Feeds

back to article Report: Android malware up 614% as smartphone scams go industrial

While the mobile industry is still deciding if there's a market for two, three, or four smartphone operating systems, mobile malware writers have picked their target and are flocking to Android, according to the latest annual security report data from Juniper Networks. The company's Mobile Threat Center has analyzed nearly two …

COMMENTS

This topic is closed for new posts.

Page:

High larious

Have fun with that.

3
15
Anonymous Coward

Re: High larious

It is not often I can sit and feel so smug and self satisfied with the choice I made when I bought my iPhone.

Cheers!

2
15
Anonymous Coward

Re: High larious

It's like buying a car without seatbelts, you will be fine if you don't crash into anyone. What it cannot prevent is being crashed into by someone else.

Any other product would be recalled or fixed.

I wonder whether android was developed to boost income for the likes of Kaspersky, Trend Micro etc...

Just a thought.

0
15
Anonymous Coward

Re: High larious

It is not often I can sit and feel so smug and self satisfied with the choice I made when I bought my Windows Phone.

Cheers!

3
9
Anonymous Coward

Re: High larious

"Part of this 614 per cent rise comes from the cratering state of Symbian, BlackBerry, and Windows Phone sales"

Actually, Windows Phone is growing market share way faster than any other mobile OS. Up to nearly 9% in the UK now...

1
3
Anonymous Coward

Re: High larious

"Actually, Windows Phone is growing market share way faster than any other mobile OS. Up to nearly 9% in the UK now"

Apart from that stat not being reliable I point you to this bit of wisdom ->

http://xkcd.com/1102/

2
0
Anonymous Coward

Re: High larious

Obviously a bit of a lack of reading comprehension going on here - along with a bit of scaremongering.

So to put into layman's terms the problem:

* If you choose to turn off the default security option to allow you to sideload apps

* and you choose to not load all your apps through the Google Play store

* and you choose to seek out apps that are pirated from an unknown site

* and you download an app from that site and go to install it

* and you don't have a free AV solution that detects it

* and it also passes Google's built in scan on later versions of android

* and you then read through the permission under the heading which is emphasised telling you that this app can cost you money and can send texts and make phone calls (bit unusual for a wallpaper, no?)

* and you then continue the install

* and you keep the app on your phone after you realise it is not the one you were expecting or is rubbish

then you are at risk from the malware mentioned in this report.

As you will see the problem is not quite as bad as it sounds.

If you think Google should not let you sideload apps and force you to use only the Play Store, then don't untick the box disallowing the loading of apps from non-Google Play store sources. If you really, just can't stop yourself unticking that box and you require the intervention of Google to make sure you don't untick it, then you have greater issues than malware.

And, you know, the people who go searching for pirated and cracked apps are also more liekly to be the ones who would jailbreak their iPhone so that they can load on pirated apps and encounter the same issues.

15
2
FAIL

Insert Android malware FUD ..

You're getting tedious ... why isn't this known as mobile malware as you do seem to choke on the word when it's that other platform?

"the traditional players in the PC malware industry were simply applying their methods to the mobile market"

Yep, it's PC malware when it's on the Windows platform ..

"Android's fragmentation was a point Tim Cook was keen to make earlier this month at WWDC"

For f**ksake, wouldn't fragmentation make it harder for the malware writers, same as fragmentation is negatively affecting the handset manufacturers?

--

'The [Tascudap] Trojan may arrive as a package with the following characteristics:

Package name: com.google.themes.provider`

6
8
Anonymous Coward

Re: Insert Android malware FUD ..

I really shouldn't feed this but ...

"Yep, it's PC malware when it's on the Windows platform .."

That is because, rightly or wrongly, PC is shorthand for 'Consumer oriented Intel based machine running Windows'. No one calls a 'Mac' a 'PC' and no one (with any dignity) calls their Linux box a 'PC' either.

On fragmentation - fragmentation makes it easier to deploy malware because not everyone is running the latest and greatest version of the OS and people on older, less-capable versions are those most likely to end up at a dodgy app store offering cheap/free apps.

2
6
Silver badge
Pirate

Re: Linux

Um, OK, I'll bite. What, then, do you call a PC^H^HIntel computer running Linux? Personally, I've never thought about it, and just call them PCs.

