back to article Google pulls all Android apps linked to adware badness THAT MUST NOT BE NAMED

Google has pulled multiple Android apps that relied on a popular mobile app library that posed a severe security risk. The ad library, codenamed “Vulna” (or Ap Vulna") by FireEye, the net society firm that uncovered the threat, aggressively collects sensitive data as well as being able to perform dangerous operations such as …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Pull the kill switch

    <schmidt>Android more secure</schmidt>

    1. Anonymous Coward
      Anonymous Coward

      Re: Pull the kill switch

      <troll>I post smarmy comments to sound pithy, when I really just sound like an asshole</troll>

      1. Anonymous Coward
        Anonymous Coward

        Re: Pull the kill switch

        Really? Do you even know what smarmy means? AC2 sounds like the troll, Schmidt did just say that Android was more secure. 160 million downloads seems to contradict that pretty emphatically....

      2. Anonymous Coward
        Anonymous Coward

        Re: Push the scissor switch

        <meta-meta-troll>On the internet, no one can hear you type.</meta-meta-troll>

      3. Anonymous Coward
        Anonymous Coward

        Re: Pull the kill switch

        Glad I ditched my Ad-droid phone for a Nokia running Windows Phone. It's a miles better end user experience....

        1. HollyHopDrive

          Re: Pull the kill switch

          And you won't find that problem on windows mobile since there are no 3rd parry apps ;-) [I'll await the flames - I'm joking...but somebody had to do it]

          Childish tech jokes apart, there is an element of truth in it. Fewer apps mean fewer holes. But as the windows app store grows the same issues will haunt it. You've got insagram, whataapp and ...I forget the other one all arriving soon so its gaining some traction from bigger players so expect the holes to start appearing as others jump aboard.

          And just in case you didn't pick it up from the articles this is a 3rd party library (not android os) so the same will inevitably happen on windows phone at some point.....

          1. RyokuMas Silver badge
            Stop

            Re: Pull the kill switch

            "But as the windows app store grows the same issues will haunt it." - not likely. Like iOS, Windows Phone apps have to go through a registration and clearing process before they go up on the store - the "walled garden" that so many are so quick to decry, but none-the-less does a pretty decent job of protecting the masses.

            ... as opposed to Android, where (at worst case) all I have to do is convince users to check a checkbox in the settings then download and install an app from my website that could be *anything*. Even when going through an official channel eg: Google Play, all I have to do is upload my app and hit publish.

            I'm not saying that the walled garden approach is totally secure - there will always be some loopholes that those with enough time and determination will find a way to exploit. But it is many times more secure against opportist script-kiddies.

            The tech-savvy may moan and wail about the "closed" nature of the walled garden until the cows come home - in some cases because they have a genuine need for full openness, others as just a knee-jerk reaction to anything that is closed/Microsoft/Apple/not Linux/[insert preference here]. But your average user - who knows next to nothing about keeping their device secure - is the target audience here, and Google would do well to remember this before they end up with as bad a reputation for phone security as Microsoft have/had on Windows PCs.

            1. Intractable Potsherd Silver badge

              Re: Pull the kill switch

              " ... Google would do well to remember this before they end up with as bad a reputation for phone security as Microsoft have/had on Windows PCs."

              It didn't exactly stop Windows becoming somewhat successful, though, did it?

              (OK, we're not quite comparing like with like - there hasn't been a reasonable option to Windows*, but there are options to using Android.)

              *Sorry, FOSS advocates - if they were reasonable options in the minds of purchasers/users, then there would be more being used.

    2. Anonymous Coward
      Anonymous Coward

      Re: Pull the kill switch

      Security is the Android Achilles Heel.

      1. asdf Silver badge

        Re: Pull the kill switch

        >Security is the Android Achilles Heel.

        It didn't have to be but Google rushed the platform to market and some unwise design decisions were made imho.

    3. Anonymous Coward
      Anonymous Coward

      Re: Pull the kill switch

      Let us know when Apple fix this will ya...

      http://venturebeat.com/2012/02/14/iphone-address-book/

  2. Anonymous Coward
    Anonymous Coward

    Can't Google remove the apps from phones

    I'm pretty sure Apple would do exactly that, whether the app users wanted it or not (and Amazon certainly isn't shy when it comes to quietly removing contents from Kindles).

    1. Lamont Cranston

      Re: Can't Google remove the apps from phones

      Quite - I was under the impression that this was well within Google's means (and seem to remember it being touted as an "advantage" of the Play store).

