add-ons, adds spyware, and puts them up on Mozilla's "store". They did this to BlockSite. Users were very angry.

    Mozilla's reaction? Mozilla's add-on policies prohibit this: "Whenever an add-on includes any unexpected* feature that ... compromises user privacy or security (like sending data to third parties)" ... "These features cannot be introduced into an update of a fully-reviewed add-on; the opt-in change process must be part of the initial review." The spyware was just fine with Jorge Villalobos, Mozilla's add-on project manager, who wrote "That's outdated, since we don't enforce that policy."

    You can't trust the Mozilla Foundation any more. That's sad.

  6. What is being added by Fnord666 · · Score: 4, Informative

    Here is a decent graphic showing just what is being added to these repackaged applications.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables

  7. Link to the original article by Fnord666 · · Score: 3, Informative

    Here is the original article in case anyone is interested. It goes into greater detail about the issues involved.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables

  8. Re:Quantity over quality by mythosaz · · Score: 4, Insightful

    Useless to whom?

    There's a ton of duplication, but not without some feature or preference issue. While I can imagine that the most obvious flashlight features are duplicated across all flashlight apps, I'm sure that there's a number of features (like support for specific phones and odd hardware lights, and widgets) preferences (tray icon, UI), or innovations (auto-off, strobe) that haven't been incorporated into the One True Flashlight App just yet. ...now when you want the one with the "help me" strobe that supports S4 gestures to change modes, you need some duplication.

    There's also a dozen niche apps. How many Magic The Gathering life counters do you need? [I'm nerd enough to know there's plenty of room for different apps here.] How many keyboards do you need? How many pop the bubbles games do you need?

    Just because you can't run a million apps doesn't mean that the thousand you could possibly use are the same as the thousand I could possibly use. Combine your thousand and my thousand and now we've probably got only 100 that overlap. You couldn't care less about having multiple Nissan Leaf apps because Torque Pro doesn't support reading advanced battery values from it -- but I do. Someone else cares about all sorts of stuff neither of us do.

  9. Re:Opt-in though? by Animats · · Score: 4, Insightful

    As long as the feature is opt in...

    The "opt in" was more like "we're making you an offer you can't refuse." It was pushed as an update to an existing add-on. The page with the terms was deliberately confusing. The privacy policy was originally missing. Some users reported that if you refused the tracking, the add-on then blocked major sites such as Flickr.

    I was amazed that got past Mozilla's approval process. They've sold out.

  10. Avoidance by xigxag · · Score: 2

    A couple of simple things can be done to avoid phone malware.

    1) Investigate the app before you install it. Click on the developer's web page and see if it looks legit. Read the reviews. Check to see that the permissions it's asking for have a legitimate purpose.

    2) As TFA notes, most of these malware apps are free. Stay away from "free" apps from unknown developers. You're better off paying 99c, $1.99, $2.99 to give the developer a legitimate revenue stream than incentivizing them to pimp you out to shady third party advertisers.

    3) In other words, remember that your phone is a computer. Don't take careless risks with your phone or tablet that you would never take with your desktop or laptop.

    --
    There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.

  11. Application policy by WaffleMonster · · Score: 2

    The only prompt which should ever appear when installing an app is for the owner to select a profile of permissions the owner of the device feels comfortable giving to the application. Once this decision is made, the operating system is expected to do whatever is necessary to sell the lie that Rumpelstiltskin at 7185551212 is my only contact, my current location is the South Pole and my phone number is 1-900-909-4300.

    The problem is that none of the current cast of characters - not Microsoft, Google or Apple - gives a shit about the user; they only care about profits, which is why the user is always allowed to be treated like shit. Their days of owning the mobile OS space are numbered.

  12. Gardener wanted by saha · · Score: 2

    Perhaps the Android garden doesn't need a wall, but it could really use a full time gardener