Feeds

back to article Android malware attacks show perils of Google openness

This week's discovery of malware that hijacked tens of thousands of Android cellphones shows the pitfalls of Google's decision to make the operating system the Wikipedia of mobile platforms that offers apps written by virtually anyone. A couple years ago, the choice helped the OS gain traction against Apple's more entrenched …

COMMENTS

This topic is closed for new posts.

Page:

Pirate

VIrus/malware checkers

So are there no virus checkers/malware shields available on android? I would have thought the AVG et al would be jumping into this new market...

2
0
Anonymous Coward

RE: VIrus/malware checkers

AVG is available on Android, as I believe are a couple of others.

I think the article was more about the lack of vetting controls of Apps before they are published rather than the issue of AV/Malware checking after they are published.

0
0
FAIL

#Error: Titles lead to misrepresentation

AVG is already on the android market

1
2
Silver badge

Yes there are and yes they are

I downloaded the free AVG antivirus app from the Android Market after reading a review of three different ones. Try typing 'Android antivirus' into a search engine.

0
0
Anonymous Coward

Openness

If his is the cost of "OPENNESS" than so be it! Otherwise there is no Liberty and Justice for all.

8
7
Silver badge

@AC, Openness

Yeah right*. Try telling that to the non-technical majority who don't know what you're on about but do worry that their bank details might have been compromised and their accounts emptied.

Openness is fine so long as there's a quick way to propogate updates. Google forgot that part completely. As Android currently stands virus writers can have a field day because it takes far too long (if it ever happens at all) for customer's handsets to get updated.

*apologies if you were being ironic...

8
4
Anonymous Coward

RE: @AC, Openness

Umm, there is a quick way to update Android phones, and Google have done several times since I have had mine.

I don't think this is so much an issue of patching exploits, although that is something thats needs to happen on any plaform. But, with Google, it's the fact there are no controls or vetting on what an developer may publish or much in the way of controls on that App once published.

This then allows Developers to use valid functionaility of Android for dubious purposes. In much the same way for example, I could write a Windows app to plug into Outlook and send all the users contacts back to a website - it's not using any exploit other than user trust in that application.

With windows now however, there are now a host of controls in place that would alert the user something is not right. So for example, Outlook would flash up that the app is trying to access my contacts and the firewall will alert me that the app is trying to make an external connection. If that app was not meant to have anything to do with that, I would be concerned and click no. And indeed such an app would be quickly marked as malware and picked up by AV programs.

With Apple, that app would never make it to market in the first place.

With Google, it would, and once the users has clicked 'Accept' before install, that app is free to do what it wants. Plus AV is in it's infancy and rarely used.

I for example, I am very dubious of many applications - why for example do so many games need access to my address book and call history for example? They don't, but my wife will happy click Accept to install them without even noticing this. User trust duly exploited and no further controls in the way!

2
0
Go

Damn You

I'm pretty stoically pro-android (to be more precise, I'm Anti-apple and a bit "meh" re: WinPhone7)

That said, much as I'd like to disagree, those are all very valid points and I congratulate you for a sensible, balanced comment.

Perhaps the real compromise would be: Start vetting the app store but leave the "Can install from untrusted source option". That way, if I want to go and install Dodgyware(TM), I can do so - but only after I've made an explicit decision to accept risk.

I also feel compelled to point out that even though a vetting process improves security, it doesn't guarantee it - so I think all the app stores (Android/Apple/WP7) are giving a false sense of security to greater or lesser degrees

1
0
Paris Hilton

what?

Clearly we have all forgotten that there was a similar issue with the Apple app store. This issue will exist regardless of the ecosystem in which the platforms attempt to foster. If someone wishes to be malicious they will be, it is just that simple. As with any new system it will take time for vendors and applications to gain traction and for reputation or companies and developers to build.

I will however agree with you on the updates. Androids biggest issue here is the lag time between vendors redoing versions to fit their own customizations and the updates which are required in core. That element of the Android operating system needs to be seriously modified.

Paris because she knows a thing or two about taking precautions to avoid infections.

1
1
Terminator

Agreed

Simple way to sneak a malicious app into the Apple Store: have it wait 30 days or so before it starts behaving maliciously. Will give the "legit app" part of the app time enough to be vetted, and also obscure which installed app caused the infection.

I agree with the Android fragmentation view. The one thing iOS has going for it is the enforced updates to the latest version (at least until the 3G and less got booted out, but that's likely due to handset capabilities and thus understandable). Honestly, since handset makers practically abandon their models after a month, there should be a "defaults to Google" function in there that allows Google to push over-the-air updates for these abandoned phones.

