The infection point is thought to be third-world app stores.
FIFY
Security researchers are warning about the continuing spread of Hummer, a powerful trojan that roots handsets, downloads pornographic applications, and displays pop-up ads at random intervals. Hummer first came up on the logs of Cheetah Mobile's security team in August 2014, but spent eight months in obscurity before starting …
"The infection point is thought to be third-party app stores. While Google has largely cleaned malware out of its official Play store, secondary markets are less careful about checking code and Hummer can be disguised as a legitimate-looking app." - The problem with any third party app store, not just Android, is how aggressive the owners/admins are about removing malware and crapware and generally policing the site. This can occur with any OS when one uses unofficial sources for applications.
>The problem with any third party app store, not just Android, is how aggressive the owners/admins are about removing malware and crapware
Unless you take F-Droid's tack and require all apps to be open source. That way the users can look too and flag anything untoward. Though admittedly requiring open source will generally stop baddies from even trying, and probably the biggest deterrent is it being a repo used by far less than 1% of users, who tend to be some of the most security conscious and technical, so very high hanging fruit.
Do you know the Underhanded C contest?
You don't have to write a malicious app to be obviously malicious. You can just disguise an attack vector as a bug and if discovered: "Ooops!! Who could've known this would lead to remote code execution! Totally fixed" And then introduce a similar vector a few patches later.
>Just making something Open Source isn't the end-all and be-all of security.
Yes I know Android itself is proof of that (though I can't remember if those nasty MMS exploits were in strictly AOSP or not). My point was simply that F-Droid is very high hanging fruit in general, and at least techies that can get away with using only F-Droid instead of the Play Store (and even better get away without a Google account at all, spyware that makes you log in) will be better off security wise. I understand no Farceb0rk or whatever app in F-Droid means excluding 95% of the population, but I'm more speaking to the audience on this site.
Malware is getting better, and starting to become more profitable. All you need is something like this that lies dormant for a few months before 'waking up', that manages to get included in some Android apps in the Play Store - probably via a library multiple apps will include like something for advertising.
Hit the wakeup day and suddenly 50 million phones are infected with something that is effectively impossible to remove, where you have to live with it unless you want to buy a new phone.
Not saying this is impossible to happen to iOS, of course, as that would be the more lucrative target, but the restrictions Apple places on what apps can do would make this trick harder to achieve - and Apple could deliver an iOS update to kill something like this off within a few days.
>Why buy a new phone, when firmware flashing is enough?
Indeed, why is there no during-boot button combination which drops you into a really simple ROM which gives you the option of deleting the disk volume and starting from scratch, or downloading from either a fixed or user-specified URL?
Ah yes, they would be the urge manufacturers have to get you to buy a new phone rather than upgrade your existing one. That's the root of the problem with not being able to do clean installs. It's a vendor problem. It would be so easy to do a fresh install, sign into your store and pick which apps you'd like to re-install and which ones you think might be dodgy.
They do. Every Android handset ever released has been able to, in fact. With the phone powered off, hold the power on button and the volume button - voila, a bootloader which allows you to factory reset, wipe the phone back to factory settings, etc. :-)
>Indeed, why is there no during-boot button combination which drops you into a really simple ROM which gives you the option of deleting the disk volume and starting from scratch, or downloading from either a fixed or user-specified URL?
You realize you just described clockworkmod - the cornerstone of the Cyanogen ecosystem.
Why buy a new phone, when firmware flashing is enough?
For Reg readers, sure, a firmware flash is an option. Not so for the typical smartphone customer, if you think it is you vastly overestimate their technical competence. These are people who bought new PCs by the tens of millions each year because malware infected their old one and made it "slow", even though reinstalling Windows would have licked that problem.
As for the factory reset, the article says the factory reset may not be enough. If you hide code needed to reestablish the infection in the firmware, re-flashing is your only way out. And that's simply not something the typical Android user is going to be able to do.
I should add the key to its long term survival would be making it so it doesn't really hurt the phone owner that bad. Nothing that makes it super slow, runs up your data bill, texts premium numbers or stuff like that. Just have it "click" on ads silently, and rely on sheer numbers to make money for you. You don't even have to care if all the ads are yours - in fact you don't want that so it isn't immediately obvious who is behind it.
From my perspective this would even be a good thing, as anything that makes mobile advertising less valuable is a good thing in my book!
>These are people who bought new PCs by the tens of millions each year because malware infected their old one and made it "slow"
In their defense, Windows up until at least Win 7, with the registry naturally accumulating lots of crap, tended over time to make itself slow as well.
There is precedent for them creating updates for older versions of iOS; they did so a couple of years ago when they introduced a security update for iOS 6 six months after iOS 7 came out. If there was some serious malware they'd very likely do something similar - though perhaps not all the way back to iOS 6.x, as the number of 3GS devices still in use has to be a rounding error at this point.
And next to that, we have companies pushing selfie-logins by touting that the mobile is a "trusted platform".
<shakes head>
How come this malware always seems to be able to root a large proportion of handsets from all sorts of manufacturers without user intervention, without any obvious changes, certainly without a wipe, but I can't always manage that even knowing the exact model, booted into recovery with ADB connected?
Two possibilities occur:
- I suck
- This only really affects Chinese knock-off phones running unpatched Android v0.9. Therefore we don't really need to worry about it.
It's coming from 3rd party app stores with counterfeit apps. No matter how good your security is, you still need to give fairly high-level rights to a user when they are installing an app. Combine this with the fact that a very large portion of users don't bother paying attention to the permissions that an app is requesting, and you end up with malware getting installed despite any security protections.