GJC

3
0
Anonymous Coward

Re: Linux

At my place we have:

Linux box

Linux VM

Windows box, sometimes "The workstation"

Windows VM

Mac laptop

I can't think of the last time that I called anything a PC

0
0
Silver badge
Trollface

oops

Guess that choice of using java even with a different not quite as crappy virtual machine implementation in retrospect wasn't the way to go.

2
15
Anonymous Coward

Re: oops

Does this mean that Android phones should come with a printed warning in the packaging like a pack of cigarettes?

'Warning use of this produce may lead to frustration, anger and monetary loss'.

0
8
Anonymous Coward

Re: oops

Guess that choice of using Linux in retrospect wasn't the way to go. It's like Swiss Cheese...

0
5
Silver badge

Re: oops

The Linux kernel itself has had a hell of lot less critical CVE lately for it than the POS Sunoracle joke JVM crap implementation. As for Dalvik I think its considerably less. Still I should have figured I was going to get down voted hard by all the butt hurt java developers who still think one of Java SE strengths is its security. Unbreakable my ass.

0
0
Bronze badge

i.e. consumers are morons

My Android phone arrived with malware pre-installed. So did the Win8 machines I hooked up the other day. And that's just what the manufacturers and carriers install. ALL the app stores are full of sketchy stuff. Almost as bad as warez sites. If you don't know what you're doing you're screwed no matter what.

5
0
Silver badge
Boffin

Get some security!

If you are running Android and you aren't using Lookout or Avast or something similar, you are nuts.

1
13
Anonymous Coward

Re: Get some security!

Exactly what part of your message justify the use of the "May contain highly technical content requiring degree-level education or above" icon?

8
0

If your phone is open anyone can get in

I own a Nexus 4 because many aspects of Android make me more productive, but the app situation is a nightmare. I would not recommend Android to anybody without a decent understanding of how computers and viruses work, ever. Assuming it was in a padded case with a screen protector and someone was popping in every now again, I'd be very comfortable giving an iPad to a four year-old.

This is why I scream whenever people suggest that iOS gets the ability to switch default browser or mail client or keybord or whatever-it's a nice idea but Apple have all but said they can't find a way to make it work with acceptable security given their status as a mass-market company selling products to people who are a menace to themselves.

1
6
FAIL

Re: Get some security!

Don't be a dick.

Quite clearly if you use the Google Play store, you are safe. If you go shopping on Russian and Chinese "side-load" stores, then THAT'S when you are opening yourself to malware.

Guess what. If you jailbreak your iPhone and go shopping in similar iPhone warez sites, you get the same problems......

20
3
Silver badge
Facepalm

Re: Get some security!

How is it "being a dick" to recommend people use free security software on their Android devices? Are you opposed to scanning new apps for malware? Are you opposed to being able to locate your device or wipe it remotely if you lose it or have it stolen?

It's free, at least if you use Avast or Lookout, and I haven't seen a performance hit with either of them. Seems like I'm not the one being the dick here.

3
3
Bronze badge

@Mending

I would not recommend Android to anybody without a decent understanding of how computers and viruses work, ever.

Come on, one doesn't need a very high IQ nor a PhD to make sure

1) not to install outside of official Google Play

and, more importantly, use Android's own wall of defense by checking every time before installation that

2) app cannot place phone calls, nor send text messages, nor may cost you money.

9
0
Anonymous Coward

Re: Get some security!

How do you know the free AV or security software doesn't have a backdoor in it?

3
2
Anonymous Coward

@Mending

'I would not recommend Android to anybody without a decent understanding of how computers and viruses work, ever.'

You've hit the nail on the head,

1. Android users really don't have a decent understanding of how computers and viruses work, hence the infections.

2. Apple users don't need to, because it just works.

3. Win phone users live in hope.

4. Blackberry users are easily conned.

0
7
Anonymous Coward

Re: @Mending

And the other lines of defense. My Nexus4 offers to scan apps as soon as I try and sideload an app for the first time...

Seems this is the usual Android FUD financed by a company trying to sell snakeoil solutions. I vote with my wallet, and any security vendor playing FUD games is as bad as virus writers themselves.