/Terminator, for lack of an Android icon.

2
0

Heavy handed or curated?

The heavy-handed control of the App Store is not to the consumer but to the programmers. Apple puts specific limits on programming techniques used (no hidden APIs for example) on programs submitted tot he App Store. They also put some odd limits of content (no SouthPark? Seriously?) but in all, the over-whelming majority of content is available to the users of the platform. Likewise, you do not get the feeling of shopping in back alley ways in seedy parts of town. Copyright infringement that is rampant within the Market Place is almost non-existant on the App Store.

Not bad for being just 4 months older than the Market Place. 2X the Apps. 17X the revenue to developers. 3X the download rates. There are many different browsers in the App Store. Different music sources. NetFlix and Hulu both that are unworkable in Android due to their reliance on Flash.

16
15
Thumb Up

Curated, any time

StevenN hit the nail on the head, as demonstrated by the number of downvotes. I'll take the curated App Store over the shambolic Market any day.

8
5
Coat

How does your light shine...

...on the road to Sham-ba-la?

Sorry, couldn't help it. I'll be going now.

1
0
Unhappy

No SouthPark

Because they are Nazi's that can't take any criticism.

I wonder how many other apple Critics are banned from their marketplace?

Futurama sure portrayed the evil of Apple and the lemming nature of their customers well....

4
0
Flame

idiots are the bigger problem

People have a device that contains some of their most sensitive data and important info and then they install apps without ever checking permissions. The lack of judgement is the bigger issue. It's like the guy who complains his PC got hacked and lost his personal info and pictures after trying to download warez/porn.

No one promised Android or iOS would be malware free, so people need to actually use their brain.

/rant

11
8
Silver badge

So badly wrong

More so even than their PC people expect their phones to just work. If Android has any expectation of long term success google need to get a handle on this malware problem quickly.

Imagine the legitimate fear either MS or Apple or just public perception could generate if this problem becomes common place on Android.

You should not need anything more than basic web common sense to safely use a smartphone.

It is not the same situation as PC's by a long way.

7
4
Anonymous Coward

Most people aren't security experts

We're not talking about someone browsing into dodgy websites and downloading stuff they know should full well should be payed for.

This is customers going to a legitimate, advertised marketplace, run by a large, respected company, finding products that look authentic in *every* respect, and purchasing/downloading from a source they perceive to be on the level. You call these people 'idiots', but how are they to know? It's run by Google. It's sitting on the shelf next to a host of genuine products. There is nothing that would provide a hint that the software is shady.

These trojans would have run for much longer except for the fact that someone with real expertise became suspicious and was able to confirm the problem. There are very few people who can do that. It isn't fair to shift the blame onto the vast majority who do not have this expertise. This problem is endemic to the Google Market - if they continue to allow it to run like this, a lot of people will get burnt. It's a sitting duck.

9
1
Anonymous Coward

@Rolandct

How can you really blame the users on this? The mobile app market is such that when you want an app - you go to the appropriate marketplace and download the app(s) you want. Hate Apple or despise Apple, the iTunes model is the one that normal people want.

Google are the ones completely to blame here - it is analogous to the FSA "approving" a loan firm simply on receipt of £25 and then you blaming the punters who went for an FSA approved loans company and ended up with 20000% apr from Honest Tony's MafiaLoans company. Google should either vet the apps they approve or refuse to approve apps and make it clear that have done so.

Remember, this is not about people downloading android apps from nakedbrittney.ru this is about people buying apps from the official phone OS manufacturer's marketplace: as seen from the article where it clearly states: "The recent discovery of some 55 malware-tainted apps available in the Android Market "

9
2

@Rolandct

Did you miss the part about the malware masquerading as legitimate applications? The authors took some real applications that people have been purchasing or downloading, re-packaged them with the trojan, and deployed them to the market place posing as the originals.

The users didn't necessarily lack judgement in installing apps "without ever checking permissions," they perhaps gave acceptable permissions for the app they *thought* they had downloaded.

I agree with you that users should exercise caution when browsing the open Web, and especially when downloading files from shady sites. However, in this case, the article is implying that the users had no reasonable way of knowing.

-dZ.

2
1
Silver badge

@Rolandct

Actually, His Stevieness has long stated that the reason for the purpose for the walled garden is to stop this kind of problem.