      1. Charles 9 Silver badge

        Re: Can't Google remove the apps from phones

        It probably was until Amazon was stung with the "1984" scandal. Suddenly, people wondered: if the app stores can remove apps from my device, what's to say they could abuse it to, say, remove sideloaded apps?

        1. Uncle Siggy

          Re: Can't Google remove the apps from phones

          "It probably was until Amazon was stung with the "1984" scandal. Suddenly, people wondered: if the app stores can remove apps from my device, what's to say they could abuse it to, say, remove sideloaded apps?"

          Like an image scraper that publishes my selfies from my photo albums to their portal?

      2. Blacklight
        Alert

        Re: Can't Google remove the apps from phones

        Quite. Back in 2010 IIRC (and as this link points out) : http://readwrite.com/2010/06/25/google_activates_android_kill_switch_zaps_useless_apps

        I'd have thought they could remove the app from the phone, unless there are paid for app issues - but if you don't "return/uninstall" an app after 15 mins nowadays, you're money is gone anyway.

        1. BillG Silver badge
          Mushroom

          Re: Can't Google remove the apps from phones

          So that's why every time I access Goggle Play store from my Android my Bing desktop shortcut is removed. Another time Google set the app to Hidden.

        2. Jamie Jones Silver badge

          Re: Can't Google remove the apps from phones

          They can still add/remove stuff - system stuff too,

          A few months ago, gmail was removed from my /system partition - I had to install the latest version as an app.

          I thought I was going mad, but they helpfully left behind a little log file showing the activity.

  3. lansalot

    ouch

    "vulnaggressive" ????

    I'm feeling vulnaggrieved....

  4. not_equal_to_null
    FAIL

    Was this written by a 14 year old?

    Did anyone bother to proof-read this in between copying and pasting from the press release?

    A few pointers:

    - Sentences shouldn't start with 'But'

    - You don't need a comma between the final element of a list and the 'and'

    - 'It can also performs dangerous operations' makes no sense

    - 'a skilled hackers' makes no sense

    - I'm not sure what 'unsecured HTTP' means. I know what unencrypted HTTP is, though...

    - There are various clunky and awkward phrases dotted around the place

    I don't claim to be anywhere near perfect, but I can at least make myself understood. Can we have this article sorted, please?

    1. Thecowking

      Re: Was this written by a 14 year old?

      In all fairness, you can start a sentence however you like, whether you like the style is up to you, but it's not unusual in less formal writing to start with "But", "However" or the like.

      I'm quite partial to the Oxford comma too, it's certainly an established and accepted bit of punctuation.

      My post probably fails to live up to so many of the rules we were taught as children too, but I rebut those rules thus: sod it.

      1. Anonymous Coward
        Anonymous Coward

        Re: Was this written by a 14 year old?

        I have to disagree with your statement in general, although there are exceptions.

        But, is a word that generally is used to cite an exception to the previous statement and as such should really only follow a comma.

        1. Anonymous Coward
          Anonymous Coward

          Re: Was this written by a 14 year old?

          So's "however" and "on the other hand," yet these are considered improper to follow a comma. You need at least a semicolon for these if not a full period. I recall these aren't well-suited to precede an adverb (think "But lately..."). Also, one needs to consider the degree of connection between the previous and current statement, as a comma-conjunction or a semicolon imply a strong connection which you may not want if the connection is looser, but you still need to indicate that the following statement somewhat contradicts the former. What could you use besides "but" or "yet"?

        2. Destroy All Monsters Silver badge

          Re: Was this written by a 14 year old?

          Next you will us that one has to put the period in front of terminating parenthesis?

          But no (or yes?)

          1. wowfood

            Re: Was this written by a 14 year old?

            But what about sentences like this?

      2. not_equal_to_null

        Re: Was this written by a 14 year old?

        I admit I may have been a little harsh, but the overall article was quite difficult to get through. I'm not asking for perfect formal English, but a level of readability consistent with the rest of this fine site would be appreciated.

      3. Anonymous Coward
        Anonymous Coward

        Re: Was this written by a 14 year old?

        Well said. I could care less that some don't like such sentences, so I'll be using them irregardless.

        1. Jamie Jones Silver badge
          Headmaster

          Re: Was this written by a 14 year old?

          COULDN'T!

    2. Flywheel Silver badge

      Re: Was this written by a 14 year old?

      " 'It can also performs dangerous operations' makes no sense"

      From the Borat School of Jornalism. Obviolsy.

    3. Michael Thibault
      Stop

      Re: Was this written by a 14 year old?

