Feeds

back to article Malicious apps infiltrate Google's Android Market

Google security crews have tossed at least a dozen smartphone games out of the Android Market after discovering they contained secret code that caused owners to accrue expensive charges for text messages sent to premium numbers. The malicious apps, uploaded to the Google-hosted service by a developer named Logastrod, …

COMMENTS

This topic is closed for new posts.

Page:

Does anyone else remember

in the early days of Apple's app store, Apple pulled an app from the market and disabled it? There was much hue and cry about Apple overstepping their bounds, but Apple said the mechanism was put in place originally with the idea of stopping malicious code that made it through. It made sense then, and it does now, as well. I wonder if the diverse Android marketplace might have just shown a flaw. (Not that I'm saying Apple's approach is perfect, of course.)

4
1
Boffin

Of flaws and men

In that particular aspect, Google is even more invasive that Apple, as far as I know. It can not only delete from your phone an app that you have installed from the official Android Market, but it can also force the installation on your phone of an app residing on this Market without your consent. Thank goodness, the removal works only for apps from the official Android Market - not just for anything that you have installed on your phone.

As far as we know, Apple at least can't force-feed you apps. Of course, maybe they can and we just don't know it yet...

Of course, there is a bright side to the force-feeding, too. One of the security companies, Lookout, has a product, called Plan B, which makes use of this "feature". Suppose you've lost your Android phone without taking any measures to protect it - like installing some security software on it. Then you can force-feed it Lookout's Plan B (all you need is the Gmail credentials for accessing the Android Market with that particular phone) and then lock it, locate it, wipe it, etc.

Correspondingly, the dark side is that if a malicious app makes it into the Android Market, anybody who can steal your Gmail credentials for your phone can force this malicious app to be installed on your phone without your consent.

1
0
Silver badge

So google have found a malicious app and... deleted it? While the article doesn't make it clear, I assume this also means it's been remotely nuked by Google's equally notorious kill switch. The only difference I see here is that Google have brought the Mighty Foot down on some malware, whereas Apple are likely to ban you for far more petty means even if they don't outright kill all trace of your app.

People do need to stop requesting silly permissions to throw birds at pigs or unravel a loo roll though.

2
0
Anonymous Coward

Ha-haw!

For all the bitching and kvetching about iOS's "Walled Garden" app store, I've yet to see the iOS version of this article.

7
17
Mushroom

Here you go

http://www.theregister.co.uk/2011/11/08/apple_excommunicates_charlie_miller/

And that was in the app store for 2 months

14
4
Silver badge
FAIL

anonitard

Why are the itards so often anonymous, and why are they so often ignorant?

8
5
Joke

You've really got a problem with them being anonymous haven't you. What are you planning on doing, asking one of them out?

9
4
Silver badge

No and no.

1
1
Silver badge
Joke

No...

...he thinks that he is in the same league as Prince, Elvis and madonna in that he is not annoymous by using a mono-name

Here he is in action.

http://www.youtube.com/watch?v=768RuCh-meA&noredirect=1

0
0
Anonymous Coward

Ignorant? That's rich!

Not this again Craigness. If it's not this, it's erroneously chiding people for using apostrophes. Spend a little less time here whining about anonymity (If you going to do that at least have the bollocks to use your given name - as explained to you before a pseudonym is at least as anonymous), and a bit more time actually proffering cogent counterpoints without resorting to language pedancey, especially when you have a propensity for getting it wrong.

0
4
Bronze badge
Facepalm

@Doogie1

Joke or not, how old are you? Does your Mum know you've been using her PC?

2
3
Silver badge
FAIL

a pseudonym is at least as anonymous?

If there was only one person allowed to post on here anonymously that would be true. But it's not, Anonymous coward refers to loads of people, Craigness refers to one user. You might not be able to point them out in the street, but you can easily see all the posts by that user. So quite different to posting anonymously...

1
0
Silver badge
FAIL

Can anyone answer the question I originally posted?

Please learn the difference between anonymous and pseudonymous. There is one, which is why you recognise me. It's also why Barry Shitpeas gets trolled by editorial staff while the anonymous itards do not. But why is anonymity so common among itards and not among other groups?

Prince, Madonna and Elvis all used their given names.

1
0
Silver badge
Headmaster

@AnotherNarcissist

"as explained to you before a pseudonym is at least as anonymous"

Sorry to have to be a pedant here, but this statement is incorrect. In using a pseudonym, the use can be associated with all of the posts that they have made. By posting anonymously, they cannot, as they cannot (except presumably by the mods) be distinguished from other ACs.

I think that Craigness has a point, posts made as AC do tend to have a higher chance of being inaccurate, wrong, or just plain trolls. In this case, a Jobsian fanatic claiming that such a thing would never happen with the glorious iProducts, when in fact it already has.

