Malware in Android Market highlights Google's vulnerability - ArsTechnica

veritas_libertas Member Posts: 5,746
The malicious applications sent personal details, including the phone's unique IMEI number, to a US-based server. Worse, it exploited security flaws to root the phone, and installed a backdoor application that allows further software to be installed to the handsets. Though Google has now purged the applications from the Market, the rooting and backdoor mean that anyone who has run one of the malicious programs should reset their phone to stock conditions to clean it up. The flaw used to root the operating system was fixed in Android 2.2.2 and 2.3, so users of those versions should be able to get away with simply removing the applications. The programs were all (re)published by an entity named Myournet; it too has now been removed from the Market.

Malware in Android Market highlights Google's vulnerability

Comments

  • tpatt100 Member Posts: 2,991
    Interesting article, I know somebody whose wife had an app that sent a bunch of expensive text messages a couple of months ago. I read on Ars that Google is going to remote kill malware they discover now. I think Google is going to have to tighten up the app store with more people using their OS now.

    Haven't seen much online about the malware, if this was Apple related I am sure the tech blogs would crash with all the postings from "concerned readers" wanting to make sure everybody is aware of mobile malware.
  • rwmidl Member Posts: 807
    You can say what you want about Apple and how controlling they are of their app store/applications that are there, but you do have to give them (Apple) credit in that they would probably catch anything like this before it hit the "open" market.
    CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
  • tpatt100 Member Posts: 2,991
    rwmidl wrote: »
    You can say what you want about Apple and how controlling they are of their app store/applications that are there, but you do have to give them (Apple) credit in that they would probably catch anything like this before it hit the "open" market.

    I am sure something will happen given time; exploits don't have to come from the apps, the hackers can just focus on the OS itself.
  • petedude Member Posts: 1,510
    It was bound to happen sooner or later. Someone found a chink in Google's armor, and exploited it. It'll eventually happen to Apple, too-- it just won't be as severe. I'm just glad there are some good security apps available for Android now to help prevent this kind of problem. And I'm sure Google will beef up security for Android-- it's not as if they don't have resources to throw at it.
    Even if you're on the right track, you'll get run over if you just sit there.
    --Will Rogers
  • westward Member Posts: 77
    They make BILLIONS....as an advertising company. And spend it on a lot of ideas that have no actual ROI.

    They only hire the "best and brightest" but...

    1. They crashed Gmail and temporarily lost user accounts
    2. Their "Google Finance" is horrible - often providing stock prices that are 3 to 4 days old while stating it is a "live" feed
    3. Android has simple security issues
    4. Their new algorithm for search has caused many searches to have notably worse results than before....

    And that's just in the last 30 days!

    Who on earth thought it'd be a good idea not to screen apps, while selling them through their own store. Imagine if Best Buy sold a piece of software that was malicious!

    I am starting to feel that they are a scatter-brained group of people who aren't really focusing on any one particular thing and doing it REALLY well. It's the "be everything to everyone" symptom.
  • tpatt100 Member Posts: 2,991
    I would like Google to fix its search spam problem. It's getting annoying with all the fake b.s. hits flooding the first several pages.
  • MentholMoose Member Posts: 1,525
    westward wrote: »
    They make BILLIONS....as an advertising company. And spend it on a lot of ideas that have no actual ROI.

    They only hire the "best and brightest" but...

    1. They crashed Gmail and temporarily lost user accounts
    Gmail has ads, and there is a commercial version of Gmail:
    Google Apps for Business | Official Website

    Everyone has outages, get over it. Sometimes things go wrong even if you do everything right, especially in IT.
    westward wrote: »
    2. Their "Google Finance" is horrible - often providing stock prices that are 3 to 4 days old while stating it is a "live" feed
    Not everything works out, e.g. Wave was discontinued. It is unrealistic to expect them (or anyone) to have 100% success rate with their products.
    westward wrote: »
    3. Android has simple security issues
    If you're talking about the Market malware, that is just the result of having a more open system. You might as well blame Microsoft for allowing malware onto Windows.
    westward wrote: »
    4. Their new algorithm for search has caused many searches to have notably worse results than before....
    Any time they change anything, someone will complain. If a few searches have worse relevant results but most have far better results, that's actually a benefit. They will be making further adjustments to improve results even more.
    westward wrote: »
    Who on earth thought it'd be a good idea not to screen apps, while selling them through their own store. Imagine if Best Buy sold a piece of software that was malicious!
    Again, that's the price of openness, one of the key selling points of Android phones. If they were like Apple, people would just complain about censorship, lack of transparency, etc., and some malware would still sneak through. Personally, I'll take the Android Market model any day (and I did, I don't own an iPhone and never will), since I prefer to make my own decisions about what apps to install.
    westward wrote: »
    I am starting to feel that they are a scatter-brained group of people who aren't really focusing on any one particular thing and doing it REALLY well. It's the "be everything to everyone" symptom.
    Google search... still #1 in market share, by far, despite heavy competition. Android... came out of nowhere to get to #1 in market share, despite heavy competition. Youtube... still #1, despite heavy competition. I think they're doing something right.
    MentholMoose
    MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
  • tpatt100 Member Posts: 2,991
    Didn't realize how many phones were exposed:

