back to article Google yanks fake Android battery monitor

Zscaler has spoiled someone's app-spoofing sting, discovering a fake battery monitor app on Google Play. Worryingly, the spoof app seems to have gotten past Google's self-lauded Bouncer app vetting system. The company reckons the malicious version of the BatteryBot battery indicator app was probably trying to put together an …

  1. Pascal Monett Silver badge

    "its intentions were revealed by the permissions it seeks (basically, everything)"

    Um, if I remember correctly, that seems to be the case for almost every app I have ever installed on my phone, so no, that doesn't reveal anything in itself.

    But kudos for monitoring the app's activity and nailing its nefarious nature.

    Now find the authors and flog them good. Maybe that'll give them some incentive to not do that kind of thing again.

    1. Anonymous Coward
      FAIL

      Re: "its intentions were revealed by the permissions it seeks (basically, everything)"

      No...not true, I mean take this torch app. To turn on the LED light all it needs is:

      retrieve running apps

      modify or delete the contents of your USB storage

      read the contents of your USB storage

      take pictures and videos

      Wi-Fi connection information

      view Wi-Fi connections

      Device ID & call information

      read phone status and identity

      receive data from Internet

      control flashlight

      change system display settings

      modify system settings

      prevent device from sleeping

      view network connections

      full network access

      plus a dash of:

      Updates to Brightest LED Torch may automatically add additional capabilities within each group.

      You need all that to turn on the light.

      https://play.google.com/store/apps/details?id=com.intellectualflame.ledflashlight.washer

      1. Anonymous Coward
        Anonymous Coward

        Re: "its intentions were revealed by the permissions it seeks (basically, everything)"

        Two down votes (the usual Google Marketing droids are online again).

        Seriously, state facts about something bad with a Google "product" and you almost can be certain of two down votes.

        So c'mon Google marketing droids, why the downvotes? Do you REALLY think a torch app should be able to modify the contents of my USB storage? Or was it the fact it needs to know about my Wifi?

      2. eJ2095

        Re: "its intentions were revealed by the permissions it seeks (basically, everything)"

        Missed out take a selfie of your self as well (Passport style) and add your name and address

    2. Anonymous Coward
      Anonymous Coward

      Re: "its intentions were revealed by the permissions it seeks (basically, everything)"

      I concur, even simple apps like "light" or "mirror" want to know everything which is why I don't install them or use "App ops" to remove said permissions.

      I do think google needs to have some sort of policy surrounding permissions.

      1. Phil O'Sophical Silver badge

        Re: "its intentions were revealed by the permissions it seeks (basically, everything)"

        It is a pity that Android doesn't seem to have a way to selectively accept the permissions an app requests. There are times I've seen an interesting app, but when I see the permissions it wants I won't install it.

        These aren't necessary malicious "give me TOTAL POWER" apps, but otherwise innocuous ones that want, perhaps, location or camera access. Maybe I would find the non-location or non-photo features sufficiently interesting to keep it, if I could say "OK, I accept all these permissions except 'x' and 'y', but I can't. All-or-nothing usually means it gets nothing.

        1. Anonymous Coward
          Anonymous Coward

          Re: "its intentions were revealed by the permissions it seeks (basically, everything)"

          "It is a pity that Android doesn't seem to have a way to selectively accept the permissions an app requests. There are times I've seen an interesting app, but when I see the permissions it wants I won't install it."

          Android M does.

    3. KBKarma

      Re: "its intentions were revealed by the permissions it seeks (basically, everything)"

      The real BatteryBot Pro app has the following permissions:

      Read contents of USB storage

      Modify or delete contents of USB storage

      Run at startup

      Control vibration

      The free version has the following:

      Run at startup

      So, the fact that the malicious one tried to get all of the permissions is a big red flag.

    4. viscount
      Unhappy

      Re: "its intentions were revealed by the permissions it seeks (basically, everything)"

      Totally agree: most apps seem to ask for a plethora of weird and wonderful permissions. As a normal user you have no chance of spotting a malware app, and Android does not allow the user to control what the app actually has access to on their phone.

      Some apps do a great job of explaining why they need what they ask for (e.g. the BBC News app) but most make no effort at all.

      Eventually there will be a huge scandal with a dodgy app and Google will need to rush out a change to allow granular control.

