back to article BadNews, fandroids: MILLIONS of Google Play downloads riddled with malware

At least two million Google Play downloads gave Android users an unwanted freebie in the form of BadNews, a piece of malware which masqueraded as a legitimate advertising network. The malware was integrated into 32 different apps in the Google Store, according to mobile security specialist Lookout. Those apps have been …

COMMENTS

This topic is closed for new posts.

This post has been deleted by a moderator

This post has been deleted by a moderator

Stu
Devil

Android permissions design

Always seemed to me the whole Android permissions system is very under-granularised.

"Read Phone Status and Identity" presents the app with info such as whether somebody is on a call, but also their complete phone number and IMEI number. Combined with Internet Access permission, allows complete silent transmission of your phone number and name to black market phone number lists.

"Make phone calls" An app can legitimately call a number for you. On the other hand it can do it without your permission to a premium rate number, completely automatically, say at 3am.

"Read contact data" allows an app to show you your contacts for something within the app legitimately, or just allows more black market sellable names and phone numbers.

The list goes on and on.

If I was a really suspicious person I might think Google made them this under-granular on purpose. More and more apps are doing the whole "Read phone status & ID" thing by default now.

27
0
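The permission combinations named in the comment above can be checked mechanically from an app's manifest. This is an added example, not part of the original thread: the Python code reads the `uses-permission` entries and reports the combinations the comment describes. The sample manifests, package names, rule wording and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Manifest attributes such as android:name live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Each rule: (permissions that must ALL be requested, why that matters).
# The three rules mirror the three permissions discussed in the comment.
RULES = [
    ({P + "READ_PHONE_STATE", P + "INTERNET"},
     "phone number and IMEI are readable and can be sent off the device"),
    ({P + "READ_CONTACTS", P + "INTERNET"},
     "contact names and numbers are readable and can be sent off the device"),
    ({P + "CALL_PHONE"},
     "calls can be placed without the user confirming in the dialler"),
]

# Constructed sample: a wallpaper app asking for far more than it needs.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission/>
    <application android:label="Wallpapers"/>
</manifest>
"""

# Constructed sample: an app that only needs network access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.newsreader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="News"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:  # skip malformed entries with no android:name
            perms.add(name)
    return perms


def audit(manifest_xml):
    """Return (permissions, risk) for every rule the manifest satisfies."""
    perms = requested_permissions(manifest_xml)
    return [(sorted(needed), risk) for needed, risk in RULES
            if needed <= perms]


if __name__ == "__main__":
    for label, manifest in (("wallpapers", SAMPLE_MANIFEST),
                            ("newsreader", BENIGN_MANIFEST)):
        findings = audit(manifest)
        print(label, "->", len(findings), "finding(s)")
        for needed, risk in findings:
            print("  ", " + ".join(needed), ":", risk)
```
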
Silver badge

Re: Android permissions design

I agree. Best way to control the 'make phone calls' permission might be to pop a user prompt before every short-code SMS or non geographic number unless a specific permission is given in advance.

I'm safe because I use PAYG - as soon as I top up 15 quid on Three I buy their 500min, 5000 text, AYCE data bundle, which uses the whole amount. The phone will then not make any calls to non-geo numbers, or send premium texts because "your account balance is too low" .

But the telcos could help here by letting you set contractual terms such as requiring additional confirmation to control cost incurred, number of premium SMS that can be sent or number of mins of premium calls that can be made per month.

4
0
Ru
Silver badge

Re: Android permissions design

I've always been disappointed that you can't drop demanding applications in a sort of sandbox... as it stands, when I see an application that has unreasonable demands given its purpose, all I can do is simply opt not to install it and find an alternative.

I'd much rather put it in a nice padded room where it can be convinced that it really is reading my contacts list and erasing files from my operating system and perhaps most importantly feel that it really is sending premium rate text messages when in fact not one of these operations has a single side effect.

It isn't much of a safety net, but it would help make the current android permissions system slightly less worthless.

20
0
Bronze badge

Re: Android permissions design

Look on the bright side - at least you can actually set the permissions. Can you do that in iOS? Oh yes, and you can't do that in WP8 either.

8
9
Stu

Re: Android permissions design

Well isn't that just because Apple stop people from being able to fully utilise YOUR device that apps aren't allowed to access phone numbers, IMEI numbers, contact info, etc?

I don't remember ever seeing an iPhone app being able to dial numbers for you, but then I haven't owned an iPhone in years.

6
1
Silver badge

Re: Android permissions design

There are a whole series of basic things that could be done to sort out security...

- Instead of allowing apps to call a number directly, Android should bring up the dialler and pre-fill the number but let the user call or cancel.

- Instead of allowing apps to send messages, Android should bring up the message editor and fill it in (read only if need be if it's got data which can't be edited), but let the user send or cancel.

- Instead of allowing apps to read contact data, Android should bring up the contacts manager and allow the user to choose one or cancel.

- Pop up a modal dialog with a 'remember the answer to this question' tickbox if an app wants to request the IMEI or similar data.

Simple things like this where the OS is in the middle preventing the app getting at the data would also mean that a whole load of permissions for legit apps could be knocked on the head and it'd be much easier to spot malware because it'd still ask for everything.

Also the play store needs to clearly show how the developer earns money from the app: open source, free, pay once, in-app purchases, ad-supported, combination, etc...

If Google haven't done them by now they're probably not going to get round to doing them in the future either.

20
1
Bronze badge

Re: Android permissions design

I think there are apps that will do this (restrict permissions for other apps) - although I've not actually encountered one that would cause me to need something like that. The "opt not to install it and find an alternative" method works well enough.

2
0
Gold badge

Re: Android permissions design

Windows Phone lets you set permissions. The app store has a little blurb on each app saying what permissions it wants (next to a link to an explanation of what those permissions are). They're no more granular than Android ones from memory.

Apps then have to ask for permission to do certain stuff when you launch them, like phone home with data or use location services.

As I recall iOS only has pop-ups for allowing access to your addressbook and location services. Although it may also have the same for accessing the phone function, I don't recall ever using an app that required this.

1
4
Bronze badge

Re: Android permissions design

@I ain't Spartacus: As far as I know, the only thing WP8 "apps" ask about is use of locations. Everything else I have tried (and I've just tried installing Facebook "app" just for the sake of it) is merely information basis. Information, that's hardly satisfying. And even after I download the "app", there is no way to change the permissions as far as I know.

As far as iOS goes, I was really guessing. It was a question after all.

4
0
Gold badge

Re: Android permissions design

Aoyagi Aichou,

Unless Android has changed recently, then it and WinPho are very similar. Both list the permissions required at the bottom of the app's description page on Play Store or Marketplace. You then install them. Unless you root Android you don't get to pick and mix with permissions either.

iOS allows a bit less leeway for apps. But leaves the user a lot more in the dark as to what's going on.

4
0

Re: Android permissions design

Aoyagi Aichou,

iOS lets you block (or allow) apps access to location services (GPS), contacts, calendars, reminders, photos, Bluetooth sharing and Twitter/Facebook. There's no permission for calls or SMS as I believe those just aren't allowed at all.

While it's de rigueur to criticise iOS around here, I think the permissions model is actually pretty good.

10
0
Bronze badge
Unhappy

Re: Android permissions design

Ah, thanks for enlightening me. I admit I merely heard that Android has some proper rights management, but I guess those were all rooted. Oh well, then there is probably no modern smartphone I would like...and what's worse, I'm a tiny minority.

1
0
Anonymous Coward

Old news

But so true, fcuk Android developers for fcukng up Android.... It was good while it lasted.

0
0
Silver badge
Linux

Re: Android permissions design

> - Instead of allowing apps to send messages,

You cripple the device so it can't do much of anything.

That's the real problem with modern security issues. Everything is about trojans placed in software that's supposed to be legitimate but really isn't. A lot of this is driven by various forms of the cheapskate mentality that prevents both Free Software and Shareware from flourishing.

You might want to send messages.

Although ultimately end users should be able to revoke any permission after installation. We should never be in a position to be held hostage to developers that want the moon and the stars in terms of system permissions.

I should be able to do something like I do with noscript. ANY app is banned from sending text messages unless I say otherwise. Doesn't matter what it asked for during installation.

7
0
Bronze badge

Re: Android permissions design

That is why you shouldn't install them. Interesting to hear this critique of Google for not implementing some extension of their permission API. It might be fair, however, Google had done this, while MS had failed to generate any idea in this area for over 20 years.

0
0
Bronze badge

Re: Android permissions design

@JEDIDIAH: "I should be able to do something like I do with noscript. ANY app is banned from sending text messages unless I say otherwise. Doesn't matter what it asked for during installation"

The problem with that is, whilst it sounds great in theory, it just doesn't work in practice. It means app developers have to test every single possible combination of permissions and work out how to alter functionality appropriately depending upon what random subset of permissions they are granted. The really good developers might be able to do this, but it costs a lot in testing and development time and most people will never bother about it. Meanwhile the other developers will simply let their app crash in every case where the permissions are altered (or in the malware case just pester the user to re-enable the permission until they do so).

It's much better to encourage users not to install apps that have overly demanding permission requirements, because that encourages developers to reduce the requests to the minimum possible. There is, perhaps, scope for allowing a developer to specify a subset of "optional" permissions that are only necessary to support some extra functionality, but since the only devs that would use that are in the "good guys" category, it's debatable whether the added complexity for end users is really worth the effort.

2
0

Re: Android permissions design

"I think there are apps that will do this (restrict permissions for other apps) - although I've not actually encountered one that would cause me to need something like that. The "opt not to install it and find an alternative" method works well enough."

Lbe security master or pdroid let you select which permissions an app is allowed to access. They actually work a bit better than Cyanogen's block permission function or the permission denied app, which usually result in a crash when an app tries to access a blocked permission (as the dev never bothered error checking for this, just assuming all permissions asked for would be available). Lbe and Pdroid can feed apps junk data as well as block outright. For example, they can feed apps randomly generated contact numbers or GPS coordinates every time they run, making any data they harvest absolutely useless. I use Lbe to restrict most permissions and Avast's firewall to stop internet access. Combined with adaway to block all ad networks via the hosts file I think I'm quite safe from anything snooping or sending sneaky texts.

I don't think I have ever seen an advert on my handset using the above combo. Tidy...

2
0

Re: Android permissions design

This post on mse forum says different...

http://forums.moneysavingexpert.com/showthread.php?t=4563409

0
0

Re: Android permissions design

"This post on mse forum says different...

http://forums.moneysavingexpert.com/showthread.php?t=4563409"

I notice Apple still haven't taken it down, despite the complaints and the fact all the top reviews state it's laced with malware.

Just goes to show that no OS is really immune to user installed malware.

Putting ads that dial premium rate numbers in a kids app is a stroke of genius on the app writer's part though, I imagine he/she has made a lot of dosh from idiot parents not checking things before giving their brat the phone since it was added.

0
0
Silver badge
FAIL

Re: Old news

Because not only does Android warn you that applications want to send SMS on install (protection 1), all applications are sandboxed from each other (protection 2), Android also disallows untrusted non-Google Play installs by default - so no other nasties can be silently slipped in (protection 3), each app has its own user account (protection 4), and finally, you can't send SMS to an unknown number without getting a warning (protection 5).

http://img21.imageshack.us/img21/7624/screenshot2013042312200.png

So unless you intentionally disable all the above, this story is total and utter nonsense.

0
0
Silver badge
Trollface

A Linux based OS with malware?

Where's Eadon when you need him?

7
11

Re: A Linux based OS with malware?

gaah, I don't want to hear a whooosh but as I read it the malware wasn't in the app itself. It simply provides an advertising window within the app. Now this advertising window will then point at a nasty piece of code that the user will have to click on and install (assuming that they have third party package install allowed).

Not really anything to do with Linux.... ;)

12
2
Bronze badge

Re: A Linux based OS with malware?

As Eadon has pointed out on numerous occasions, viruses != malware.

Any system can be infected with malware, for reasons located between the chair and the keyboard.

Whether or not Linux is as impenetrable as some would claim... well, I have yet to be convinced. The only totally secure system is one that has no external access at all - anything else can be broken into with enough time and effort.

7
1
Anonymous Coward

Re: A Linux based OS with malware?

But Linux doesn't need any malware protection, Eadon keeps saying it's indestructible and only WINDOZE needs A/V

FAIL!

6
9
Silver badge

Re: Not really anything to do with Linux....?

Hmm, and by extending that argument a lot of windows malware is nothing to do with windows. Hey, it's not my fault you run as admin all the time....

It sounds like what you really meant was "la la la, can't hear you!!!"

7
1
FAIL

Re: Not really anything to do with Linux....?

well a lot of it isn't. If a box pops up and asks if you want to install dodgy-package.msi and you click yes then it has nothing to do with Windows and more to do with the user.

Historically windows had so many infection vectors that could be exploited without any user interaction however that is, I believe, largely a thing of the past.

I have not said nor inferred otherwise so perhaps you could actually think about what you're saying before you hit the submit button in future?

2
0
FAIL

Re: Not really anything to do with Linux....?

@NinjasFTW: implied, not inferred.

0
0
Happy

Any system can be infected with malware, for reasons located between the chair and the keyboard.

So as long as I stand up I should be OK

0
0

Come on El Reg

Don't install software that looks dodgy? What kind of useless advisory is that? Install some security software. Well, yes, Quite. However, most malware is walking straight past.

Android is a whole heap of fun, but it's not a place to do business or put personal stuff aboard - but hey, everyone is doing it right!

Android aside, the security landscape is pretty horrible and growing worse. I think most people and orgs are in the state of 'overwhelmed' and it's being taken advantage of all across the board. Not fun...

5
10
Thumb Down

Re: Come on El Reg

Android is a whole heap of fun, but it's not a place to do business or put personal stuff aboard - but hey, everyone is doing it right!

There is all kinds of wrong with that statement. If you don't install random packages from dodgy warez sites and keep any sensitive details encrypted then you will be as safe as you ever can be with anything online.

If you want to have it made a little easier for you then you can go the walled garden Apple approach. If you want some flexibility/customization/usefulness then you go for Android.

6
4
Anonymous Coward

Re: Come on El Reg

"Android is a whole heap of fun, but it's not a place to do business or put personal stuff aboard..."

Then what's it for? Just for carrying around, to show that you can't afford an iPhone?

8
10
Anonymous Coward

Re: Come on El Reg

"If you want some flexibility/customization/usefulness then you go for Android."

Overreach.

Replace "some" with "greater" then yes to the first two, but then you were hoping to sneak an extra point on the end there which demonstrates more than a soupçon of partisanship. You would be hard pressed to identify a single "useful" activity you can do on an Android phone you can't do on an iPhone that isn't some marginal edge case related to doing things exactly how you want to do them as a techie and that isn't of wholly marginal relevance to the average user.

Unless of course you are talking about anti-malware apps, which really do have something useful to do on an Android phone.

6
5
Flame

Re: Come on El Reg

"Then what's it for? Just for carrying around, to show that you can't afford an iPhone?"

But why would I WANT an iPhone? To only show that I simply MUST follow a trend, to show that in order to be 'accepted' I will be judged by a DEVICE that I use? To use a locked-up, walled-off, nanny-stated interface to the real world, where Big Brother Corporation has the nerve to tell me what I can and cannot do with my own device? To have to go to the effort of "jailbreaking" my own, personal device - when jailbreaking is even available, as every time Big Brother Corporation does a firmware update they strengthen their hold on your personal thoughts by intentionally nullifying the jailbreak options you have applied - just to get around BBC's thoughthold on me?

If I want to watch porn on my device that is MY choice, not theirs. If they have a problem with an adult making adult choices for themselves, sell and market the device only to children and have the parents sign a permission form that gives Apple ("BBC") the right to censor the device content for "the good of the child". IN THE MEANTIME, I simply refuse to revoke my own freedom of will to a company simply to own their petty little device so as to feel like I belong with the REST of the blind sheep who have all *already* forfeited a portion of their adult choice simply to own said petty little device.

The free market is a form of willful, voluntary voting. Apparently, a large number of people throughout the world have voted for the idea that "Yes, we are willing to give up certain self-evident adult decision processes for the advantage of paying you to own your product". And then, a lot of these same people bitch and moan when they even *think* that the government may be considering the exact same thing.

What does this tell you? Sheep stupidity for profit = "OK by me! Sign me up, the bauble is worth more than the absolute ability to exercise the choice of free will!" Remove bauble from benefit vs cost ratio = "No! Never! I will never give up my rights and free will!"

Loki from The Avengers (Avengers Assemble!) had it right - humans ARE sheep looking to be blindly led.

1
9
Silver badge

Re: Come on El Reg

Two clocks on the home and lock screen.

0
0
Stop

Re: Come on El Reg

Your limited viewpoint is only due to you believing that, personally, you have the power to decide the definition of "useful activity".

That is not your definition to decide. That definition is for each individual user to decide, and since Apple has a LARGE number of things that they will not allow to happen on an iPhone, for example

http://www.zdnet.com/blog/burnette/apples-new-iphone-restrictions-and-the-5-stages-of-grief/1904

your reply is a complete and utter FAIL.

0
2
Bronze badge

Re: Come on El Reg

"Your limited viewpoint is only due to you believing that, personally, you have the power to decide the definition of "useful activity"."

Er, yes I'm accustomed to speaking from my own viewpoint, as at one level or other everyone who has said anything ever in the history of the human race does the same. None of us are God.

And if I don't have the power to decide what constitutes "useful activity" from my own viewpoint, then I'm certain you don't. So I suggest rather than the sociopathic attempt to control my thoughts and language, you focus more on giving a clear reply on your own terms.

I note you didn't actually attempt to answer the question I raised. I suspect because you know the answer will sound as weak as your current reply and thereby illustrate even more clearly the point I raised.

0
0
Bronze badge
Mushroom

Unacceptable for this to happen clearly... but has anybody looked at the apps that are infected with this? The BBC named a few and it's just complete trash. Confused at how stupid some people could be.

8
0
Meh

You have to admire the cheek of them naming their

fake advertising network BadNews.

0
2
Anonymous Coward

They didn't

That's just the name that the anti-malware firm that spotted it has assigned to the family.

1
0
Coat

Re: They didn't

Ah right. As you were then.

1
0
Silver badge
Flame

Don't need to download dodgy apps

Wife's Wildfire S came preloaded with a Facebook app, which you can't remove, nor stop running (she hasn't got a Facebook account).

When you try and access settings, it lists all the permissions it has "Access my call data", "Access my contacts" etc etc (pretty much all from what I can see) with no option to deselect them.

5
0
Silver badge
Paris Hilton

Re: Don't need to download dodgy apps

The same applied to my now bricked (when I tried to put cyanogen on it) HTC Sensation.

I guess there is some form of 'Communication Breakdown' ?

Paris because when she cries 'the levee breaks'

(yes I am old enough to have seen LZ. The last time was at Ally Pally.)

0
0
Bronze badge
Alert

Re: Don't need to download dodgy apps

Ridiculous. My next device will be a Nexus, can't be arsed with all the preloaded crap they throw at you. My Samsung SIII updated the other day to find the Facebook app installed again after I had removed it! So angry.

1
0

Re: Don't need to download dodgy apps

Not sure which version of Android it was introduced in, but you can "disable" pre-installed apps. It's in the app manager where you'd normally un-install 3rd party apps.

1
0
Happy

Re: Don't need to download dodgy apps

I guess there is some form of 'Communication Breakdown' ?

Were you not Dazed and Confused also? ;)

2
0
Silver badge
Unhappy

@Andy

Not on that phone, you can't :(

Anyway - why "disable" ? She doesn't want the bloody thing at all - especially as it sits there taking up precious storage space on the phone (*not* the SD card).

0
0
Silver badge
Devil

Re: Don't need to download dodgy apps

Not available on all apps though. Oddly enough one app it's not available on is the backup service which uploads your app data as soon as you log into a Google account.

0
0
