Rogue phishing app smuggled onto Android Marketplace
A phisher hoping to harvest bank login details managed to smuggle his app onto the Android app store. Malicious apps posted by Droid09 were quickly identified, prompting a warning to legitimate users and a ban for the VXer. The incident raises questions about whether a tighter vetting process is needed for the Android …
How long now before Android's app marketplace becomes as tight, opaque and closed as Apple's... All because of this type of shite... Thanks a lot...
Why the hell do you think Google is giving away the OS in the first place? To build a user base so they can charge for the apps, simple as that.
It will not be long before Android users are paying through the nose or talking about 'Jailbreaking'
You seem to imply that Apple's 'tight, opaque and closed' app store is less likely to contain malware than a more open marketplace.
Is this a bad thing?
Unfortunately, the world is full of people who will take advantage of the lazy, gullible or inattentive. The closed marketplace (especially for big names staking their reputation, such as Google or, say, Apple) is unavoidable, unless you somehow magically expect everyone to just be nice.
Paris, because she doesn't intend to be tight, opaque or closed.
Only in so far as it prevents legitimate but inconvenient (for Apple) apps from making an appearance, and without so much as an explanation. That's number 6 in my 'List of Reasons I Will Never Get An IPhone."
Mind you, if the Android Marketplace turns into a dodgy place then Google's options are limited. The level of openness is not an easy thing to decide. That said, there was an intriguing article in the FT about the two approaches to 'openness' employed by Google and Apple:
http://www.ft.com/cms/s/0/dbe24d14-fafa-11de-94d8-00144feab49a.html
" consulting their mobile phone firm for further advice"
Why ? What has that got to do with the carrier?
This one is at the feet of the app-store custodians... Asleep at the switch ?
I have trouble trusting my bank with my banking details, I am certainly not going to allow an unknown application from an unknown developer to sit between me and my banking logon.
What's so difficult about navigating to a banking logon page that it requires the help of a third party application, which is yet another attack surface for hackers, anyway?
...Google's market app update system is smart enough to prompt users that there's an update to these apps and hence give them a pro-active warning about the fact that the apps have been pulled.
I have a couple of apps that have been pulled (re-released as paid for), but received no notification of the original app being removed from the market or the paid for alternative being introduced.
The Android market is stuffed full of dodgy apps and dodgy developers. Any Android user will be aware of the usual suspects and their dodgy tactics....
Updates that do nothing but bump apps (usually ad infested) to the top of the "most recent" list.
Crude web wrappers that merely link to the mobile version of a web site ( that you could just as easily visit with the standard browser ) but ask for phone, location and personal info permissions to install.
Then there is all of the non-malicious crap. "Sound Boards", fart machines, flashlights. Hell, there was even one joker with a "mirror" app that turned the screen black so you could see your reflection in it. The muppet even posted a screen shot of the blank screen!!!
There are, of course, a lot of very good and useful apps, but having to trawl through the piles and piles of excrement to find them is a real pain.
One developer's whole range of apps was removed for harvesting phone numbers. OK its not phishing but its definitely something a review process should have picked up on.
Apple is constantly developing and using automated tools for code inspection of each new app. As new tricks are played by devs (most caught in the manual review process, though not all), Apple is adjusting it's apps for better automated analysis.
Phishing is not easy to do on the iPhone. More over, being alble to submit at all creates a clear and easily followable legal trail, and anyone trying something like submitting a virus or actual phishing app would be handed over to authorities fast. The Goolge Marketplace is not so clean of a system, has little or no reveiw process to speak of, and almost anyone can post an app. The fact this got into a central marketplace (not sum 3rd party run app store) is even more appauling. The fact Android can run backgroud apps at all is also troubling since it;s possible for an app to appear to be legit, but sniff your web traffic and keystrokes in the background. That's not possible on the iPhone OS.
Apple has removed whole ranges of apps before, it's not one occasion. Apple can only push to an extent on that as well, since harvesting phone numbers and e-mails is not actually illegal at all (only against TOS), and it did not harvest entire contacts lists, only your number (which could have just as easily been done through an online registration request and not have been in the app and thus would not have gotten them pulled).
Some complain that Apple's approval process is overly strict, and it does seem a somewhat slow and tedious process from time to time.
However, we need to remember that those of us reading El Reg are those who, I'd hope, have some semblance of technical knowhow, and I think readers forget the general inept, ill-informed and generally gullible nature of the average user. I think the Android Marketplace will probably be locked down, but not to it's detriment despite the wailing and gnashing of teeth from the geek community. For Android to succeed as a consumer OS on consumer handsets, it has to, to borrow and appleism, 1: just work and 2: gain the trust of it's userbase. Without those, it will fail in the massmarket and be relegated to the realms of geeks and gadgets.
You can't have it both ways. You either want it to become a popular and mainstream success, or remain a near-infinitly flexible platform that -you- can tweak without the interference of BigBrother determining what apps you can and can't install.
That is not to say that because the developer releases under the GPL they are above suspicion, but downloading / viewing / compiling the source oneself, certainly makes me feel more secure.
This applies in any situation, not just on the Android marketplace :-)
Sadly, most of the rest of humanity, seem to have very little interest in the source code behind the software they use.
"Sadly, most of the rest of humanity, seem to have very little interest in the source code behind the software they use."
Whilst I agree with you regarding open source, most of humanity doesn't have a clue what source code is, and wouldn't understand the, what would be to them gobbledygook, should they view the code anyway. And how many of them would be able to interpret and correct compilation errors? The majority of humanity are consumers, not coders or IT experts.
Google need to vet applications before making them available for public download. Yes, this takes time and effort and as a result has a financial impact. But it's not like Google are struggling for funds.
I do trust open source software above closed and proprietary code, as should the rest of humanity. And whilst the Apple way of controlling applications is extreme, it does have it's merits, such as the trust of the consumer.
Its much "easier", PR wise, to undo a hightened level of security (like Apple's) then it is to add it after the event (like Google) .. it is also an easier positive spin to say that things are now better due to streamlining/automation of the approval process.
Apple have a wildly successful marketplace for apps, so they can stay very tight for much longer ... for the majority of users (who just want things to work and don't care about developer angst 8-) this is a good thing.
Personally I would rather see Apple come up with a neat way of allowing background apps on iPhone OSX (some form of user controlled scheduler and auto-kill when too much resource is used, would be good) then to worry about wholesale changes in their approval process.
If I want to have open development on a smartphone then I would not pick Android, I'd go for Nokia's Maemo platform instead (niche and may fold but worth playing with - the N900 is nice but would be much better if cheaper). If I want to make money from the smartphone market I'll stick with Apple.
A malware app for the perpose for phising was released today for windows 7. It begs the question of how long until Microsoft closes the windows platform to all apps that have not been past an apple-appstore-style review before permitting them to run on PCs.
(seriously let's toss out the baby with the bathwater!)
The obvious solution to the locked/not locked dilemma would be to provide a highly restrictive app store through a mechanism that could be pointed to another app store if the user wishes, with suitable warnings about doing so. Anyone who just wants to feel safe and doesn't care about the implications of that level of control by the 'phone's vendor could stick with the default settings and it would be just like an iPhone.
Access to a store would be through a well documented scheme and the use of old schemes to connect would always be supported, possibly with scary warnings attached.
They could use the MS tactic of filtering out people who will complain later if it goes wrong: "Our preferred option (Recommended), Other (Advanced)"
It's kind of like jailbreaking only without the need for, erm, jailbreaking and officially supported.
Sign up, sign up for The Register's weekly IT security newsletter - click here
