no additional clicks
It's in both the security companies' and news sites' best interests to pick up on these non-stories. "no additional clicks" - right, maybe to download it. There are always multiple clicks and warnings to be able to install it.
A banking trojan targeting Android users is spreading through malicious ads as part of an ongoing campaign. The scenario by which the malware spreads is all too familiar to long-suffering Windows fans, but may well come as an unpleasant shock to smartphone users. Worse yet, Android users can get infected by the Svpeng Trojan …
There have been silent install bugs, some in the recent past. Even if they are fixed in the latest version of Android, how many phones are out there which don't have it and never will? There doesn't seem to be any information that says whether this malware uses a silent install, but if it doesn't that doesn't mean someone else won't. Combine a few pieces together from different malware and get your "ads" widely distributed and you could root 50 million phones in a weekend! The best thing about this for malware authors is that it is like the Windows XP days all over again, when you could expect that the holes will remain open in a majority of phones for a long time.
So you see, put this (or another Towelroot-like exploit, a KNOWN silent install) together with Quadrooter (many phones out there use Qualcomm SoC) and you've got a very dangerous situation here, especially since the bulk of the vulnerable devices out there are EoL and made by companies out of the reach of any law enforcement who cares.
The screenshot provided makes it obvious that this is not a silent install, but one that requires user interaction to actually run on the phone - if it's allowed at all. It's also doubtful that it has been really distributed through AdSense as a drive-by download, without actually requiring a click on an AdSense ad.
If it was a silent install, then the story should mention which exploit it uses to get around the standard settings of only installing from approved sources (Google Play Store) or signed files.
If it is getting around the standard security, then the article should state this, as this would be a real problem. If it requires the user to turn off the safety features to install the .apk (which they would normally have to do), then it is a bit of a non-story, but the article should warn that users who have deliberately disabled the standard policy to install an app from an unknown source should turn the setting back on afterwards...
The AdSense Network.... and some people wonder why there's adblockers, exclusion lists in HOSTS lists, and No-Script programs... at least in the Windows world.
I don't know if the smartphones "permit" these (HOSTS I think is pretty much Windows turf) but... still, the more tools to block, the better, IMO.
You realize that ads can only infect your computer the same way any web page can, and that if you block ads, malware can still get onto your computer for ex. through the very same page that you blocked the ads on, don't you? You probably also realize that ad servers are generally far more secure than Average Joe's webpage, and that because of this, your chances of getting infected by ads are minuscule compared to getting infected by the web page the ads are run on (or any other web page for that matter), don't you?
Your ad blocker protects you from no malware. But it definitely harms small publishers and kills the free and independent internet.
Yeah. No need for ad/script blocking at all. Nope.
Won't someone think of the poor poor small publishers who are too fucking lazy to vet the ad companies that get linked through their site? Without the ability to remotely infect your computers and destroy your data they can't make ends meet. <sob> <sob>
On another note...
...I thought ad-sense WAS android spyware.
Too late to edit the last post...
Here's a guy whose sites I would have no issues visiting. I quote from one of our own here without permission or indeed concern.
>>"If the website operators (and the advertisers) are so concerned about ads being blocked, why don't they just buffer up the ads at the website server and deliver them as part of the main page?"
Started doing that at least 10 years ago - Ads are small and I limit the number of them to keep them non-invasive. They are from direct advertisers who contact me about advertising on my sites. First I check out the company. If I accept it, they produce a graphic and email it to me, I check it and minimize it. Pages don't call scripts - I keep the graphics on the server.<<
Ad networks SHOULD be great.
The problem is they are way too greedy, both the advertisers and the networks.
Only properly identified individuals should be able to send anything else than a static image, and the networks should be legally responsible (in practice, not just theory) for sending malware.
"Your ad blocker protects you from no malware"
Sorry, but you're patently wrong. When the ad is the malware, blocking it protects you from it, period. The fact that there are other means of infecting you "from the same page" does not mean that ad blockers are useless, it means that you need other means of protection. Such as NoScript. Oh, and a functional brain that doesn't let you click on all those attachments promising lewd pics from a link in zip file.
You realize that ads can only infect your computer the same way any web page can, and that if you block ads, malware can still get onto your computer for ex. through the very same page that you blocked the ads on, don't you?
Has anyone ever explained to you how http actually works? Look it up, it may help. If you use an ad blocker, you block the specific queries that download from advertising networks, which means, you do not download malvertising either. Simple.
Personally, I think that advertisers should really start to consider if they want active ads. I'm OK with static ones (well, OK, even that was once enough to breach a Windows box but I suspect they may have fixed that by now), but all this active content means you're downloading the equivalent of an executable but without the vetting you yourself normally do, and as you get a different one served it's like rolling the dice every time you visit that site. It's self evident that the ad networks do not do any checking *at all* on either customers or ads, and personally I think it's time the ad networks are made liable for this - you break it, you fix it or pay for it.