  2. Colin Bull 1

    Follow through ...

    So are Google Play going to advise everyone that downloaded the app that they have been proned. And give them instructions to remove it ?

    1. Pen-y-gors Silver badge

      Re: Follow through ...

      "advise everyone that downloaded the app that they have been proned..."

      YOU! Lie flat on the floor NOW!

  3. Captain Underpants

    To me this illustrates that, Google Play vetting aside, the real problem that Android has (or at least, has had - I've not used Lollipop yet) is the lack of ability for a normal user to control what permissions an app gets. It used to be possible to do this in the likes of pre-Gingerbread CyanogenMod, but due to a change in how permissions were handled they pulled the functionality on the understanding that it was going to be baked into vanilla Android imminently.

    We're now several years on from that point and still facing the scenario where, if I want to tell an app demanding network access that it's not getting it, I still have to put non-trivial effort into doing so even after I've gotten root access on the damn device.

    I think there's real value in allowing users the option of sideloading apps and stepping outside of the Google Play garden (because it differentiates the platform from iOS in a significant way); but for this to work, users have to also be confident that they have absolute control over what permissions are granted to software they install.

    1. Dan 55 Silver badge

      Privacy Guard is part of CM10.2 upwards (Android 4.3 upwards).

    2. S4qFBxkFFg

      Captain Underpants:

      The reason why, is that that allows users to do things like remove ads (which is the main reason I installed a firewall in the first place...).

      1. Captain Underpants

        @ S4qFBxkFFg

        True enough, I've done the same thing myself. (The decidedly unsophisticated way around it is to enable flight-mode before launching whatever it is that you want to skip the ads on...).

        Having said that, I recall seeing free games with ads embedded in them that incorporated a check that prevents loading the game unless they're allowed to contact the ad server, which seems a better solution to me. There's no reason an app couldn't have similar checks and interface with the OS to prompt the user for the required access; at least that way you get a (hopefully informed) choice as to whether you want the app to have that access or not.

        1. Anonymous Coward
          Anonymous Coward

          You can (for the apps/games I've installed) get around that by having the network enabled when starting the app/game, and then disabling the network and deleting that seed ad's mp4 file that was downloaded.

    3. Anonymous Coward
      Anonymous Coward

      To me this illustrates that, Google Play vetting aside, the real problem that Android has (or at least, has had - I've not used Lollipop yet) is the lack of ability for a normal user to control what permissions an app gets.

      Android M does

      1. Captain Underpants

        @AC: "Android M does"

        It's a move in the right direction, but it's also only a developer preview thus far, so not really much use to the general public (and unlikely to become one for anyone whose device is more than about 6 months old, given the general experience of trying to get older devices to run newer versions of Android...)

        Actually, that's been my other big frustration with Android (and the real reason I'm not willing to get too dependent on it) - the utter failure to backport fixes. I know a significant part of this is down to carriers, but still - it's a bloody horrendous state of affairs. I'm not asking for a ten-year lifespan on a phone or tablet, but sw updates for more than 1 year would be nice.

        Edit: another reason it won't fix the problem in the hurry: "Only the applications compiled for Android "M" using its software development kit (SDK) will use the new permission framework, while all other applications will continue to use the previous permissions model." (Quote from Wikipedia, source is this anandtech article.) Unless the Google Play Store clearly differentiates apps that use the new model from those using the legacy model, it basically means that shitemerchants will just continue using older SDKs and do exactly the scummy stuff they're already doing.

        1. Dan 55 Silver badge
          Flame

          Well that's just bollocks. * CyanogenMod, MIUI, DonkeyGuard, and XPrivacy work with the old SDK as did Google's own short-lived App Ops.

          What Google have done is give advertisers (and malware peddlers) a hole big enough to drive a bus through, by design.

          * Not your post, Google's design.

          1. Wolfclaw Silver badge
            Unhappy

            No, what Google have done, is give advertisers a hole big enough to drive a bus through to ensure the droid gets it advertising revenue kickback and the malware peddlers have jumped on the bus without paying.

    4. Jamie Jones Silver badge

      My tablet came with an additional hook into security.

      You install an app as usual, but when using that app, each time it tries to use a permission you are prompted via pop up "allow once/allow always/deny once/deny always/close app"

      The 2 'always' options could additionally be set to show a notification toast when triggered.