    Google Android hacking alert to 260k smartphone users who downloaded app virus | Mail Online

    Google admitted that up to 260,000 smartphones have been hacked after handset users unwittingly downloaded virus-infected apps.

    The threat came to light last week when the technology giant was forced to withdraw at least 50 apps from its official Android Market.

    Google operated a ‘killswitch’ and remotely removed all of the affected apps from peoples’ phones.

    The firm has now sent text messages warning those affected that the malicious applications could access their personal information and take control of their handset.

    Studies have found that the dodgy applications were downloaded after they had been repackaged with a code that corrupted them.
  • dynamik Banned Posts: 12,312
    westward wrote: »
    Who on earth thought it'd be a good idea not to screen apps, while selling them through their own store. Imagine if Best Buy sold a piece of software that was malicious!

    This issue didn't arise because of negligence. Google took this approach to keep the market free and open (which admittedly a small percentage of users could deal with responsibly). Compare this with the totalitarian approach that Apple has taken where they regularly screw over developers without so much as an explanation and power-users need to jailbreak their device and forfeit support if they want genuine control of it. Do you really think it's feasible for Google to audit every line of code that's submitted to them? Organizations that develop software of even a minimal complexity can't even do that on their own code internally.
  • erpadmin Member Posts: 4,165
    westward wrote: »
    I am starting to feel that they are a scatter-brained group of people who aren't really focusing on any one particular thing and doing it REALLY well. It's the "be everything to everyone" symptom.

    Hmmm...sounds like that can be attributed to another tech company worth billions that's real popular on this board.....I'm sure the name will come to me later.....
  • tpatt100 Member Posts: 2,991
    dynamik wrote: »
    This issue didn't arise because of negligence. Google took this approach to keep the market free and open (which admittedly a small percentage of users could deal with responsibly). Compare this with the totalitarian approach that Apple has taken where they regularly screw over developers without so much as an explanation and power-users need to jailbreak their device and forfeit support if they want genuine control of it. Do you really think it's feasible for Google to audit every line of code that's submitted to them? Organizations that develop software of even a minimal complexity can't even do that on their own code internally.

    I had to root my Android like I did my iPhone?
  • dynamik Banned Posts: 12,312
    tpatt100 wrote: »
    I had to root my Android like I did my iPhone?

    Oh, shows how much I know about Androids :p

    I thought they gave you more freedom out of the box.

    If that's the case though, why is this Google's responsibility?
  • tiersten Member Posts: 4,505
    tpatt100 wrote: »
    I had to root my Android like I did my iPhone?
    That decision is made by the manufacturer and not Google. The official Google branded handsets have the ability to be rooted easily and allow replacement firmware images to be flashed built in.
  • tpatt100 Member Posts: 2,991
    dynamik wrote: »
    Oh, shows how much I know about Androids :p

    I thought they gave you more freedom out of the box.

    If that's the case though, why is this Google's responsibility?

    I think you might be thinking just the app store not the OS. Since Android phones have a bigger selection, the different phone vendors try and out feature each other. The problem was the app store is a portal for Android apps and people were repackaging legit apps and putting in malware. Since the app store is a Google portal and part of the phone they are steering customers to one stop app shopping.

    I think Apple has slipped up a few times and their approval process is hit or miss also. So with this story I bet Google starts to tighten things up on the back end because the average consumer probably does not know or care about "extra freedom" in the app store they just see "click buy play".
  • veritas_libertas Member Posts: 5,746
    tpatt100 wrote: »
    I think you might be thinking just the app store not the OS. Since Android phones have a bigger selection, the different phone vendors try and out feature each other. The problem was the app store is a portal for Android apps and people were repackaging legit apps and putting in malware. Since the app store is a Google portal and part of the phone they are steering customers to one stop app shopping.