4
2

fail

Or use the App Store or Windows Phone or Blackberry markets that actually vet developers and you can't upload any rubbish you want. When you go to the official market store and download an app you expect not to steal your details at least. This is not like some pc virus and you can't afford to have an antivirus running on a mobile!

0
1
Silver badge

Most of the early malware on PCs masqueraded as legitimate applications.

We're not talking drive by malware on smartphones yet. The day will come, and the iPhone will be just as hacked as the rest of them are when it does.

2
0

When traveling abroad.

This situation is analogous to some who lives in a secure country.

They decide to travel somewhere unknown.

They visit a place during the day that is beautiful and pleasant.

That night they return only to find, after dark, it not a good place to be.

Exploration outside a secure environment will never be absolutely safe.

As as it turns out to be, even in a perceived secure environment, IE Windows, stuff happens.

Google should just write the code that watches a "clean room/honeypot" phone with each program before it is accepted for each application.

Not a fun job, but worth their time.

0
0
Anonymous Coward

It is not the openness that is to blame here...

The openness as in Open Source is not to blame here. By this the author of this article are completely wrong and/or misinformed. Although that Android have a linux core, in essence the OS is very little as linux. Android contains mainly of Java. It's aspiration to be as userfriendly as possible are the problem. It is more similar to windows in that aspect. And that is what's to blame!

On a normal linux system the virus would need to ask the user for a password. And do that everytime it would like to do something.. like change a file in the root system.

I am not saying that linux is free of viruses.. it is not. It has a couple of them. It is just a lot more difficult to make a virus for the linux system. Especially a virus that can hurt. A virus might be able to change one file or so.. but after that the system would stop it. Let alone spread to someone els. Of course if the user don't do anything stupid will say.

I am not sure but believe a more linux like system as the Meego one might be a safer bet. It is also more Open Sourced than Android is.

7
4

no java here

Android apps compile to davlik byte code and are executed on a 'linux' system. Java is just the starting language, android doesn't contain a java runtime.

If I'm reading the article correctly we're talking about root exploits - which wouldn't requires passwords. Typically they require patches to fix, and provided they aren't day0 then one would imagine it should be possible to scan for attack signatures...

0
0

@AC

Oh, chill out, man. Nobody mentioned Open Source. The article doesn't even capitalize the word "open" to give it special meaning. It is not even talking about Linux nor any issue inherent in the software. It refers to the "openness" of the shop's *ecosystem* itself: a market place where anybody can sell anything, without artificial constraints such as a centralized curating body.

Jeez! Take that chip off your shoulder and try to to follow context.

-dZ.

7
1
Bronze badge
Thumb Up

@DZ-jay

> Jeez! Take that chip off your shoulder and try to to follow context.

Loved it!

0
0

Certification

Google should start a certification program, where developers would pay a fee to see their apps reviewed and certified as "not malware".

People would still be able to install whatever app they choose, but if it is not certified, they would know that they are on their own.

18
1
Anonymous Coward

Timely

>“The openness of the platform..... [etc] Vanja Svajcer wrote on Sophos's Naked Security blog.

And just a couple of weeks after they announced Sophos Mobile Control­ for Android.

2
0
Pint

Life worth living?

I'd rather peruse in Google's proverbial New York city rather than Jobs' solitary confinement complete with straight jacket.

It's Friday, I want a beer.

11
9
Silver badge

Yes but..

Posters on the Reg are not representative of the general public.

In genral most would rather to a mall than a fleamarket.

4
1

That would be NYC at night

Bad things can happen at night.

0
0

This post has been deleted by a moderator

Alert

It was only a matter of time

I was wondering how long it would take for this to start happening.

Sure Android is open and fun but for businesses and serious users who do banking and most other things on their phones these days the Apple App Store is the safest as far as Im concerned.

17
18
Silver badge

He has a point

Lot of fanboi's on the down vote.

Truth hurts.

6
6
Silver badge
Thumb Up

@wathend

Yes, I agree completely with you. It was indeed only a matter of time. Google's naivety has been truly staggering.

Open source 'works' because anyone can review code, find bugs and issue fixes which people can adopt. By that mechanism problems are found, dealt with, and everything improves surprisingly quickly.

The bit Google forgot about was the "fix adoption" part. The likelihood of the latest Android updates actually being rolled out to user's mobiles by networks is effectively nill. If they do roll out an update it's nearly always months behind the release date, during which time the virus writers have had a field day. And there will always be vulnerabilities in the latest version. People are buying phones probably with security bugs in them knowing that they will almost certainly never get fixed during the two year contract they've just signed up to (or whatever).