  4. Dabooka Silver badge
    Stop

    Permisisons stop me downloading SO many apps

    They simply don't need them, and the one with more reasonable demands makes it on to my phone. Take Autotrader and compare that to Motors; guess which one didn't get installed.

    It's scary how blind people are though, and even if you mention the permissions requested it's usually met with a nonchalent shrug.

  5. Tony W

    Will no-one think of the ads?

    Fixed permissions are needed so devs can make money from ads which is fair enough. But the only permission they need for this is Internet access, so there doesn't seem to be a good reason why other permissions shouldn't be controlled by the user.

    Apart from that, surely no app in the stupidly named play store should be able to make itself ununinstallable?

    1. Blane Bramble

      Re: Will no-one think of the ads?

      @Tony W

      It should be simpler than that. There should be an "Application is Ad Supported" permission that only allows access to retrieve and display ads. No general internet access, no additional permissions required.

      1. Anonymous Coward
        Happy

        Re: Will no-one think of the ads?

        That would require a list of ad networks to be maintained/updated by an ad network (Google.)

  6. naive

    Google is to blame

    There can be only one... Google, being an enthusiastic Android user myself, it is sad to see this happening:

    It is google not checking app permissions.

    It is google allowing dodgy apps in the shop without so much as a quick overview.

    It is google not forcing OEM's to follow Android upgrades for 3 years.

    It is google giving the illusion that google play is something else then a flock of vultures feeding on the corpse of privacy.

    The way google deals with Android is hard to understand, they have 80% world wide market share, but do nothing better then piss on it. Given the fact Android is free, it is another proof that people get what they pay for.

    1. Gob Smacked
      Facepalm

      Re: Google is to blame

      "Given the fact Android is free, it is another proof that people get what they pay for."

      So, what is your point exactly then?

  7. werdsmith Silver badge

    recall a furore a year or two back with people making indignant posts on social media because of all the invasive permissions that the iOS Facebook Messenger app was asking for. People were declaring it evil, stating that they were uninstalling it immediately and advising everybody to do the same.

    Two weeks after that cacophony died down, FB Messenger was number 1 on the iOS download list as those people that had deleted it were reinstalling it.

    1. Anonymous Coward
      Anonymous Coward

      Fanboi lemmings, as usual.

    2. Anonymous Coward
      Anonymous Coward

      Confused...

      I think the platforms have been mixed up here...

      To install Facebook Messenger on Android you *have* to give it permissions to get all of your contacts, see your location, look at your photos, read all of your text messages and a host of other things.

      On iOS, nothing except "Messages" can read your messages and - like all iOS apps - it has to ask for permission to see your contacts (denied), see your location (yeah, OK) and view your photos (denied) and these can be provided on a per-app basis with the setting changed later if required.

      Messenger functions fine without full access to everything on iOS... but you don't have the option on Android. It's all permissions to install, or if you don't agree to any, you have to forego the app.

  8. TeeCee Gold badge
    WTF?

    Hmm.

    ....the app is hard to delete – with admin privileges, it's beyond the ordinary user, and there's an extra nasty. A separate persistence package called com.nb.superuser runs on a different thread and survives deletion of the main app.

    So the Android uninstall process doesn't then? Sounds like there's a sodding great hole somewhere in the Android security model if it's even possible for a user app installation to root the bloody thing to that extent.

    Fixing that would be a good start to preventing this sort of thing.

    1. Anonymous Coward
      Anonymous Coward

      Re: Hmm.

      Who knows what "admin privileges" means?

      Could be root, but that would need you device to be rooted and accept that it installs with root permissions, or it could be trying to install as a device admin (similar to security software) but that would throw up a whole new warning flag.

      Either way most people would be unlikely to fall for it, I would suggest - non-tech users would not be rooted.

      1. Anonymous Coward
        WTF?

        Re: Hmm.

        "or it could be trying to install as a device admin (similar to security software) but that would throw up a whole new warning flag."

        "Either way most people would be unlikely to fall for it."

        Your new to computing I presume?

        1. Anonymous Coward
          Anonymous Coward

          Re: Hmm.

          Their what is new to computing?

          Oh you meant "you're"...

  9. ST Silver badge
    Mushroom

    Congratulations to Google

    and its app store, for making Windows 98 seem like an impenetrable fortress of security.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019