Malware in Android Market highlights Google's vulnerability - ArsTechnica
veritas_libertas
Member Posts: 5,746
in Off-Topic
The malicious applications sent personal details, including the phone's unique IMEI number, to a US-based server. Worse, it exploited security flaws to root the phone, and installed a backdoor application that allows further software to be installed to the handsets. Though Google has now purged the applications from the Market, the rooting and backdoor mean that anyone who has run one of the malicious programs should reset their phone to stock conditions to clean it up. The flaw used to root the operating system was fixed in Android 2.2.2 and 2.3, so users of those versions should be able to get away with simply removing the applications. The programs were all (re)published by an entity named Myournet; it too has now been removed from the Market.
Malware in Android Market highlights Google's vulnerability
Comments
-
tpatt100 Member Posts: 2,991
Interesting article, I know somebody whose wife had an app that sent a bunch of expensive text messages a couple of months ago. I read on Ars that Google is going to remote kill malware they discover now. I think Google is going to have to tighten up the app store with more people using their OS now.
Haven't seen much online about the malware, if this was Apple related I am sure the tech blogs would crash with all the postings from "concerned readers" wanting to make sure everybody is aware of mobile malware.
-
rwmidl Member Posts: 807
You can say what you want about Apple and how controlling they are of their app store/applications that are there, but you do have to give them (Apple) credit in that they would probably catch anything like this before it hit the "open" market.
CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
-
tpatt100 Member Posts: 2,991
rwmidl wrote: » You can say what you want about Apple and how controlling they are of their app store/applications that are there, but you do have to give them (Apple) credit in that they would probably catch anything like this before it hit the "open" market.
I am sure something will happen given time, exploits don't have to come from the apps the hackers can just focus on the OS itself.
-
petedude Member Posts: 1,510
It was bound to happen sooner or later. Someone found a chink in Google's armor, and exploited it. It'll eventually happen to Apple, too-- it just won't be as severe. I'm just glad there are some good security apps available for Android now to help prevent this kind of problem. And I'm sure Google will beef up security for Android-- it's not as if they don't have resources to throw at it.
Even if you're on the right track, you'll get run over if you just sit there.
--Will Rogers
-
westward Member Posts: 77
They make BILLIONS....as an advertising company. And spend it on a lot of ideas that have no actual ROI.
They only hire the "best and brightest" but...
1. They crashed Gmail and temporarily lost user accounts
2. Their "Google Finance" is horrible - often providing stock prices that are 3 to 4 days old while stating it is a "live" feed
3. Android has simple security issues
4. Their new algorithm for search has caused many searches to have notably worse results than before....
And that's just in the last 30 days!
Who on earth thought it'd be a good idea not to screen apps, while selling them through their own store. Imagine if Best Buy sold a piece of software that was malicious!
I am starting to feel that they are a scatter-brained group of people who aren't really focusing on any one particular thing and doing it REALLY well. It's the "be everything to everyone" symptom. -
tpatt100 Member Posts: 2,991
I would like Google to fix its search spam problem. It's getting annoying with all the fake b.s. hits flooding the first several pages.
-
MentholMoose Member Posts: 1,525
westward wrote: » They make BILLIONS....as an advertising company. And spend it on a lot of ideas that have no actual ROI. They only hire the "best and brightest" but... 1. They crashed Gmail and temporarily lost user accounts
Google Apps for Business | Official Website
Everyone has outages, get over it. Sometimes things go wrong even if you do everything right, especially in IT.
westward wrote: » 2. Their "Google Finance" is horrible - often providing stock prices that are 3 to 4 days old while stating it is a "live" feed
westward wrote: » 3. Android has simple security issues
westward wrote: » 4. Their new algorithm for search has caused many searches to have notably worse results than before....
westward wrote: » Who on earth thought it'd be a good idea not to screen apps, while selling them through their own store. Imagine if Best Buy sold a piece of software that was malicious!
westward wrote: » I am starting to feel that they are a scatter-brained group of people who aren't really focusing on any one particular thing and doing it REALLY well. It's the "be everything to everyone" symptom.
