Trend Micro is reporting a Chinese Android malware that operates partly under the command and control of a blog. The ANDROIDOS_ANSERVERBOT.A malware is disguised as an e-book reader offered on a third-party Chinese app store. It uses two command and control servers, one of them served out of a blog with encrypted posts. Posts to …
This is just a trojan, installed by the user ignoring all security warnings. If someone has a solution for PBKAC -Other than eugenics (which is immoral and takes far too long ;-) this is a good moment for making it public.
I never ignore the security warnings
That's why I've had my android phone for 3 months and I've only downloaded 1 app. Every app I look at seems to want more permissions than it needs. So unless android authors start to reign in their requirements this problem is going to get worse as people either get conditioned to ignoring massive lists of permissions or just stop downloading apps.
Recommend LBE Privacy to control what apps can/cannot do
The challenge is
To educate the mass market why one app should and another app should gain access to the rights when asked. Most 'normal' users that I know, i.e. those not working in IT, just find that screen a nuisance and automatically click through. One shouldn't present geeky stuff like that to the masses and some trusted vetting on apps is very much needed.
I don't even let facebook access my SMSs, on the grounds that they don't need that permission in order to provide their advertised functionality. Why would anyone allow an ereader to do more than access the web and filesystem?
Because they don't understand the risks? Because the message is badly worded? Because they think the app is from someone they trust? Because all their friends have the app and they want it too? Those are just 4 off the top of my head. I agree than people are the weak link in the chain, but that's just the way consumers are. If your market place is full of malware and competing markets aren't then eventually you're going to lose customers...
The message in the market app on the phone is displayed before you can install the app or the upgrade. It is along the lines of
Allow this application to access: Services which cost you money - Send SMS messages.
The message in the web market place is even clearer.
What is malware? If the iphone allows apps to integrate into services like sms then apps which don't require this for their advertised functionality could still demand it as a condition of installing, and then you would enable what you call malware. If it doesn't allow such integration whist competing platforms do then it will lose customers. Giving permissions to criminals is not restricted to non-apple users, surely?
You asked why people might ignore warnings, I suggested a number of reasons. Your reply to those reasons is to state that the messages are clear. That doesn't refute the fact that people will ignore them.
A better system would be to warn the user when the app attempts to use the permission ("Cool screensaver app is attempting to send an sms. Allow once, allow always, deny once, deny always?) This puts the user in control, but can be seen as a bit crap from a user experience point of view. Still, I'd rather be inconvenienced by dialogues than ripped off by scammers....
I believe criminals also find it more difficult to get their apps into apple's app store than into the Android store. But I might be wrong there, just never heard anyone moan about how long the android approval process is taking...
The fact that the messages is clear is a reply to one of your reasons, not all of them.
Maybe Apple has the right model to follow.
Problem is that some seemingly "safe" apps ask for the same wide permissions ... I'm fairly sure that Google Tracks or Maps asks for similar - I was certainly surprised that one of the Google apps was asking for permission to make calls but its possible that that may be to enable you to find a location (e.g. a restaurant) on a map and phone it directly. As a result its sometimes difficult to work out why an app is requesting certain permissions.
Possibly a solution would be to require apps to state the reasons why they need each of the permissions which you could browse before deciding to accept/decline the install ... clearly this is not 100% foolproof but migh give some guidance.
Some apps do state the reasons they require certain permissions. As a rule of thumb I don't use any which request unlikely permissions without giving a reason. If they are forced to give a reason they might just put useless stuff like "to enhance your experience". If it's anything like an EULA, the more words there are in the permissions section the less people are likely to read it.
Android security has been increasingly under a cloud?
Malware stored on a third party site does not impinge on the Android security. A worm burrowing its way onto your Android without user interaction would be of concern. There is no protection against the end user clicking and installing malware.
There's a real opportunity here for somebody like HTC or Samsung to step up to the plate and launch their own version of the app market.
Apps would be vetted and certified as safe, users sleep better and HTC/Samsung open up a new revenue stream and start making money from more than just the hardware.
On a 3rd party Chinese app store.
Take that to read, NOT AVAILABLE IN THE MARKET, dumbasses. Its not like you're auntie is going to download this thing.
Its kind of like me saying your mom is a slut because she caught syphilis after I injected her with it.
Pretty sure this is one I have installed...
I have this reader here : https://market.android.com/details?id=com.chaozh.iReaderFree&hl=en
It was a nice little reader - even if more involved with updates for chinese character support.
However the latest version demands SMS sending, change wifi state, location, and the ability to change your APN - I immediately thought that was dodgy and didn't update. Glad to see I was right.
Anyone recommend an ebook reader that can actually read txt files instead of only mobi and epub?
Try Endless Reader
Its free and has no special permissions or ads. I haven't been able to find anything that does all formats so I switch between this and FB reader
- YARR! Pirates walk the plank: DMCA magnets sink in Google results
- Pics Whisper tracks its users. So we tracked down its LA office. This is what happened next
- OnePlus One cut-price Android phone on sale to all... for 1 HOUR
- UNIX greybeards threaten Debian fork over systemd plan
- Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know