Kaspersky Labs, looking at you. I won't be renewing, and I won't be recommending anymore either, due to your dodgy games.

3
0

This post has been deleted by its author

Anonymous Coward

Re: If your phone is open anyone can get in

"... I'd be very comfortable giving an iPad to a four year-old."

To use real-world examples. I have never heard of anyone I know getting malware on an Android device.

I do personally know of two people whose children managed to run up very large in-app purchase bills on an iPad, in one playing session.

An app that sends a premium-rate text is a scam. An app that allows you to run up a bill of hundreds buying virtual gems or other such stuff, even in games targeted directly at kids is also, imho, a scam.

5
0
Silver badge

Re: If your phone is open anyone can get in re: Apple

My mum's iPad was doing some very strange things (redirecting away from certain websites, refusing to update various things, chewing bandwidth etc). Eventually, I took her to the local Apple store where the assistant had a play with it for a while, and said "Well, I don't know what's wrong with it. Some programs seem to be corrupted, and others have had settings changed. I don't know what to do other than a factory reset." I pointed out that, if we were talking about Android or Windows, he'd be describing the likely results of a malware infection of some type, and (tongue strictly in cheek), wasn't there something like an antivirus or AdAware for Apple. I was rewarded with a look similar to what I would have received if I'd suggested that his father has carnal relations with camels whilst wearing unstylish clothes bearing the logo "I love Ballmer". "iOS does not have malware of any type!", he snapped, then proceeded to do a factory reset without asking whether there was anything that mum wanted to backup, losing quite a lot of photos she had saved, the spiteful twat.

TL:DR: I'm far from convinced by this notion that there isn't something that infects at least some of Apple's machinery, but no-one wants to admit it.

4
0
Silver badge

Re: Get some security!

"How do you know the free AV or security software doesn't have a backdoor in it?"

How do you know that Angry Birds or the latest Fart app doesn't have a backdoor in it? At least we know that security apps generally receive SOME level of community scrutiny.

1
0

The Gingerbread 2.3 Android build is still the most used mobile OS and it lacks crucial protections.

Maybe because of crap supplier updates? It seems that most Huawei G300 users who've tried to install the Vodafone "upgrade" to ICS have found that it's totally buggered up their devices, so they've reverted (when they could).

I don't know the Android ecosystem well enough to know if this is typical, but it's certainly why my device is still on Gingerbread. And even though it's a cheap device, I'm not confident enough to risk any of the (probably very good) third-party ROMs.

4
0

I blame Google

Google Play is a joke. I realise checking apps is difficult but Google chose to set themselves up in business on this. Their Europe headquarters is in Dublin-if they offered jobs sifting through all the scamware at £6 an hour they'd have a queue of takers a hundred yards long. Not good enough. I own an Android phone and an iPad, but I barely have any apps on my phone besides repackaging of a couple of web services I trust.

The other problem is the level of scamware that needs to see my location, calendar, contacts list and the like. I appreciate that Google tells people about this when they select apps to install but that seems more like a copout-the options settings on my Nexus 4 for restricting what apps can look at are barely existent. It's like Google aren't just running a spyware company, they're enabling scamware all round.

3
11
Bronze badge
Holmes

Re: I blame Google

I used to think the google was kind of innocent (or naive) and didn't deserve so much blame. However, these days I'm convinced they've gone EVIL (including the lobbying).

Having said that, the most obvious improvement to the store would be a 'financial model' tab. Google doesn't have to certify the information there, but they should give legitimate developers the option to prove their honesty. Fakers and scammers would still be there, but just the lack of proof would be powerful. Essentially the more the developer is willing to say about his financial model, and the more proof, then the more likely that is a safe app.

Let me try to to make it clear with an example. The developer's comment on the 'financial model' tab might say "This app is funded by advertising." Below that, there would be a section for google's comment, which might be "We have in fact paid significant advertising revenue to this developer" or "We have not paid any money to this developer over the last year." If you are comparing two apps, and one says "I earned $15,000 from this app" and the google confirms it, while another app has no such information, then you should regard the first app as much safer.

0
6
Silver badge

Re: I blame Google

The author made the point that Google Play is ok. Its installing software from elsewhere that is a problem. Its the same problem on all phones, but Google are more inclined to allow you to do as you like.