1
1

doogie1

@The Fuzzy Wotnot Why do you want to know how old I am? Are you planning.....no it wouldn't be so funny the second time.

0
1
Anonymous Coward

Right. I totally accept the reasoning *why* you think AC posts are, well, cowardly, however the ivory tower from which you castigate these cowards is shakey, to the extent that you don't really have a moral high ground at all. Their points are no less valid and certainly no more idiotic than those that use pseudonyms. We see utterly ridiculous posts made by people that use their given names daily and as many by those who hide be^h^h^h^h^h^h^h use pseudonyms (more on Barry in a bit). You still hide behind a veil of pseudonymity to get away with being a bit of a dick about things without any real fear of being called out on it in "real life". I doubt you'd have the brass cojones to speak to anyone out there the way that you do here, but that's a whole other thing.

The editors here make it very clear that it's their house and their rules and if *they* want to troll and ridicule you, then they will. Pisses me off too sometimes, but it's the reason that you and I come back everyday. Frankly, if you don't like it, you know what to do.

On to out mutual friend Barrington. He gets trolled because he is a ridiculous fandroid. So ridiculous in fact that even the frutiest of Apple fanbois looks rational next to him. End of. Take his post in this very thread. If an AC had posted what he had posted about Apple, the abuse from the super-team-fandroids would have been monstrous. I know that you feel aggrieved on his behalf (statutory "diddums"), but he gives as good as he gets. I often read his musings with wonderment; surely they are a joke? Surely those with a preference for Android find them embarrassing? I know some of the pro-iOS stuff makes me wince from time to time.

Lastly, this isn't really a 'war' and picking which vacuous corporate entity you support does not give you an 'identity' and if it does you've got bigger problems, it makes you look like a chump. It's perfectly acceptable to like a device that someone else doesn't especially if choice is one o the virtues of your favoured ecosystem. Calling them names because you disapprove makes you a c**t [self edited - not a fan of that word, but it's entirely apt in this situation]. Simple as that really. As does being a prissy language pedant.

1
0

antivirus vendors

remember they said antivirus not needed and their developers are selling snake oil.

Android needs even an heuristic antivirus/ application firewall. Of course, if operating system vendor calls them thieves, they won't get the necessary core functions to implement it in a practical manner.

By the way, not saying Apple way is good. Nobody really knows what kind of junk happening there.

0
6
Bronze badge

treat users as dumb sheep, give them AV

Antivirus is a lame means against the threats that exist for Android. AV is necessary when your OS is DESIGNED so it is capable to surprise a user (educated/experienced or not) with many unexpected ambushes. AV is poor substitute for the sophisticated permissions model. Even iOS (being a derivative of a *BSD system plus something else) lacks that rigour and sophistication.

For those 10 thousand smarty-pants it's been a nice lesson learned: "take your time to study what this apps is capable of doing". When you download a Windows app from the Internet, where do you examine its permissions?

And freedom is better than jail.

3
2

Browse android app store

Their permissions model, derived from j2me is not granular enough. All apps require same permissions and there's absurd levels of needless permissions asked. Users are trained to say yes. So far only white hats found and used exploits but there is no guarantee for future.

1
0
Silver badge
WTF?

Not a virus

Here's how it works...

The market page says "this app can send premium rate SMS messages, do you want to install?"

The users installed.

The TOS said "this app is going to send premium rate SMS messages, do you want to continue?"

The users continued.

The apps described here are not viruses, so anti-virus would not help, so it's not required, which is what the devs said. And since the apps are only doing what it says on the tin, I'd be wary of the lawyers if I were to call them malicious.

7
3

" I'd be wary of the lawyers if I were to call them malicious."

Well my dictionary defines malicious as " motivated by wrongful,vicious,or mischievous purposes" and since they were copying over peoples work I'd call that malicious.

1
1

Re: Not a virus

Actually, on the tin italso says "Angry Birds," and Assassin's Creed," etc., so I don't think these are by legitimate at all.

dZ.

3
1
Bronze badge

Their (as any other one) permissions model was derived from the Unix' original one.

>>is not granular enough.

Nothing is perfect, however it is much better than an AV.

>>Users are trained to say yes.

They should be trained to think, examining permissions is not a rocket (not a rootkit either) science, much lesser headache than the AV business. Do not get surprised to get hundred-dollar bills for someone's txt messages or long distance ph. calls, if you allowed some "crazy birds" game to access corresponding permissions.

>>So far only white hats found and used exploits but there is no guarantee for future.

There is a guarantee that no Windows stupidity can occur, when millions of desktops and servers get infected within days (if Google does not reinvent the RPC marvel in the future)

3
2
Boffin

AV and malicious apps

While the apps in question are indeed not viruses (they are Trojans at best; no viruses for the Android exist yet, while at least two viruses exist for - jailbroken - iPhones), the existing anti-virus programs for Android do detect malware (including Trojans) - not only viruses. In particular, some anti-virus programs detected these particular apps long before Google got wise any removed them.

