Google Play Store spews malware onto 9 million 'Droids

Malware made it past Google's detection systems and infected some 9 million Android users, analyst Trend Micro has found. Google has removed 85 apps from the Google Play Store as a result. The apps, purportedly TV and video players and …

  1. Thoguht Silver badge

    Open an unknown PDF?

    Surely not, might contain malware.

    1. Anonymous Coward

      Re: Open an unknown PDF?

      Get a proper computer OS then.

      1. Anonymous Coward

        Re: Open an unknown PDF?

        Seriously??? It's 2019 and people won't open PDFs because they fear malware, and this is acceptable?

        Seriously, ditch any pdf viewer that is open to exploits like that.

        1. big_D Silver badge

          Re: Open an unknown PDF?

          The problem is, if you ditch all PDF viewers that have security problems, you can't open the file, because they all have (differing) security problems. It comes with the territory, PDF was built for a time when security wasn't an issue and executing embedded scripts and Flash wasn't a concern.

          Now PDF is just a liability.

          1. Lomax

            Re: Open an unknown PDF?

            > they all have (differing) security problems

            Evince seems pretty bulletproof: https://security-tracker.debian.org/tracker/source-package/evince

  2. Anonymous Coward

    Do phones still have an IR port?

    Or users are more gullible than I think?

    And where are all those 5 star votes from?

    Anyway, it does state "Big Fishes"....

    1. malle-herbert Silver badge
      Facepalm

      Re: Or users are more gullible than I think?

      Probably downloaded by the same people who think they can charge their phone by putting it in the microwave for a few minutes...

      1. Anonymous Coward

        Re: Charge phone with a microwave?

        That's just plain silly. However, my induction stove top works a treat. :)

    2. MiguelC Silver badge

      Re: Do phones still have an IR port?

      According to GSMArena's list, 221 currently available phones have IR transmitters (my own Honor included).

    3. MiguelC Silver badge

      Re: Do phones still have an IR port?

      About those 5 star ratings, they're probably from the same types that give 1 star commenting that they've just installed the app and are going to check it....

      1. ReverandDave

        Re: Do phones still have an IR port?

        Same schmucks that ruin the amazon reviews "Never Received it" 5 stars.

        1. Anonymous Coward

          Re: Do phones still have an IR port?

          The last time I wanted to give a negative review on ebay (arrived damaged due to inadequate packaging) I was told that I was not allowed to give anything other than 5 stars (or whatever it is) because the seller was a “premium seller”.

          I’ve given up either reading or writing online reviews entirely.

        2. error 13

          Re: Do phones still have an IR port?

          Or answer questions with "don't know"

        3. JimboSmith Silver badge

          Re: Do phones still have an IR port?

          Can't find it now but a product on Amazon had at least a couple of reviews saying:

          "Despite my best efforts it failed to work at all and I returned it for a full refund" (Five Stars)

          "Never worked so I sent it back that day" (Five Stars)

          1. Peter Gathercole Silver badge

            Re: Do phones still have an IR port?

            It's a flaw in the review systems. They should all have separate ratings for not only the quality of the item purchased but also the customer service. This would allow someone to grade it as "1" for the item, but give a "5" for the way the seller responded to the problem.

            1. Cuddles Silver badge

              Re: Do phones still have an IR port?

              "It's a flaw in the review systems. They should all have separate ratings for not only the quality of the item purchased but also the customer service. This would allow someone to grade it as "1" for the item, but give a "5" for the way the seller responded to the problem."

              That's exactly what Amazon do have. Ratings and reviews for goods and vendors are completely separate. The problem is that far too many idiots are apparently unable to understand the difference between the two and insist on putting the wrong reviews in the wrong places. Presumably these are the same people who have the bizarre habit of responding to random questions people have asked about products with the very helpful "I don't know".

              1. TechnicalBen Silver badge
                Trollface

                Re: Do phones still have an IR port?

                I don't know.

        4. Ian Emery Silver badge

          Re: Do phones still have an IR port?

          I ignore Amazon 5 star, read the 1 star for the lols, then concentrate on the 2-4 stars, where the real reviews are.