For me, Google has two advantages - sync'ed email & contacts for desktop, mobile and web; and "download & save" for media. I can point it at port 80 on my home desktop/server and pull down a new ebook or mp3 without going to the study, connecting a USB cable, waiting for itunes to start (and sync), closing down iphoto. Searching for the downloaded file (assuming its been added to itunes) adding it to the sync list, click sync, wait for it to rummage through its database of stuff to do... Its just too hard and too slow.

I could also run up IMAP against a sync directory and sync to email, but that's just getting silly ;)

Maybe its just the old iphone I'm using, but my old work-provided galaxy S was far superior.

7
0

This post has been deleted by its author

Anonymous Coward

So who paid Juniper for this "research"?

Microsoft or Apple...

As quite clearly it's utter tripe. Hidden in the body is a subtle admission that this doesn't really affect 99.99999% of consumers who use the Google Play store....

13
3
Bronze badge

Re: So who paid Juniper for this "research"?

Really...

Ok, let's look at it this way - why would there be as much effort as there is putting up other (less than reputable) stores and so much malware. People want apps as cheap as possible and will Google around (oh the irony) to find them. Being the most prevalent platform, with high levels of fragmentation and a broadly open architecture does make you a target - it's not just old vulnerabilities that made Windows a target you know.

It's good old supply and demand - not a tricky concept, dear boy....

0
9
Black Helicopters

Re: So who paid Juniper for this "research"?

Nobody needed to pay them - like most companies that have made similar announcements they conveniently just happen to have their own Android anti-malware solution for you to download. In this case it's called Junos Pulse and isn't going to gain momentum with its very poor reviews on Google Play unless they push it down our throats.

4
0
Bronze badge
Facepalm

The article says:

"Apple does a really good job with checking apps," Michael Callahan, vice president of global security at Juniper told The Register. "Google does a good job with the Play store as well, but there are hundreds of third-party Android apps stores. They're enticing because you think 'I can get this app for free' and they don’t realize it's malware."

Why the hell do people think Google should be doing more to help combat malware for apps installed OUTSIDE of Google Play? You already have to specifically enable the option which is disabled by default, and there is on later versions of Android basic malware checking. Google should only be concerned with apps from the app store that they operate.

18
1

@Andrew Jones 2: "Why the hell do people think Google should be doing more to help combat malware for apps installed OUTSIDE of Google Play?"

For exactly the same reason people have spent decades chastising Microsoft for malware that appears on Windows, regardless of where it came from.

1
8

@El Andy

Those are two discrete problems with the same name. Windows malware tends to be installed without the user's knowledge and is then allowed access to look at all the user's data.

Android malware on the other hand warn the user that it'll look at your contacts, send SMS messages, make phone calls etc. The sand boxing means that one app isn't allowed to access another app's data (unless the data is stored on the SD), and certainly isn't allowed to modify other executables.

Have you seen the removal instructions for Android malware? "Go to Settings, Apps. Select app. Click remove". If there is a *real* security issue where an app that runs with elevated privileges, then I'll be pretty bloody annoyed.

Somebody used a seat belt analogy, mine has a light and an alarm if there's weight on the seat and the belt is plugged in - it's bloody annoying when I've shopping on the seat. However, it's up to me to make an educated guess on whether to heed that warning or not.

My major problem with android? Textareas are still buggy after so many years and sometimes online images aren't down in the stock email client.

6
0
Mushroom

Seems Google is now experiencing a little bit of a Microsoft moment.

Having said that though you really have to admire how thorough the malware writers are on Android. You can find malware packaged into just about every single type of application.

Friend of mine had his phone compromised after installing an SSH client if I recall correctly.

It's not just your usual free games and whatever other equivalent there is to free mouse pointers and screen savers on Windows. Plus some of the malware actually make use of zero day exploits in order to circumvent security prompts and the like.

This is really the price to pay though once your operating system becomes popular. Apple gets away with it for most part thanks to their ludicrous app screening process.

3
6

So a bunch of sites for pirated applications had a large amount of malware-infested apks uploaded to them. Are people actually downloading them? They get what they deserve, especially since Android tells you that an application has permissions to send SMS under a large heading that says "services that cost you money."

