So don't use third party Android stores!
You are a mug if you do.
A mobile software developer has turned an popular third party Android mobile keyboard called SwiftKey into a counterfeit package loaded with a trojan as a warning about the perils of using pirated or cracked apps from back-street app stores. Georgie Casey, who runs a popular Android app-development blog in Ireland, created a …
So don't use third party Android stores!
You are a mug if you do.
Of those 293,091 malicious apps, 68,740 were sourced directly from Google Play," writes Rik Ferguson, director of security research and communications at Trend Micro.
So there are many Android users living in blissful ignorance with a phone stuffed full of malware.
Unless Google Play address the problem it will get progressively worse.
It make Apples problems really insignificant in comparison.
But Android gives you the freedom to do so. It was mooted as a selling point.
Exactly right. It sure makes iOS and WP8 seem more trustworthy.
You can see why installing a firewall and virus checker on Android seems to be necessary.
Given that Google play itself is filled with malware as well. I have downloaded at least three that my sophos home virus scanner & my android avast scanner have detected and killed. For the record they were the gangnum style type things (can't remember the app name)
Google play store is just as bad and should be treated with utmost care.
"Of those 293,091 malicious apps, 68,740 were sourced directly from Google Play," writes Rik Ferguson, director of security research and communications at Trend Micro."
Play probably only hosts these things for a short space of time what with Google's own virtualised testing and threat analysis, 3rd party AV efforts, and users able to report dodgy apps. And if a threat is found afterwards, Play also has a remote kill capability.
Exposure is probably minimal anyway.
WP8 has zero security holes so far, and WP7 only a minor cert related one. IOS has had over 400 vulnerabilities now - not really on the same level...Windows Phone is highly secure.
that's a lot of "probably" that you've used there
you probably won't get hit by a car if you run across the motorway, but i'm not entirely happy with the idea of doing it myself
To be fair, neither Apple nor Google have had a great deal of experience in having to keep their operating systems secure.
I'm sure they'll get it right eventually though.
"...Exposure is probably minimal anyway..."
That's arguably the *best* security policy I've ever seen/read/heard about.
"WP8 has zero security holes so far, and WP7 only a minor cert related one. IOS has had over 400 vulnerabilities now - not really on the same level...Windows Phone is highly secure."
You are an idiot. You use the term "so far" and then state "Windows Phone is highly secure" in the next sentence.
Can't you see how stupid that is?
WP8 has zero security holes so far, and WP7 only a minor cert related one.
And in comparison to its market share?
It was never " mooted as a selling point." I love how people just make shit up, the same applies to PS3 OtherOS, also something that was never promoted, suddenly has claims to be advertised as a feature (unless a single line mention in the handbook is now advertising...)
The other point is, yes, it gives you the freedom to do so, but not without first giving you a scary Malware warning that tells you that you are opening yourself up to Malware, and keyloggers and all sorts of other nasty shit.
So rather than these idiots trying to scare people into buying their virus "solution", the press should be highlighting those that encourage users to enable sideloading. Facebook and Amazon being the two biggest culprits.
WP8 is secure for only two reasons.
1/ Nobody uses it.
2/ There are no apps for it.
Thought being a mug was a pre-requisite? ;)
Hey as long as that firewall and virus checker are not also trojans!
Re-do that as a percentage. 0 out of 0 is not all that impressive?
so you didn't read the article then?
The remote kill facility can remove the initial app, but what about anything installed by that first malicious infection?
Anyone who's ever had to clean up a virus or even a program that installs third party 'crapware' knows the problems here..
"WP8 is secure for only two reasons.
1/ Nobody uses it.
2/ There are no apps for it."
Kind of why Linux and Macs are secure. This time its the Windows machine that is safe.
It's a good job that all those Linux servers and embedded devices, without which the interwebs wouldn't run, don't exist otherwise according to you they'd surely be incredibly vulnerable.
Can't say for sure about Android, but PS3 OtherOS capability was advertised, if perhaps not heavily promoted, for the original and, I believe, first revision units. At least one company, whose name I don't recall at the moment, offered a PS3 with preinstalled Yellow Dog Linux for about the same as the combined price of the PS3 and the Yellow Dog installation media. I bought a PS3 for the BD player, as Sony adoption of Blue Ray appeared to presage the death of HD-DVD, and for the OtherOS feature. I have not upgraded the Sony firmware since they removed it (and will not do so), and eliminated Sony from my hardware candidate lists, especially after their action against George Hotz.
One should really ask him/herself how this "scanning" is done? What is the algorithm to label an app "malicious"? Errors of the 1st and 2nd order, what about them? No magic algorithm exists and the numbers should be taken with a a great amount of skepticism.
Unless Google Play address the problem..
It's been addressed in the Android API already. It's called permissions transparency. Take, ths swiftkey keyboard example. It wants your sms, Internet access, phone communications . (While, another keyboard app, eg., hacker's keyboard, needs nothing of those!) Unheard of! It just doesn't call itself "fishy". One needs no keylogger malware with this one. The real problem is that it is really popular.
The only way I can see Google could improve on that is to put all potentially dangerous permissions, like reading identity, sms, Internet telecommunication, phone calls etc in flashing red font along with extra warnings and alarms when those are permissions are required.
Or more likely there is so few users out there in the wild.
A No one has bothered trying to find the holes.
B No one has used the few apps out there to see if there is any holes.
