back to article Android users installed 2 BILLION data-stealing, backdooring apps

Users have downloaded more than two billion data-stealing Android apps, while large swathes of enterprises are reportedly housing malicious iOS apps, according to security firm Proofpoint. The firm found some 12,000 malicious apps across 'authorised' Android app stores, with code to steal data, create backdoors, and wreak …

  1. Anonymous Coward
    Anonymous Coward

    I think I need to get off the train.

    I'm spending increasing amounts of my time scouring websites, manufacturers pages, digital publications and more to keep up to date on the warnings concerning problems with the software and firmware in my PC, my phone, my car, my router, my NAS, my TV and every other bit of kit that seems to have some vulnerability exploited every other day.

    It's turning into another fulltime job.

    1. Mikel

      Re: I think I need to get off the train.

      For your mobile, just stick with Google Play or Apple and you'll be fine. It's your PC that is the malware horror. But the PC antimalware industry wants a piece of this HUGE mobile pie so they will trot out the bogie man. Yes, people in third world countries sideload pirate app stores and apps from random sites or even unsolicited emails and get what you would expect. That has nothing to do with you. You might as well not be using the same OS as them.

  2. allthecoolshortnamesweretaken

    Disconnect, downgrade, simplify... at least some of it.

    1. Voland's right hand Silver badge

      Ads... bless... em...

      Unfortunately some of the malware (sorry, advertisement) distribution networks are so pervasive that the only way is to disconnect. That in turn means half of the programs on the phone to stop working as they are deliberately designed to ensure that the connection to the ad-servers is always on.

      1. Mark 85

        Re: Ads... bless... em...

        I would guess then that the Facebook app is the big malware?

    2. P. Lee

      >Disconnect, downgrade, simplify... at least some of it.

      Indeed. Mobile nearly all goes in the "if I'm doing it properly, it isn't worth the effort" basket.

  3. Pascal Monett Silver badge

    Hang on

    "users who download apps from rogue marketplaces - and bypass multiple security warnings in the process "

    So, you have to go to a rogue marketplace, meaning you have to root your phone because otherwise you can't download from there, then you have to decide to ignore all the security warnings (pretty much a given at that point, I guess), and then you're surprised you got pwned ?

    That's like deliberately walking at night in the shadiest part of the city and being all surprised when you get mugged.

    Sheesh, I'm starting to think that mobile phones lower your IQ by a fair number of points.

    1. Voland's right hand Silver badge

      Re: Hang on

      meaning you have to root your phone

      On android you do not - you just have to turn off app signature verification in settings.

      In any case, color me surprised, data theft occurring on a platform whose primary monetization method is data theft.

    2. goldcd

      Not on Android

      Just try and run an APK you downloaded, you'll get a popup telling you basically "this isn't from google play, do you want to enable third-party installs", say yes, and you're away.

      It's a benefit (I can compile my own stuff and run it) or I can install Amazon's, rather than Google's app market place - but seemingly some people consider this an ideal way to install hacked apps from random Chinese servers. Reap what you sow.

      1. Pascal Monett Silver badge

        @goldcd

        Oh, okay, thanks for the heads-up. I thought the phone had to be rooted.

        So it's more like taking a taxi to the worst part of the city, having the taxi driver say "you sure ?", confirming and then complaining about getting mugged.

        How reassuring.

    3. Grikath

      Re: Hang on

      "Sheesh, I'm starting to think that mobile phones lower your IQ by a fair number of points."

      No need.. The same people that were great at bollocking up their PCs through <clicky>-ohdear!, now own and operate the mobile stuff...

      It's a shift in population to handheld stuff, not a shift in general st00pidity.

    4. Mikel

      Re: Hang on

      I hear Microsoft has an Android keyboard now. I would nominate that one for Trojan malware data stealing backdooring app of the year

  4. Anonymous Coward
    Anonymous Coward

    Android 6 has made a big difference for me. I never installed apps that required permissions for things it shouldn't have, apart from those from the big boys that I found useful. Now I can refuse access.

    It's not going to last long though: one of the google background processes demands access to one of the sensors in the phone (I forget which one) and pops up a message every time you use it if you deny that access. Loads of apps will stop working in future if you do similar things.

    I'm glad I bought my MotoX though - Android 6 was offered to me 2 weeks after I bought it. My last phone, a gen 1 Moto G, was upgraded from 4.x to 5.0 then 5.1. I'll never buy anything from Samsung again - not a single upgrade, not even to patch security holes. Crapware-riddled overpriced shite.

    1. Sheddyone

      Agree about Samsung

      Totally agree about Samsung. I bought my first and probably last Sammy, an S5, last year as a distress purchase, after my much loved HTC One M7 died in action.

      While the screen is amazing and the battery life is good, everything else is rubbish; no FM radio, world's crappiest UI, world's cheapest looking phone (a £500 phone disguised as a £99 one), and so full of manufacturer crap that the 16GB RAM is full, so I have to keep uninstalling apps to add a new one. And now the long wait for Marshmallow.