      @not_equal_to_null

      "- You don't need a comma between the final element of a list and the 'and'"

      Such a comma is permitted if your style manual allows for it. It's optional, in other words.

      When introducing a list with a colon, it's usual to separate items in that list with line-final semi-colons (ignoring the line-initial character, or any capitalisation on the items, for the moment). Furthermore, the semi-colon after the penultimate item in the list is usually followed by " and"—and, of course, the list is terminated with punctuation of some kind, usually a full stop.

      1. not_equal_to_null
        Thumb Up

        Re: Was this written by a 14 year old?

        If you re-read my post, you'll notice that I wasn't actually trolling (though I did leave myself well open to the light roasting).

        It's just that I've seen more and more articles like this recently - I'm sure I'm not the first to pick El Reg up when they slip from their usually high quality, and I certainly won't be the last. The pedantry endemic to the commentarati is what makes this place, after all.

        1. frank ly Silver badge

          @All of you. Re: Was this written by a 14 year old?

          I'm wondering about the viability (and advisability) of outsourcing the proofreading and correction of El Reg articles to the commentardiat. There would need to be some parameter tweaking by the official Reg staff and some heavy initial scoring, along with an algorithm for determining which commentards were given the tasks, etc. You know what would be needed ......

          Grammatically correct responses would be appreciated.

          1. Anonymous Coward
            Anonymous Coward

            Re: @All of you. Was this written by a 14 year old?

            For reasons I cannot identify, I was lead to read this post with an 'internal voice' of someone quite drunk. (I'm pretty much teetotal.) No offense to the author, of course, but ... interesting.

  5. Mike Moyle Silver badge

    ...But, then again...

  6. DrXym Silver badge

    What software is it

    I wonder why nobody says what it is.

    1.8% is a lot of apps so I assume it's one of the more popular replacements for admob. But given the horrific set of permissions most adware libs demand, I'm surprised many app authors would ever use them. The potential for abuse (and the damage to the app's reputation) must be pretty high.

    1. Vector

      Re: What software is it

      Yeah, it's nice that they've contained any future damage, but could we please have a list of the affected apps! Just because updates have been made available, doesn't mean they've been installed and I, for one, don't like allowing auto-update. I'll update (or remove) the affected apps if I know what they are and if I have them.

      1. Wize

        Re: What software is it

        We should be told to ensure we are not on the list of compromised people. I would prefer to change my passwords everywhere now if I knew I had been snooped than wait till they start using what they slurped.

        Maybe someone should start cataloguing the Google App Store so we can see what has vanished.

  7. sabroni Silver badge
    Happy

    Quick googletards!

    Hijack this thread to bitch about punctuation before anyone notices how badly Google have fucked up!!!

  8. nematoad Silver badge
    Big Brother

    Hmmm

    I think that the developers of Vulna missed an opportunity.

    They should have sold it to the NSA, it's just what that organisation is looking for.

    Or wait, perhaps they did after Edward Snowden legged it.

    1. Irongut

      Re: Hmmm

      Maybe that's why FireEye are not naming the library or the developer, it is the NSA.

      1. Destroy All Monsters Silver badge

        Re: Hmmm

        NO SUCH APP!

  9. Anonymous Coward
    Anonymous Coward

    Surprise!

    Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft.

    People need to give themselves a shake and stop using MS products!

    Sorry I'm late!

    1. RyokuMas Silver badge
      Paris Hilton

      Re: Surprise!

      Late? Try plain wrong...

      Trouble is that everyone is bitching about Microsoft's lack of security in the past and just not realising that exactly the same thing is happening all over again with Google and Android.

      Stop living in the past and focus on what has the potential to become a Windows-sized security problem on mobile!

      1. Anonymous Coward
        Anonymous Coward

        Re: Surprise!

        > Stop living in the past and focus on what has the potential to become a Windows-sized

        > security problem on mobile!

        Potential? I think we're pretty much there - not least because Google have limited appetite not to let it happen. Given Google's business model with Android, so long as droids continue to be activated and linked to Google accounts, why *should* they care?

      2. Michael Thibault
        Big Brother

        Re: Surprise!

        No surprise if the black-hatted ones move as double-plus-quickly as possible to ensure that each and every planted bad-thing stays where put for as long as possible. (Time is money, after all.) There being so many new, neat, and nifty things you can do with the data to be found on mobile, the problem is likely to end up being much, much bigger than security on Windows was.

    2. Destroy All Monsters Silver badge
      Holmes

      Re: Surprise!

      Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft.

      People need to give themselves a shake and stop using MS products!