So, having a good anti-virus on your phone isn't a bad idea, after all. Emphasis on "good", though. Most of those out there suck.

3
0
Anonymous Coward

I totally agree with user stupidy.

After all you check your tyres each morning for wear and damage and ensure all your lights are wokking (of course you have spare for all at hand don't you)?. You check your oil levels and tyre pressure once a week. You routinely check your battery and screen wash levels. What about the state of your brakes, or are you waiting for the little light to come on, telling you you've left ti to late?

And of course, if you don't grease the moving parts, check you spark gaps (bet you don't even know what your gap is supposed to be), change your filters (air and fuel), exhaust for leakage, belts for tightness, well then you're just being silly and should be allowed near a car until you learn this very basic things.

Ask yourself this?

How many people have been killed as a DIRECT result of failing to maintaintheir PC / Phone? Yet people drive there cars every days presuming that little warining light will work, or the tyre won't blow out at 70mph.

You see, we all take things for granted, just maybe we have our priorites a little wrong perhaps?

2
0
Bronze badge

too much ado about driving

Do not exaggerate. You do need to check the brake before driving. Usually, an attempt to stop will let you know if the brakes are OK. Before hitting the road for a long drive you might also need to check some fluids, if you do not want to get stuck in the middle of nowhere waiting for an expensive road assistance. Nothing to say about regular oil changes/checks. Nothing additional is necessary. You might have a mechanic do it for you if you want. In any case, just a little brain activity is needed.

Yet, better ride a bike! :)

1
1
Anonymous Coward

Cue the blue face paint now

FREEEEEEEEEEEEEEEEEEEEDDDOOOOOMMMMMMMMMMMMMMMMMMmmmmmmmm !!!

3
1
Silver badge
Stop

Cynical

in me says that was orchestrated by the sellers of Android security products, in an aim to prove one IS needed.

Thats how low they sink...

2
9
Anonymous Coward

Yes...

Yes, Barry, we know - there is nothing wrong with Android at all, it's perfect, totally secure, totally usable and impervious to attack. Whereas the others are all rubbish.

9
2
Silver badge
Thumb Up

AC

It's rare for an AC to speak the truth around here. Usually it's only the itards who feel the need to hide.

2
6
Bronze badge

That's because...

Itards (as you put it) are scared of android-wielding psychopaths. They're a scary bunch, you know ;-)

Would that make them iphonophobes?

Push Androids choice and open architecture then slag off anyone who chooses something not Android. That makes sense....

1
1
Big Brother

How do you tell from non-malicious?

Official EA games, like Tetris, require permissions to make a call and do SMS.

How did they tell from permissions alone?

8
3
Anonymous Coward

"Official EA games, like Tetris, require permissions to make a call and do SMS."

Errr... no... they don't.

Quick look at the permissions required for Tetris, Sims, Need For Speed, Bejeweled 2, Worms and FIFA 2010 all show no requirement for make calls or send SMS.

2
1

When EA first released it's free copy of Tetris back in August it sure as heck did.

3
1

Dude, that wasn't EA. You may want to scan for malware... Just saying.

3
0
Anonymous Coward

@sqlrob

I think we've found one of the ill fated 10,000!

0
0
Stop

Actually I can back him up on that

As I bitched about it at the time:

http://floor4.co.uk/2011/08/30/android-and-the-unexplained-permissions/

Screenshot of the permissions for TETRIS FREE on release in there.

1
0
Mushroom

It's not malicious. Hell, it's not even sneaky

Masquerading as entertainment in order to extract a buck from a stupid punter... there IS one born every minute. PT Barnum would be proud.

If the reporting is accurate:

- The apps had terms of service that were clear in what you were getting.

- The apps notified you of the services they were going to access when you installed them.

- The apps didn't do the consumer or their devices any harm and didn't do anything that they hadn't been clear that they were going to do.

The only reason to pull these apps was copyright violations of the games that the apps disguised themselves as. But taking advantage of naive and stupid customers ? That's the commercial basis for consumerism without which many more people would be out of work.

6
1
Boffin

What they need to do....

....is instead of just displaying the permissions requested by the app, allow the user to say yay or nay to each one. If App A wants to read my contacts, sms, and location, I may want to say no to all but location. If it breaks the app then so be it, I probaby didn't want it anyway.

That gives me an idea, maybe what's needed is a modified client that can provide bogus data for the apps that want access to sensitive areas, so no app breakage but no unwanted 'functionality' either...

6
0
Bronze badge

Would be more complicated and unrealistic.