MentholMoose
MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
-
tpatt100 Member Posts: 2,991
Didn't realize how many phones were exposed:
Google Android hacking alert to 260k smartphone users who downloaded app virus | Mail Online
Google admitted that up to 260,000 smartphones have been hacked after handset users unwittingly downloaded virus-infected apps.
The threat came to light last week when the technology giant was forced to withdraw at least 50 apps from its official Android Market.
Google operated a ‘killswitch’ and remotely removed all of the affected apps from peoples’ phones.
The firm has now sent text messages warning those affected that the malicious applications could access their personal information and take control of their handset.
Studies have found that the dodgy applications were downloaded after they had been repackaged with a code that corrupted them. -
dynamik Banned Posts: 12,312
westward wrote: » Who on earth thought it'd be a good idea not to screen apps, while selling them through their own store. Imagine if Best Buy sold a piece of software that was malicious!
This issue didn't arise because of negligence. Google took this approach to keep the market free and open (which admittedly a small percentage of users could deal with responsibly). Compare this with the totalitarian approach that Apple has taken where they regularly screw over developers without so much as an explanation and power-users need to jailbreak their device and forfeit support if they want genuine control of it. Do you really think it's feasible for Google to audit every line of code that's submitted to them? Organizations that develop software of even a minimal complexity can't even do that on their own code internally.
-
erpadmin Member Posts: 4,165
westward wrote: » I am starting to feel that they are a scatter-brained group of people who aren't really focusing on any one particular thing and doing it REALLY well. It's the "be everything to everyone" symptom.
Hmmm...sounds like that can be attributed to another tech company worth billions that's real popular on this board.....I'm sure the name will come to me later.....
-
tpatt100 Member Posts: 2,991
dynamik wrote: » This issue didn't arise because of negligence. Google took this approach to keep the market free and open (which admittedly a small percentage of users could deal with responsibly). Compare this with the totalitarian approach that Apple has taken where they regularly screw over developers without so much as an explanation and power-users need to jailbreak their device and forfeit support if they want genuine control of it. Do you really think it's feasible for Google to audit every line of code that's submitted to them? Organizations that develop software of even a minimal complexity can't even do that on their own code internally.
I had to root my Android like I did my iPhone?
-
dynamik Banned Posts: 12,312
tpatt100 wrote: » I had to root my Android like I did my iPhone?
Oh, shows how much I know about Androids
I thought they gave you more freedom out of the box.
If that's the case though, why is this Google's responsibility?
-
tiersten Member Posts: 4,505
tpatt100 wrote: » I had to root my Android like I did my iPhone?
-
tpatt100 Member Posts: 2,991
dynamik wrote: » Oh, shows how much I know about Androids. I thought they gave you more freedom out of the box. If that's the case though, why is this Google's responsibility?
I think you might be thinking just the app store not the OS. Since Android phones have a bigger selection, the different phone vendors try and out feature each other. The problem was the app store is a portal for Android apps and people were repackaging legit apps and putting in malware. Since the app store is a Google portal and part of the phone they are steering customers to one stop app shopping.
I think Apple has slipped up a few times and their approval process is hit or miss also. So with this story I bet Google starts to tighten things up on the back end because the average consumer probably does not know or care about "extra freedom" in the app store they just see "click buy play". -
veritas_libertas Member Posts: 5,746
tpatt100 wrote: » I think you might be thinking just the app store not the OS. Since Android phones have a bigger selection, the different phone vendors try and out feature each other. The problem was the app store is a portal for Android apps and people were repackaging legit apps and putting in malware. Since the app store is a Google portal and part of the phone they are steering customers to one stop app shopping. I think Apple has slipped up a few times and their approval process is hit or miss also. So with this story I bet Google starts to tighten things up on the back end because the average consumer probably does not know or care about "extra freedom" in the app store they just see "click buy play".
