Developers of the SpyEye banking trojan have started bundling it with malware for phones running Google's Android operating system to intercept text messages many financial institutions use to prevent fraud, researchers said. The trojan known as Spitmo is SpyEye's first in-the-wild malware to target Android, Ayelet Heyman, a …
It's worrying the number of app's in the unpoliced droid market place that have all kinds of funky permissions, as in really funky why would a RSS reader need access to my phone call and contacts? Why would that chess application want access to email.
I got a £10 payment card so I could buy some android apps and games, but everytime I see something I want I get to the install screen and it asks for permissions it doesn't seem to need. Consequently I've brought one app in the 2 months I've had the phone.
Why can't I buy and install the apps then deny permissions I don't want it to have at run time?
There are apps for rooted devices that allow you to restrict permissions. i.e. you can install an app that asks permission to access your address book, but it won't be able to when it tries. This will cause some apps to force-close, however.
IMHO, this facility should be a basic feature of Android, and developers should code their apps such that they don't die when told to feck off when asking for a permission.
Ideally a clean Android device should ask permission the first time an app asks for certain sensitive permissions (address book, things that cost money, SMS, location, etc). Users should be given a choice of "always allow", "never allow" or "always ask".
With regard to permissions look at this lot:
Your personal information
Services that cost you money
Now, what do you think would need all of those? Eh?
HTC's battery widget, that's what. And, because its installed from the "HTC Hub" app, you don't get to see these unless you happen to browse the app in the Manage Applications settings screen.
RE: Why can't I buy and install the apps then deny permissions I don't want it to have at run time?
Is that not the case? Wow, then it's a "dead OS" phone for me until Apple stop being up their own arse and Google sort their shit out.
Only allowing install if permission to texts, phonebook or whatever is given is brain dead. Even my "shitty old" Symbian asks me each time access is requested if I want it to.
I hate to say this
Because competition is good.
But if this continues any IT professional worth their salt will be recommending to their non-IT literate friends and Rellies that they avoid android or will be at least loading an AV app for them.
If only to avoid the inevitable support calls!
Alternatively this is another great opportunity for Amazon to differentiate themselves. Imagine them advertising that their App store is malware free and locking the "kindle pad" to it.
You would have thought so...
but if recent history is anything to go by IT professional seem to prefer systems that are insecure and require plenty of support and configuration.
Security issues such as stated in this article almost guarantee mainstream Android adoption into enterprise IT. BlackBerry and iOS are a little to stable for comfort.
IT professionals bosses prefer systems as you described.
And that's why everyone should install DroidWall. About every app out there asks for internet access, while many do not need it (e.g. games).
With DroidWall, you can simply install these apps without giving them internet access. Without internet access, they have no way of sending their silly data back to their silly writers.
Malware will just use an SMS instead if they find that Internet access is blocked.
We really need fine-grained allow/deny controls that come with some sensible defaults to discourage developers to ask for everything as if they ask for everything they'd have to explain to the user that they need to go through ticking boxes and then they might also need to explain why (our shooty game will not run unless you allow us to access your phone number, GPS, and Internet because we sell your data on to the highest bidder).
The closest is Symbian, but that's not shiney and new so I suppose it doesn't count. It still pops up a dialog asking me if I want to allow the app to access the Internet though.
LBE Privacy Guard
is a godsend. I have maybe 100 or so aps on my phone but very few get all of the rights they wish. Pretty much all of them continue to work.
IMHO LBE is better than DroidWall
as it prevents other types of access from apps like the ability to send SMS, look at contacts, retrieve your IMEI or mobile number etc. After it has been installed it will then ask you to set the permissions for any newly downloaded app. For any existing app it defaults to asking the question when access to sensitive stuff is required.
DroidWall is more granular is what it will / will not allow in networking terms (wireless / 3G) - LBE just allows it or not.
Cheers, giving it a whirl now. Quite an eye-opener to see what permissions some apps are requesting... a few minutes clicking deny felt strangely satisfying.
...that banks are sending security information to smartphones.
These are devices where the end-user can download "apps" and give them full privileges. *Of course* they are going to be targetted by the bad guys. In other news, the last twenty years called. They want their woeful record on PC security back.
Only install from the Android Market & go through the permissions discreetly
Only install from the Android Market. Before installing, look for the permissions it requires. If the permissions being sought are inconsistent or over & beyond the functional requirements of the App, just don't install it. With Android, at least you know what is being accessed by an App but with any other OS you can never be sure, unless some researcher points it out. However, Google needs to monitor the Apps' permissions more discreetly.
Just curious. Has any Android malware been found that exploits the fact that the app it's disguised as actually has a legitimate use for whatever service(s) it happens to need to do its nefarious business? What about bait-and-switches where apps that begin legitimate (and have the appropriate permissions for valid reasons) are later updated into malware but with no permissions change?