OK we get it, you work for, or profit from advertising agencies.
But here is the fact. If you idiots had simply kept to static ads, this sort of crap would never have happened. But oh no, you idiots decide that we wanted full screen, bandwidth hogging, video playing crap shoved down our throats.
You have this insane idea that pissing people off is the best way to reach market....look they ARE clicking ads, but are too stupid to realise that most times it's accidental, people desperately trying to get rid of the shit being forced upon us.
Don't you muppets realise the most clicked ads are the most simple (Google & Bing search results), not some 50mb video with some shite music blaring out, all because I had the nerve to scroll down the page.
"Don't you muppets realise the most clicked ads are the most simple (Google & Bing search results), not some 50mb video with some shite music blaring out, all because I had the nerve to scroll down the page."
They do. They also know they don't get clicked as people get numbed to them. It's been that way for over 100 years, as E. E. Smith even wrote about it in First Lensman, which dates back to WW2. It's hard to get through to a jaded mind, but it's their job.
Though need root access to edit, which makes it a problem for most users (reasons include rooting phone usually voids warranties, it can brick your phone / many users scared off doing it as not the simplest process, lots of software will try & detect rooted phone and if it finds rooted will not run on it, if your phone is a company phone then typically no chance of being allowed to root it etc.)
So on (non root) android only casual user option is installing different browser (I use Firefox on android) & various defensive addins e.g. script / ad blockers, as default chrome on android lacking good defensive addins compared to rival browsers
Well, that's the problem with Android, isn't it. No hosts file, at least not in the sense of something that you, the owner of the device, are able to control. It's seriously bad design. (Deliberately so, one presumes.)
(Disclosure: no axe to grind here, I understand that Apple kit is as bad or worse in this regard.)
I've always said that Google was following Microsoft's earlier playbook to the letter, but to even enable drive-by vulnerabilities in the code is in my opinion going a bit far :).
Well done Google, for producing a *nix version that is sensitive to drive-by infections. It demonstrates just how close they have the interest of their users at heart...
Pretty sure by now android and *nix have about as much in common as MacOS and OS/2.
Not quite. Both OS/2 and OSX are actually quite safe and require far less effort to remain that way (OS/2 mainly because nobody bothers writing malware, but it was quite good to start with).
Just because that web site owner has delegated some content to be delivered by a third party on their behalf does not mean it's not their fault.
Take some ownership of your ENTIRE web content delivered from your web site. Maybe a few cases of successfully suing the owners of the website for this 'third-party malvertising' content they are allowing to be pushed onto their customers would make them think twice.
Or more likely not. Most web sites are free to visit, but they require money to run (content has to be built, web servers need to be paid for, connectivity is not free...) so they prop up their revenue with adverts. I see why it's done, but since they make no effort to vet the content, I have no problem blocking the entire lot with a blunt 'No Advert' web browser add-on.
I see where you're coming from, but that will only work if the site owner then goes after the advertising company. The site owner generally only chooses a provider, as far as ads are concerned they are mainly really a carrier with little control over ad content.
The blame lies IMHO squarely by the ad channel such as Google and others - they should vet the stuff they're about to spew to gazillions of sites. I don't buy it that they cannot screen the ads with active content. I think it's more a matter of not WANTING to because that (a) clearly establishes their liability (that they already ought to have but are skirting right now) and (b) most important of all, that would reduce their profits - can't have that, better make money from the criminals too..
The latter I'd call the Western Union approach to managing crime..
Web sites that have ads are not free to visit, just you do not see the cost as it has already been paid for by others. Advertising costs money; how is this cost recovered? By adding to the cost of the goods you buy.
The way I look at it visiting sites funded by advertising is getting others to pay for your web browsing.
Personally I would rather have an internet with no advertising and if some sites go to the wall so be it.
"Personally I would rather have an internet with no advertising and if some sites go to the wall so be it."
Even if one of those sites was your one and only favorite hobby site? And before you say another will pop up, why hasn't that happened for Kickass yet?
Until enough web owners are made bankrupt for allowing 3rd parties access to their customers, this will never stop. The ad companies might not like it, but we are long past the point where ads can be delivered without being vetted by somebody whose job is on the line.
* Can no one sue Google over this??? Even M$ was forced to pay out recently... But of course Google owns much more political real-estate now in both the UK & US....
* Always interesting how no one in the mainstream media ever seems to get hit! But that's ok, they've got our backs, right? Always glorying the latest app with zero discussion of the possible downsides...
* Amazed more families haven't simply unplugged. The recent US NTIA census analysis confirms they have too, so WTF??? So many Sheeple are now firmly net addicts it's probably too late... What a world!