      I'll be hunting for a new phone this time next year and could do with some suggestions. Must have 5” + 1080 or QHD screen (ideally AMOLED), good camera, NFC, FM radio, light touch UI or vanilla Android, 32GB RAM, good battery life, USB-C. Ideally, I would also like waterproofing and SD card. Not fussed either way about removable battery or wireless charging.

      The Xperia Z5 ticks many of these boxes currently. Hopefully I will have a few more options next spring. Sadly HTC seem to have lost the plot.

      1. Dave 126 Silver badge

        Re: Agree about Samsung

        It sounds like a Sony Xperia will tick moist of your boxes. They are pretty good at updates as well - not the quickest, but I've had one Xperia that's updated across three Android versions. (Not that I jump on the update as soon as it drops - I prefer to hold back a month or two and see on forums how other users fair with it first)

        1. Martin
          Headmaster

          Re: Agree about Samsung

          how other users FARE with it

          fair - noun: place with roundabouts

          fair - adjective: even, just; also colour of hair

          fare - verb: get on with, manage

          fare - noun: food etc; also amount paid for travel.

      2. truetalk

        Re: Agree about Samsung

        I once had the first Samsung phone, a GT-I7500 and vowed never to use a another Samsung phone due to how buggy it was and Samsung refusal to upgrade the firmware. Every phone since I've had an HTC currently on M8 running Android 6, HTC do upgrade Android and as long as they keep doing the firmware updates, my next phone will very likely be another HTC.

  5. Charlie Clark Silver badge
    Thumb Down

    Sloppy

    Headline says installed, text says downloaded. World of difference. Unfortunately this is typical for Mr Pauli's writing.

    Also, 2 bn sounds like a lot but apply some analysis to the numbers: how many Android phones are there?

    The Kapersky numbers sound more credible 90k breaches from many hundreds of millions of phones. How does that compare with Windows?

    1. I ain't Spartacus Gold badge

      Re: Sloppy

      That's not breaches against numbers of phones, but breaches against numbers of phones running security software capable of detecting them - and/or where somone's downloaded a ransomware removal tool. Which is a much smaller subset.

      I'm still surprised by how few though. Given Google's awful update policy, I've been expecting a big outbreak for a while now. But I guess phones aren't networked in the same way as office PCs - so wide transmission is more difficult - and everyone learned something from the outbreaks of things like Melissa and I Love You back at the beginning of the last decade.

      1. Charlie Clark Silver badge

        Re: Sloppy

        That's because most of the possible exploits require almost lab conditions to work.

        MMS exploits are expensive to run. The rest require tricking people into side-loading apps.

        I suspect standard phishing attacks offer a better return on investment.

        Still, anything that forces the manufacturers to up their game when it comes to providing security updates is more than welcome.

  6. Dave 126 Silver badge

    Pies, damned pies, and...

    >The statistics are surprising since iOS is generally more secure than Android on account of its restricted application installation controls.

    What statistics? All the previous paragraph meant was that "about 40 percent of large enterprises [which being large presumably a fair few iPhones] sampled by Proofpoint" had at least one iPhone running at least one malicious app.

    There is no way of extrapolating from that statement what percentage of iPhones have malicious apps installed, beyond "more than zero", so I can't be surprised or otherwise.

    1. Anonymous Coward
      Anonymous Coward

      Re: Pies, damned pies, and...

      They don't say what they consider to be 'malicious' apps. An app that tricks you into providing your bank details or iCloud login is a lot worse than an app that tricks you into giving up your phone number.

  7. Anonymous Coward
    Anonymous Coward

    tinder

    Does this mean I have to uninstall Tinder now?

  8. Anonymous Coward
    Mushroom

    Proofpoint TAP Mobile Defense

    has a very impressive Web Footprint:

    Proofpoint TAP Mobile Defense

    Why do I get the sense that there's some undisclosed monetization incentive behind this new and very panicky white paper/study/report? Fear sells.

    Yes, people will unwittingly install malware on their devices and yes Proofpoint is trying to make a buck or two by selling an "Enterprise-Grade", overpriced, Android anti-virus whose GooglePlay equivalent can be purchased for $3.99.

    That number of 2 BEELION!!! malware apps installed on "Enterprise" mobile devices, that number makes me think Enterprise-Grade Pinocchio.

    1. Anonymous Coward
      IT Angle

      Re: Proofpoint TAP Mobile Defense

      "Discover .. what Office 365 does and doesn’t do for security, litigation and compliance" ref

  9. Anonymous Coward
    Linux

    Malicious apps on authorised Android app stores?

    "Our analysis of authorized Android app stores discovered more than 12,000 malicious mobile apps"

    What were the names of these 'authorized' Android app stores and who authorized them?

  10. Anonymous Coward
    Anonymous Coward

    94,344 users?

    Kaspersky Labs reports "94,344 were users hit with mobile ransomware".

    That's a very precise number. My brother, the conspiracy theorist, thinks most malware is the creation of antivirus software vendors as it is.

    The wording of the article seems to suggest Kaspersky somehow know exactly how many users were hit.

    Coincidence perhaps?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like