I would have to agree. All the typical user cares about is that it works and doesn't break their smart phone. -
Ahriakin Member Posts: 1,799
It's the same old argument that ends up blaming the OS and not the user. I think the Windows simile below was fairly accurate. Users are presented with a declaration of rights the app. is requesting, it's up to them to choose Yes even after (in theory) researching the stated functions of the app (and its reputation online). There are quite a few decent anti-malware app.s out now for the platform. People seem to want freedom to install what they want but not the responsibility of doing so safely.
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
-
tpatt100 Member Posts: 2,991
How can a user research an app that is a legit app repackaged with malware? We going to require users to check md5 sum? Not a software developer but at least Google should add a verification for alteration checks on their app store.
-
ilcram19-2 Banned Posts: 436
"to the cloud" BS indeed they are stealing your information and that's what happens when you trust the internet, if that happens on a phone how long we have til google and all of them get hacked if they haven't yet
-
veritas_libertas Member Posts: 5,746
tpatt100 wrote: » How can a user research an app that is a legit app repackaged with malware? We going to require users to check md5 sum? Not a software developer but at least Google should add a verification for alteration checks on their app store.
Exactly, I laughed when my coworker told me he was using an AV scanner on his Android. Seriously, is that where we are going now? I lock-down my network because I don't want my wife to download dangerous stuff by accident. All my wife cares about is downloading what she wants from the Internet. She is relatively cautious but I still see plenty of dangerous stuff on the firewall log that she has tried to access. -
shaqazoolu Member Posts: 259
The great thing about this whole thing, is if you don't like it, you can go buy an iPhone. I don't see why this is an issue. You have a choice. Use it and stop crying about why Google isn't enabling you to be completely mindless with no consequences.
-
tpatt100 Member Posts: 2,991
shaqazoolu wrote: » The great thing about this whole thing, is if you don't like it, you can go buy an iPhone. I don't see why this is an issue. You have a choice. Use it and stop crying about why Google isn't enabling you to be completely mindless with no consequences.
How were the users being mindless? I am still wondering how users are supposed to know how to check a repackaged app? -
Ahriakin Member Posts: 1,799
It's exactly the same as installing on a PC. If you run around installing every piece of software off the web that grabs your fancy you will end up screwed - AV will only protect you so far. The issue here is there is a presumption of security by the handset users that is unrealistic, in the same way they tend to send data over the web through their phones that they would have more sense not to on a PC they are assuming that since it's on the marketplace it's safe. They obviously can't debug an app. but when installing something they haven't researched and it's asking for permissions beyond what should be expected (and yes there is a responsibility on the user to learn this) then they should just say 'No'. To drive a car you learn and then get a license, if you don't understand the basics of the technology then don't buy an Android phone, and if you do then live with the consequences and don't blame the vendor because you didn't take the time to understand the risks...Anything else is kinda childish imho
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
-
tpatt100 Member Posts: 2,991
The problem though is the Android Marketplace is Google's preferred method of installing applications on the phone. It's their portal for the phone to add software. They advertise "thousands of apps" in Android commercials because they know apps is what made the iPhone popular besides the design style.
If you go shopping in the store and purchase something of course you should research it but let's use the Tylenol scare. Somebody buys Tylenol and poisons it. 8 people die from poisoned capsules. It led to Tylenol making better packaging to detect tampering so the consumer and the stores can better detect tampering. This does not eliminate the possibility of Tylenol making a mistake but it was an approach to protect the consumer who assumes that when purchasing something that at least it was not tampered with and should do what it was advertised to do.
Tylenol lost tons of money from that incident. On the basic level my Tylenol comparison seems to be a good example of some basic precautions to help the customer not become too afraid to spend money on your product or in your store.
Realistically the only way to make the average user care though is if somebody repackaged an Android Facebook app that stole your password and changed your profile picture to a peni$ or something...