      I'm pretty sure I have seen this posting a few times in the past in Apple or Android or Linux threads.

      An evil bizarro leprechaun version of Eadon?

      1. Anonymous Coward
        Anonymous Coward

        Re: 3 upvotes!

        See! I said it would get funny if I did it enough!!!!

        Running gag FTW!

  10. dajames Silver badge
    Headmaster

    Why am I not surprised ...

    ... that a library named "wound" does harm?

    I can't help feeling that if I were distributing a library that contained malware I'd name it for something warm and comforting , rather than "wound". We can hardly claim not to have been warned!

    [Latin: vulnerare: to wound or pierce with a weapon.]

    1. Destroy All Monsters Silver badge

      Re: Why am I not surprised ...

      I thought that's the keyword for the unnamed library.

  11. Scott 62

    I've only just realised that it is being referred to as "Vulna" yet I've been reading it as "Vulva" over the last couple of weeks.

    1. Destroy All Monsters Silver badge

      Welcome to the club. The couch is over there.

      I fear what a "vulvagressive" encounter could do. It sounds dangerous.

      1. Philip Lewis
        Coat

        No problem, as long as you not on the receiving end

      2. Captain DaFt

        I fear what a "vulvagressive" encounter could do. It sounds dangerous.

        I hear it involves a whip...

  12. WatAWorld

    Write an app to detect and report vulnerable apps

    Sounds like someone could make some money from an app to detect and report known vulnerable apps.

    Not a virus scanner, just something to check for the presence of the known vulnerable apps.

    1. Jamie Jones Silver badge

      Re: Write an app to detect and report vulnerable apps

      There's one already, annd it's FREE - not only can you get it to scan all installed apps, it can also scan apps as you install them.

      It can even be set to link in with the 'play store' app, and warn you about an app when you simply visit it's store page.

      Whilst its name gives clue to it's original purpose, it now covers most (all?) of the main ad providers, and also reports generic suspicious activities (e.g. 'Warning: The ball-bounce game you have just installed has permissons to raid your bank account and take the soul of your first born' etc.)

      I don't know if it particularly targets this 'unnamed ad sdk' but it probably does - a note to the developer could confirm this.

      I have no affiliation, just a satisfied user etc.

      More details, and link to the play store here:

      http://www.appbrain.com /app/appbrain-ad-detector /com.appspot.swisscodemonkeys.detector

  13. Gannon (J.) Dick

    Rogue ___Developers___ Strike Google Again

    About time for a Template.

  14. Shannon Jacobs

    the google is now officially EVIL

    In theory, the google has the information to warn you if you may be at risk. In reality, guck foogle and the horse you rode in on.

    Here's a related story from Japan. It's from a couple of months ago, which mostly proves that the google is too EVIL to fix or even look at such problems even AFTER the barn door has been left open.

    Today I'm actually in the same prefecture where the criminals were arrested. There were (at least) 7 of them (as reported to the public), led by a poker shark, which I translate as a professional gambler and probably yakuza (a kind of professional criminal in Japan, sort of like being in a biker gang, but generally with better discipline). The scam involved a number of Android apps, some of which had apparently been available on the Google Play website for a long time. There were a variety of apps, none of which were labeled "software supporting crime". Surprise, surprise.

    After the story hit the papers and Web, I actually contacted the police to see if they could identify the apps. The vague report indicated that several of them were games of the sort that I might have tried for the sake of Japanese study. I'm not surprised that the police couldn't answer, but I also pursued the matter with the google. I accept that the police are not especially competent when it comes to cyber-crime, but the google has no excuse save being EVIL.

    By the way, I used to think it wasn't the google's fault. They are forced to play the game by American rules, which means according to laws that are written by the most easily bribed politicians working for the (tiny minority of) least ethical and greediest businessmen. Of course large American companies are basically forced to become evil just to survive. Then I found out that the google has become a large, probably the largest, lobbyist among high-tech companies. That is the google's fault. EVIL is as the google does.

    Why not tell us if we are at risk for the crimes the google sponsored? Evidently because we don't work for the NSA.

  15. MrRtd

    OK, why wasn't this something all the security software providers were all over? I would think, especially those who pay for their security software, that they should have been notified of this security breach in the apps that they scan. On the other had I am certain that the security software industry is in the Android market just to turn a quick buck while providing minimal if any security at all.

  16. Dave Lawton

    Is there any third party evidence that it's real ?

    Anybody ?

    FireEye don't seem interested in allowing comments on their blog, nor posting information on the apps that were removed.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019