Updates are a necessity that Apple, Microsoft, RIM and Nokia have recognised. Microsoft's less than perfect update the other day certainly tarnished their reputation, and they need to get the next one very right indeed. Apple have the occassional update woopsie, but then again product faults in the Apple market seem to make no difference anyway.

The reporter wrote:

"The episode demonstrates the ugly predicament confronting consumers of smartphone apps..."

and then completely failed to mention BlackBerry. RIM are becoming interesting - very much a closed shop (it's all theirs), there's the BlackBerry World App Store, and a robust reputation for security. Dismissed by many as a businessman's phone with nothing exciting at all, it is often forgotten about. Yet the Torch is getting pretty good reviews, there's quite a lot of apps for it, etc. I got one only after stumbling across it whilst shopping round. It's close to being a complete Apple alternative without Apple's restrictive zeal, but without the problems of Android and Microsoft. If you can't stand Apple then it's almost the perfect phone.

Getting back to this Android virus problem. I wonder how much trouble there's going to be for the manufacturers that have backed Android as their only option? This sort of problem could be a company killer if the world population suddenly decides they don't want Android at all. For Windows desktop MS had a monopoly (in effect) which bought them time to get serious about improving Window's security. Google doesn't have that luxury - people can and probably will stop buying it just like that if it gets a bad reputation.

4
2
Silver badge

As evidenced by the flashlight-cum-tethering app...

Apple don't do a complete code audit of every app in their store. What's to stop a similarly spiked app with a rootkit on board making it in? Only one hardware platform to figure out how to root, too.

Well, unless it gets banned for not having a convincingly wet sound to the farts available, or something.

5
2
Anonymous Coward

Anything you carry around

that is likely to be used in full view of muggers as you walk down street - is it really safe to do banking etc. irrespective of software used?

Personally I suspect one of the major problems is people install too many things they'd never use after 5 mins - like rubbish cover disks were a major issue for Dos/Windows back in 90s

1
0
Anonymous Coward

Wow

I don't want you anywhere near my network if that's your attitude to security.

1
0
Thumb Down

iPhone with the giant pdf jailbreak?

Oh yes that'll be apples secure ecosystem that allowed iPhones in physical apple stores to be jailbroken (root code exploit) by visiting a simple website?

-

As for other "secure" and "business" phones anecdotally Ive only ever seen one smartphone dead by virus and that was a blackberry, what evidence is there that proportionally Apple and RIM arent offering less secure ecosystems?

1
0
Silver badge
FAIL

Open testing required

Android can probably make a virtue out of this by implementing some kind of testing infrastructure that checks applications automatically. An open process should allow best practice to be implemented quickly. We can only guess that Apple tests as much for non-Apple backdoors as they do for unsuitable content or stuff the just don't like.

1
0
Pint

Security is the users responsibility

If you go around installing software from an unknown developer, with no antimalware software and a pile of personal information stored in the device you deserve your infected phone.

Seriously if you are expecting your phone's OS to defend it against yourself then you really shouldn't have your phone.

Anyway is it time to goto the pub yet???

4
10
Silver badge

A very peculiar analysis indeed

"...the Wikipedia of mobile platforms that offers apps written by virtually anyone".

So you think Windows would be more secure and reliable if only a few selected providers were allowed to write apps for it?

Hasn't it occurred to you that it's Windows itself that is radically insecure and unstable?

(Incidentally, I have found Wikipedia to be a pretty reliable source in general, and what's more one that supplies far, far more useful information than any other readily-available single source).

5
3

@Tom Welsh

I'm curious regarding your comments on Wikipedia. Whenever I need to consult an encyclopaedia, it is to research information for topics I'm either unfamiliar with, or not fully experienced on. How would I know if an article in Wikipedia is accurate if by definition I am not qualified to make this assessment?

On the other hand, if I am knowledgeable on a particular topic, I could accurately determine and gauge the validity of the content; but then, why am I looking it up on Wikipedia if I'm already an authority on it?

It's an honest question, not an attempt to troll. This goes to the root of my trepidation of using Wikipedia for anything else than trivia look-ups.

-dZ.

2
0
Thumb Up

@dZ

Quite often I feel you're just trolling or strongly disagree with you, but I generally agree with everything you've said in this thread.