0
3
Boffin

Rights

You are very right about the first part - it is a big problem that the Android security paradigm does not allow the user to choose which of the requested privileges to grant to the app. (And be later able to grant or revoke any other privileges.)

Sadly, you are wrong about the second part - it is not practical to implement this without a complete re-design of Android.

0
0

You can already do this

You can do much of this permission control either with LBE security guard (available in the marked) or by flashing a MIUI ROM. For the latest one, the superuser app controls all these permissions.

0
0
Boffin

A redesign of all the apps as well. I think it would risk introducing a lot more apps that give an unsatisfactory user experience (due to permission failures).

0
0
WTF?

Why Not??

Why is it not possible to build a firewall app?????

Is there something specific in android that prevents a zone alarm type app from working.

Very suspicious, google creates OS where you can't block access to the ad-server, it's enough to make you want to like a life of seclusion in the walled garden!

0
1
WTF?

It is possible

Just a couple of examples - Droidwall is a good firewall, adaway and adaware and two ad blockers. So, please check before spewing FUD, some attempts are too easy to unmask.

0
0
Stop

There's something wrong here

...either with the article or Android.

If the applications only asked for permission to “edit SMS or MMS, read SMS or MMS, receive SMS” how was it able to send sms? That requires the "SEND SMS" permission.

0
0

Replying to my own post it seems from the article on Sophos that the applications requested permission to send SMS, so nothing wrong with the Android permission system.

1
0

A high proportion of legitimate apps demand permissions that look very scary. If you're going to make use of the facilities of a smartphone, you have to allow apps that actually do something, and often that has the potential to cost money or compromise privacy. I do look carefully at permissions, and reviews, but often it's far from obvious why certain permissions are required. So far I haven't been stung, but after the first app that I download that picks my pocket, I will very seriously consider ditching my Android for an iPhone. And a lot of others will do likewise.

As for the people who think that being crooked is just legitimate business, they will squeal loud enough when they meet someone cleverer than they are who thinks the same thing.

1
3
Silver badge

ipad pick a pocket

When you get your pocket picked for £1300 by a free child's ipad game, you can come right back to the light side.

http://community.phones4u.co.uk/school-boy-error-seven-year-old-racks-up-1300-bill-with-ipad-app/

4
3
WTF?

Seriously? The "Tap Zoo" thing?

FYI: the same apps are also available for... Android.

In the Android Market.

That "problem" you've reported boils down to illiteracy on the part of the parent. To quote the second offing line in the Apple App Store description:

"PLEASE NOTE: this game lets you purchase items within the game for real money. Please disable in-app-purchases on your device if you do not want this feature to be accessible."

This is following the typical "freemium" app model made popular by Facebook. You'll find many apps on that platform also offer this "feature".

This is hardly in the same league as *pirating* someone else's game and *injecting it with malicious code*, then *selling* your malware as if it were the original game, is it?

Yes, the malware does request SMS access permissions, but most users have long since been trained to just click through these. (Especially on Android, where the permissions system comes across like the old Windows Vista implementation of its "User Access Control" feature. You'd think Google would have learned from that, but clearly not.)

As for the point that the game does state that it could charge upwards of $4.50 for SMS messages, perhaps someone could point out exactly *where* this was stated. Was it at the bottom of a 5000-word EULA full of legalese and deliberate obfuscation, perhaps?

Users are not "stupid". Many will be ignorant—nobody can possibly know everything there is to know about every subject today—and that should be your *basic assumption* about your end users. Most people not only do not know how computers work, but they really could not care less. How many of you know how the railway tunnels your metro trains run through were built? How many of you know whether the trains use two-phase or three-phase electricity? No? And yet you'll happily use that technology without giving it a second thought.

Until the IT industry grows the fuck up and realises that its problems are its own damned fault, we will constantly repeat history.

Curation is not inherently wrong or evil. All museums are curated, as are all galleries, libraries, gated communities, apartment blocks with concierges, hotels, and more. Go ahead: try shoplifting in a shopping mall and see how far you get before the mall's own security services catch you. That's curation, that is. In real life. And nobody seems to mind.

The bazaar, so beloved of "Free Software" advocates, is also beloved of petty criminals, shysters, conmen and more. Now, I could spend my shopping hours being very carefully paranoid, wasting my time haggling over the price of goods and taking forever to get anything useful done. Personally, I'd rather not go through all that. I like convenience and curated shopping environments—be they real or virtual—suit me far better.

I fully appreciate that there are many who do enjoy that bazaar approach. I just don't happen to be one of them. And neither do Apple's customers.

The thing is: *I'm* not the one constantly shouting from the rooftops that every shopping mall and high street be turned into a bazaar. Zealots like you and others here, on the other hand, are. And it's getting fucking old.

4
4

Page:

This topic is closed for new posts.