Not sure which is applicable. Zero security flaws.... That is a FAIL waiting to happen.
If I'm stuck only using the official Google store, my reason for going to Android becomes moot. It starts looking like that "walled garden" of Apple's that is supposed to be restricting my freedom so badly.
I thought the point of Android was freedom, and not being stuck with an involuntary walled garden. So now you are telling me to be safe I need a VOLUNTARY one? Make up your mind, walled gardens, bad or not? If you still can't leave a jail, does it matter if the door is locked or not?
Considering 'so far' is over 2 years, it's not stupid at all.
Market share also has nothing to do with it. For instance, Linux has a much lower market share than Windows but has far more vulnerabilities.
Windows Phone has about 160K apps now - faster than either Android or IOS got to that many...
They ARE incredibly vulnerable: http://www.zone-h.org/news/id/4737
You're not stuck using the Google Play store, but you accept that there are risks if you don't. If you aren't prepared to accept the risks, then really you should be in the walled garden (not a criticism or an insult - promise).
The trouble is this article suggests (and maybe right, I've not seen the quality of the original research) that while you may be taking fewer risks by sticking to the Google Play store you're still running a level of risk that you wouldn't be if you were using iOS or WinPho8.
To be clear, I'm not advocating the Apple/MS walled garden route as some panacea - nothing is perfect - but for many non-techies it's safer and more appropriate. For the average savvy punter on here though, the ability to understand the risks and consequences and positively accept them is a good place to be accepting also not to beef when you pick up some key logging from an obscure apps depository that you really shouldn't have used.
In the end the reason for going to Android is the same and doesn't change, but the way to approach the whole area of Apps and how/where you source them does change.
Of those 293,091 malicious apps, 68,740 were sourced directly from Google Play,
There are more than a few things suspicious about this story.
Why is it I can't find a list of these malicious apps found by Trend Micro anywhere?
Isn't Google Play supposed to remove these 68,740 apps as a violation of their TOS?
Is this an accurate account, or is this really an attempt for Trend Micro to scare people into installing their Android security apps?
Which BTW have sweeping permissions And after the 30-day trial Trend Micro Mobile Security costs you a whopping $29.99 (.£19.75).
Wow, look at all the AC's in this thread, it's a bang'n! All out OS ~security~ comparisons, marketing share comparisons, one of them even snuck Win8 into it!
Anyways, this kid has demonstrated that running code on a computer can do things. Don't get me wrong, I'm glad he wrote this application, we now have a name to associate to malware. If you get malware, e-mail this kid with your thoughts. Anyhow, maybe his next attention getter will be demonstrating how to wreck a car if it is moving.
"Which BTW have sweeping permissions And after the 30-day trial Trend Micro Mobile Security costs you a whopping $29.99 (.£19.75)."
@BillG: Yep, seems like FUD. I have the same thought, and that thought trumps all those "statistics". Also, I don't think you can find a list because all other malware scanners are part of that list! If you think about it, wouldn't they have to be detected as such due to their nature?
Can I plug Avast! here, as you seem to get a lot of features for free.
Back to using pay phones and the BT charge card assuming either exist.
If I am going to get a virus I prefer it to be electronic
Pseudo-programmers aren't needed to prove that fact.
Another non-story from ElReg ... how about, instead, focusing on how marketards are fleecing idiots? And maybe giving the kids who might be capable of using social engineering the tools to keeps friends & family safe?
Valid point but i'll wager (myself included) those sheeple would rather the efforts be focused on stopping or helping to mitigate "attacks" like this....
If you cant trust the (goole, MS, Apple BB etc) company to provide you with clean, tested and approved software then we are all screwed...
"If you cant trust the (goole, MS, Apple BB etc) company to provide you with clean, tested and approved software then we are all screwed..."
I don't use any of the above, because I don't trust any of the above. Marketing doesn't provide clean, tested software ... rather, they sell whatever sells. And the sheeple slurp it up.
Sales doesn't equal "safe and secure". Never has, never will. Sheeple are sheeple.
OK, I'll bite. What OS/firmware *is* your phone running?
*Grabs popcorn and waits for the neo-luddite to reply
The one at my elbow is an early 1950s Western Electric 500 rotary dial. The one in my shirt pocket is a Nokia 5185. My telephones are telephones, nothing more, nothing less. They make and receive telephone calls. That's it. I'm an old UNIX hacker ... one simple tool that does the required job, and I'm happy with it.
I am a neo-luddite.
But you can't come up with a reason why I might be wrong, can you.
He just doesn't want to admit to being a Blackberry owner :)
What makes open source any more trustworthy? unless you validate the code and compile it yourself then it is no different to anything else, you're still trusting someone to be supplying you with a clean product.
It's almost like trying to buy drugs and wondering what you are getting and if the supplier is legit.
People who call others "sheeple" immediately lose whatever point they are trying to make.
Except to actual people who are capable of thinking for themselves.
"Except to actual people who are capable of thinking for themselves."
...now get off my lawn.
'People who call others "sheeple" immediately lose whatever point they are trying to make.'
And they always make me think of http://xkcd.com/1013/
Besides, the word "sheeple" is now banned because Ms. Richards will get upset.
@jake "Except to actual people who are capable of thinking for themselves."
This is exactly why you lost. You're so absolutely sure of your point of view that you are not willing to entertain any other and dismiss people who do as "sheeple".
Biting the hand that feeds IT © 1998–2017