The article states "Apple users will typically only go to the official store for apps." I'd imagine this is true for Android users as well. Do the same researchers go to pirate websites to determine the state of Windows malware?

12
1

@doctor dodongo: " Do the same researchers go to pirate websites to determine the state of Windows malware?"

Given that such websites are one of, if not the, primary vectors for delivering Windows malware, I would assume they do.

As to the permissions thing, yes people download them and don't bother reading or ever attempting to understand what permissions they're granting apps. This has been known for decades and should be no surprise to anyone. It's why allowing apps to basically do whatever the heck they like as long as they can persuade a user to click-through some boring permissions screen is a fundamentally poor design for a Smartphone OS, given the abundance of obvious revenue streams for malware (premium rate phone calls/SMS, contact harvesting, built in payment mechanisms etc.)

0
2
Bronze badge

@EL Andy

It's why allowing apps to basically do whatever the heck they like as long as they can persuade a user to click-through some boring permissions screen is a fundamentally poor design for a Smartphone OS

Wow, how then you'd characterize the design of Windows OS, where

1) an app is not put in any sandbox, i.e., in the isolated environment, unless the developer wants it

2) noway to see what an app can do before installing the binary

3) no secure repos, like in the Linux and *BSD world.

Let's forget the multiuser implementation of XP, where you had to be an admin to run many userland apps.

5
0
Thumb Down

>> They get what they deserve, especially since Android tells you that an application has

>> permissions to send SMS under a large heading that says "services that cost you money."

The problem is 3-fold, and categorising those affected as being somehow "deserving" is both condescending and hideously unfair.

1 - Pretty much *every* application demands a raft of permissions. As a user, you have no way of knowing *why* they are demanding those permissions, or what, exactly, the application will do with them.

2 - The user (self included) wants to run the application (it's why he / she has downloaded it in the first place, doesn't necessarily understand what the permissions mean, and is already used to simply clicking through without thought (see 1 above). So they simply click through without thought.

3 - Android doesn't give any option of "install this app, but disallow this subset of the permissions it's asking for". It's either "install the app, and give it what it wants", or "don't install the app". And the user, as previously noted, /wants/ to install the app.

I would imagine that the percentage of apps which fail to be installed at the point they've hit the "wants these permissions" screen of the installer is vanishingly small. Android's "wants these permissions" thing is far to little, and potentially worse than the "do nothing" option.

4
1
Silver badge

Users probably don't check the permissions because they're so broad as to be almost useless, and now that everything has to be "social" [b]most[/b] apps want permission to access the internet, contacts, send SMS, send email, etc just so that you can "share" everything should you really want to. The best changes Google could make would be to make the permissions more granular, and even better give the user some kind of "ask me each time" option rather than just have to agree to everything.

3
1
Anonymous Coward

Even Facebook's app wants to be able to dial the phone "stuff that costs you money". Why?

1
0

Even Facebook's app wants to be able to dial the phone "stuff that costs you money". Why?

Probably to allow the app to start a call with someone direct from your facebook "friends list" - I don't use facebook but from what I read about it trying to import as many address books as it can see then it probably stores phone numbers and as they want you to stay in their app they are probably going to have a method to find someone in the contacts list in the app and call them rather than leaving the app an going to the android contacts or having to write the number down and dial it manually.

1
0
Anonymous Coward

Facebook Home

It's so they can install Facebook Home without asking for additional permissions on that app. Home lets Facebook do all sorts of things to the Android lock screen, but it's built off the Facebook application - you need both (obviously).

FB had a choice between:

1. asking users to install a brand new application with all sorts of 'cost you money' options built-in.

2. asking users to install a new app with no permissions required at all, but update the existing app which everyone already had with all the new 'options'.

Guess which option they chose? I stopped updating FB when that happened, and I get reminded to update every so often, but my phone doesn't even support Home so why on earth would I want to enable text messaging?!

Makes me a little cross...

0
0
Unhappy

Permissions

I am appalled by the permisions 'normal' android apps ask for.

And the really intrusive adds.

I'll stick with it for a while, changing does take some getting used to, but I'll see when the next iPhone comes out if I'll jump back, really strugling to like Android so far. (Nexus 4).

2
1

Page:

This topic is closed for new posts.