back to article Android Market free-for-all blamed for malware avalanche

Android mobile malware samples have increased more than five-fold since July alone, according to a study by Juniper Networks. The ability of anyone to develop and publish an application to the Android Market – in contrast to the more restrictive model applied by Apple for iOS – is at least partly to blame for the huge increase …


This topic is closed for new posts.
  1. James 47

    What Symbian viruses? The only one I could remember was Cabir that only changed the icons on the homescreen.

  2. Michael 36

    "no one checking to see that your application does what it says"

    Nobody could have seen that as a problem.

  3. Dr. Vesselin Bontchev

    Lecture time

    1) While occasionally malware has made it into the Android Market, the vast majority of such malware comes from alternate markets and stand-alone APK files distributed by various Web sites.

    2) If malware has been installed on the user's phone from the Android Market, Google has the capability to remove it from there without requiring the consent of the said user. Remove it from the user's phone, I mean - not just from the Android Market. However, this capability is not present, if the malware has been installed from alternate sources.

    3) Lookout is exaggerating a bit, IMHO. The known variants of Android malware are about half of what they state. 400+ - not 1000.

    4) It is most definitely not true that the Android applications store model "lacks signing". Just the opposite - every app must be signed, or it cannot be installed on a non-rooted device. The problems are elsewhere: (a) the apps are signed by their producer, not by Google (for comparison, the iPhone apps are signed by Apple) and (b) there is no review process. Arguably, the app access rights model is also flawed. It relies on the user being able to decide whether to install an app that requires specific rights. Most people don't even understand what these rights mean and just allow them. In addition, there is no way of granting only some of the requested rights to the app and later granting more rights or revoking some, if necessary.

    1. Anonymous Coward
      Anonymous Coward

      Care to elaborate on why your HO is more relevant than a security company's?

      1. Craigness

        More relevant

        He's a Doctor and Lookout is trying to sell you stuff.

        But their free version is pretty good too.

    2. Anonymous Coward
      Anonymous Coward

      It is most definitely not true that the Android applications store model "lacks signing"

      and how does "i sign and agree that this will fuck your phone" help anyone?

  4. Anonymous Coward

    Warning for the idiots.

    This bullshit FUD only mentions percentages, rather than actual numbers.... Which makes it rather meaningless.

    As even the most braindead can work out that if there were 2 malware apps last month and there were 4 this month, that's a 100% increase....

    1. Anonymous Coward




      Droid fan

      1. Prag Fest


        So true, if they discovered Android regularly sends all your private data to Nigeria, clowns like Shitpeas would still try to argue it's some sort of iOS killing feature.

  5. austerusz

    Far fetched

    The comparison to Windows is just a bit far-fetched. Getting malware on your phone happens if and only if you acknowledge and specifically download & install a malicious app. It's not the simple fact that malicious apps get on the Market and it's nothing like going on the same site you've been using for years only to get you system hijacked with the help of an iframe where some malicious JS was injected.

    Still, it wouldn't hurt if Google would establish a reviweing process. Whether it involves approving apps or simply testing apps as they are added, it would still help. Or even better, it opens up a market for third-party app auditors.

    1. Tom 13

      I expect Google will eventually recognize the

      money making opportunity of a "Google Approved Android App" cert, which is available only at the Android Market place. And it leaves open the possibility of third party apps which aren't certified, but installed at your own risk.

  6. Ian Yates

    The bigger issue

    is that Google didn't really consider the need for OTA security updates initially.

    It would be a much safer platform if Google could push security fixes as separate updates, assuming the affected component was "standard".

    I try to keep my Desire at the highest OS version, but Desire development is slowing in favour of newer handsets, so I may need to eventually upgrade.

  7. Anonymous Coward
    Anonymous Coward

    And here we go...

    ...with anti-Apple geeks who frequent these threads still trying to insist that the open-for-all Android model is better.

    Not for consumers it isn't. Google will reign this shit in and "go Apple" sometime next year, mark my words.

    1. a_been

      No they wont

      Google don't give a fuck about malware, it doesn't affect their customers or their profits.

  8. Anonymous Coward

    Rate of Infection?

    The real question here should be is it’ a real problem for teh avaerage Android user?.

    If you only shop for and install apps from Google’s own Android Market orAmazon’s Appstore, are you likely to encounter it?

    I would say app infection is likely that a Trojan.

    If a couple of hundred people in the street were stopped and their phones inspected, how many would be infected as a percentage of the installed base?

    Malware is a problem on Android. But how much of one?

    Apart from the one that comes included on some handsets straight from the factory.

  9. Craigness


    Android's permissions system could be improved - made more fine-grained and have the user able to decline specific permissions before install for example - but it's good enough to prevent most malware being installed. Spyware which has a legitimate use might not be detectable, but most things are. Here's something like what people are shown when they download malware:

    Welcome to Android Market. You have chosen to install "Talking Hamster". It requires the following permissions:

    Connect to the internet

    Read system log files

    Detect running apps

    Detect phone location

    Detect user accounts

    Connect to user accounts

    Read phone identifiers

    Read and write calendar

    Read and write contacts

    Read and write SMS

    Send SMS to premium rate numbers

    Phone premium rate numbers

    Read, write and delete SD card data

    Record audio

    Prevent phone from sleeping

    Do you want to continue?

    1. Anonymous Coward
      Anonymous Coward

      Yep... that would scare the crap out of me... because I know what they are, and the consequences of their abuse.

      However, perhaps the slightly thick user or kid with a new toy is probably going to accept anyway, because they want the 'Talking Hampster' and not let a few mysterious allowances get in the way.

      There are probably enough of these kinds of users to make a zombie ecosystem worthwhile.

      I say nip it in the bud now, before this stuff can escape the kill switch and run wild.

    2. Anonymous Coward
      Anonymous Coward

      Or as the article says they could use one of the vulnerabilities in Android to bypass this completely

      "In the early spring, we began seeing Android malware that was capable of leveraging one of several platform vulnerabilities that allowed malware to gain root access on the device, in the background, and then install additional packages to the device to extend the functionality of the malware.

      Today, just about every piece of malware that is released contains this capability, simply because the vulnerabilities remain prevalent in nearly 90 per cent of Android devices being carried around today. Attackers know this, and they’re using it to gain privilege escalation on the device in order to gain access to data and services that wouldn’t otherwise be available."

    3. Gordon 10 Silver badge

      @craigness FAIL

      You are utterly missing the point.

      Normal punters won't even stop to review those and frankly there is no reason they should have to. It's a complete user experience fail.

      Reading a page of fine grained permissions is a function for geeks only.

      Expect Amazon to gain ground with their tigher controlled app store if this issue becomes bigger.

      The only thing that will stop this issue becoming like the current win desktop scenario is that the average life of a handset is much shorter than a desktop.

      Apples control freakery makes perfect sense in this case. People swap a small degree of freedom for the comfort that the only people sucking their bank account dry are their mobile telco's.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019