    I think Apple has slipped up a few times and their approval process is hit or miss also. So with this story I bet Google starts to tighten things up on the back end because the average consumer probably does not know or care about "extra freedom" in the app store they just see "click buy play".

    I would have to agree. All the typical user cares about is that it works and doesn't break their smart phone.
  • Ahriakin Member Posts: 1,799
    It's the same old argument that ends up blaming the OS and not the user. I think the Windows simile below was fairly accurate. Users are presented with a declaration of rights the app. is requesting, it's up to them to choose Yes even after (in theory) researching the stated functions of the app (and its reputation online). There are quite a few decent anti-malware app.s out now for the platform. People seem to want freedom to install what they want but not the responsibility of doing so safely.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • tpatt100 Member Posts: 2,991
    How can a user research an app that is a legit app repackaged with malware? We going to require users to check md5 sum? Not a software developer but at least Google should add a verification for alteration checks on their app store.
  • ilcram19-2 Banned Posts: 436
    "to the cloud" BS indeed they are stealing your information and that's what happens when you trust the internet, if that happens on a phone how long we have til google and all of them get hacked if they haven't yet
  • veritas_libertas Member Posts: 5,746
    tpatt100 wrote: »
    How can a user research an app that is a legit app repackaged with malware? We going to require users to check md5 sum? Not a software developer but at least Google should add a verification for alteration checks on their app store.

    Exactly, I laughed when my coworker told me he was using an AV scanner on his Android. Seriously, is that where we are going now? I lock-down my network because I don't want my wife to download dangerous stuff by accident. All my wife cares about is downloading what she wants from the Internet. She is relatively cautious but I still see plenty of dangerous stuff on the firewall log that she has tried to access.
  • shaqazoolu Member Posts: 259
    The great thing about this whole thing, is if you don't like it, you can go buy an iPhone. I don't see why this is an issue. You have a choice. Use it and stop crying about why Google isn't enabling you to be completely mindless with no consequences.
  • tpatt100 Member Posts: 2,991
    shaqazoolu wrote: »
    The great thing about this whole thing, is if you don't like it, you can go buy an iPhone. I don't see why this is an issue. You have a choice. Use it and stop crying about why Google isn't enabling you to be completely mindless with no consequences.

    How were the users being mindless? I am still wondering how users are supposed to know how to check a repackaged app?
  • Ahriakin Member Posts: 1,799
    It's exactly the same as installing on a PC. If you run around installing every piece of software off the web that grabs your fancy you will end up screwed - AV will only protect you so far. The issue here is there is a presumption of security by the handset users that is unrealistic, in the same way they tend to send data over the web through their phones that they would have more sense not to on a PC they are assuming that since it's on the marketplace it's safe. They obviously can't debug an app. but when installing something they haven't researched and it's asking for permissions beyond what should be expected (and yes there is a responsibility on the user to learn this) then they should just say 'No'. To drive a car you learn and then get a license, if you don't understand the basics of the technology then don't buy an Android phone, and if you do then live with the consequences and don't blame the vendor because you didn't take the time to understand the risks...Anything else is kinda childish imho ;)
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • tpatt100 Member Posts: 2,991
    The problem though is the Android Marketplace is Google's preferred method of installing applications on the phone. It's their portal for the phone to add software. They advertise "thousands of apps" in Android commercials because they know apps is what made the iPhone popular besides the design style.

    If you go shopping in the store and purchase something of course you should research it but let's use the Tylenol scare. Somebody buys Tylenol and poisons it. 8 people die from poisoned capsules. It led to Tylenol making better packaging to detect tampering so the consumer and the stores can better detect tampering. This does not eliminate the possibility of Tylenol making a mistake but it was an approach to protect the consumer who assumes that when purchasing something that at least it was not tampered with and should do what it was advertised to do.

    Tylenol lost tons of money from that incident. On the basic level my Tylenol comparison seems to be a good example of some basic precautions to help the customer not become too afraid to spend money on your product or in your store.

    Realistically the only way to make the average user care though is if somebody repackaged an Android Facebook app that stole your password and changed your profile picture to a peni$ or something...