For Wikipedia you should just treat it like any other source and judge it on its relative merits. When we were kids we used to just accept everything in books, but most of us (I'd guess that this would be more true of people in professional jobs and, naturally, academia) now realise that books tell big fat lies some of the time, and quote hearsay a lot of the time. Realistically any book which suggests it is in any way factual, or Wikipedia, should be judged on the quality of its references and not on suspicion about whether the article is legitimate or not, or perceived authority. If I am actually trying to learn something on Wikipedia there are some things which really don't need to be checked up on (maths is a particularly obvious one) and some topics where it's important to check the references and make sure they're legitimate and say what the article author is saying they do.

Of course, this doesn't matter if you're just bored and browsing information, because people don't tend to lie about the mundane stuff.

"Whenever I need to consult an encyclopaedia, it is to research information for topics I'm either unfamiliar with, or not fully experienced on. How would I know if an article in Wikipedia is accurate if by definition I am not qualified to make this assessment?"

The real question is, how do you know if an article in anything is accurate? Then just apply the same techniques to Wikipedia. Here's something fun, Wikipedia submitted errors in the EB, how do you assess their validity?

http://en.wikipedia.org/wiki/Wikipedia:Errors_in_the_Encyclop%C3%A6dia_Britannica_that_have_been_corrected_in_Wikipedia

1
0

replace wikipedia with encyclopaedia Britannica

Erm if you replace wikipedia with encyclopaedia Britannica in your comment what changes?

0
0

@stewski

>> "Erm if you replace wikipedia with encyclopaedia Britannica in your comment what changes?"

I know that this is the standard retort, but consider that Britannica, as a private corporation intent on making profits and surviving, has it on its best interest to hire subject matter experts with sufficient experience. In fact, historically it has been trusted to do so.

Wikipedia on the other hand, has little barrier to entry. Yes, subject matter experts can write an article, but so can any ol' Tom, Dick and Harry off the Interwebz.

It is ultimately a matter of public trust, of course; and I will posit that trust is rarely engendered by lowering or even removing the barriers to participation.

-dZ.

0
0

This post has been deleted by its author

What firewall?

I'm not sure what firewall you are on about, has ubuntu changed and started running a bundle of crazy network aware services on install and putting up an inadequate software firewall, oh wait no thats the other peoples OS...

0
0
Coat

What does openness mean to you?

The discussion on whether open is good or bad is irrelevant. The problem is that the masses have lost the ability to think for themselves. If we take this as a differenciator we find that those people who would rather want the manufactorer of their mobile device to be in control are simply giving up their ability to make decisions by trusting who they consider an "expert".

On the flip side it is not easy to know who to trust. If someone can convince the masses that they have built a application store that can be trusted (good marketing always wins the masses for reference check the status of the food industry) then that individual / organization can take control of user's free choice.

What we are likely to see here is "safe" markets appear for android. Which means that organizations will create processes where they vet apps and certify them as fit for purpose or "safe". I say that in quotes because you can never really be 100% safe. There are always updates, glitches and bugs to deal with. How do you think the iPhone got jail broken. All it requires is that a user trust an app they downloaded and it can replace the OS on the device!

Bottom line is that if you try to make something fool proof you just end up making better fools. This is an old quote and people should be pretty familiar with it. I personally prefer openness. I like choice. What Android means to me is that I have a choice on which hardware I want (small screen or large? real keyboard or virtual? SD cards or no extra storage, flash or no flash, etc.....)

I also get a choice on who I trust to write software for me.

If I use my device for business / productivity then I would not download and install fart apps willy nilly. I have to have some sense. Therefore when the previous poster @wathend says:

"Sure Android is open and fun but for businesses and serious users who do banking and most other things on their phones these days the Apple App Store is the safest as far as Im concerned."

I feel that the point is being missed. If you need safety and you have sensitive data on your device then BE CAREFULL AND DON'T DO ANYTHING RISKY.

I have a daughter and I am very careful on making sure the environment she lives in. I don't control what she does, I make sure that the things around her are safe for her to deal with. This is the mentality most users of computers have not entered where they are the children and the software/hardware manufacturers are parents. Get over it. If you are an adult then take adult decisions on what to do. Learn to understand what trust is, how to build it / give it to others.

Disclaimer: I have an iPhone 3G but I will not be upgrading. I am also a developer and have been developing for over 10 years.

Here is a quote:

Any fool can make a rule, and any fool will mind it.

Henry David Thoreau

Source: http://www.brainyquote.com/quotes/keywords/fool.html#ixzz1FcYTWBvl

4
0

Page:

This topic is closed for new posts.