          Fav 1 star was a woman who thought the mSD slot was a SIM slot and she was getting an ultra cheap Phablet (Galaxy Tab) for her hols.

          1. DropBear Silver badge

            Re: Do phones still have an IR port?

            Except more often than not the mSD and SIM _ARE_ the same slot these days. You get dual SIM _OR_ a SIM and a mSD from the same two sockets. No comment on the device mixup...

    4. Anonymous Coward

      Re: Do phones still have an IR port?

      For markets like China it's very normal, and thus for exported versions. It is only Western markets where this isn't seen as pretty normal.

      Our household fleet of various different Xiaomi devices all have IR "blasters". But the sensible way to set them up is not to download dodgy crapps, just to use the maker's suggestion of running through trial and error of known and preloaded control protocols for the maker of the device you want to control.

      1. ibmalone Silver badge

        Re: Do phones still have an IR port?

        > Our household fleet of various different Xiaomi devices all have IR "blasters". But the sensible way to set them up is not to download dodgy crapps, just to use the maker's suggestion of running through trial and error of known and preloaded control protocols for the maker of the device you want to control.

        If only. My last phone (Samsung) had an IR controller, which was very convenient, it came with a bundled, but non-samsung app to use it. Eventually this grew more and more cruft (EPGs and things, needing to select location just to use it) and added adverts. I did investigate other options, but the ones that looked fairly legitimate either didn't work or were worse in terms of adverts.

        Edit: oh and there was another class of controller apps, which were for something else (possibly smart tvs? it was a couple of years ago), telling which was which from the descriptions took a little work usually.

    5. Anonymous Coward

      Re: Do phones still have an IR port?

      There's still a lot of people out there confused by the rapid progress of technology. You only have to deal with a few tech questions from your relatives to get a quick survey of what the average person knows about the inner workings of tech. It's frightening how blase some people are, it's not funny at all, it's damned scary that tech can ruin lives and people show it no respect.

      We live, eat and breathe tech on a daily basis, we're barely able to keep up with it but we try to keep an eye on the important stuff. Now imagine the average person who has a ton of other responsibilities like home and family to keep an eye on. They deserve tech that's simple and safe and our duty, if you like, as techies to help the average person keep up with the pace, we shouldn't stand there mocking them when tech isn't their thing. When I need some building work doing, I expect someone to come in and give me an honest opinion about the work I want and hopefully an honest price, I do my best to understand and try to find a good builder but I'm trained in brick laying, plastering, etc, so I have to trust word of mouth from friends about a good builder and hope he won't rip me off and it will fall down next month.

      1. Anonymous Coward

        Re: Do phones still have an IR port?

        I completely agree with you. When I need something done, and don't know how to do it, I seek out a professional and hire them for the job. What you sometimes run into when giving tech advice is the "my buddy" problem; friend, acquaintance, co-worker "knows a lot about" tech (when the best they've ever done is plug in their PS4) and the person you're trying to help follows their advice instead of yours.

        Real life case :

        At the time I had 20+ years of high-end IT experience. Youngest brother comes to me; "I want to buy a computer, what should I get?" I ask a few questions and make a recommendation. A couple of weeks later he calls back and tells me he bought his computer. Great, what model did you get? X, Y, or Z? He had a friend tell him the computer I recommended was too expensive and that he should buy this cheap, crap, $300 PC clone he saw at Bill 'n Ted's PC Shoppe, Body and Fender Repair. He then proceeds to tell me how great, fast, etc it is.

        Fast forward several months. He's installed a bunch of junk on it and the thing is having issues. It's also out of warranty. He comes to me for help. I hand him a copy of "PC Repair For Dummies" and tell him he should have listened to me in the first place. It was difficult, but, he learned.

        Sometimes this kind of thing needs to be painful. Drives home the lesson.

        1. Patrician
          Happy

          Re: Do phones still have an IR port?

          "Sometimes this kind of thing needs to be painful. Drives home the lesson"

          I call it "stupidity tax"

    6. big_D Silver badge

      Re: Do phones still have an IR port?

      3 of my last 4 phones had IR.

      Both of my current Huawei phones come with IR transmitters and built in remote software.

    7. CrazyOldCatMan Silver badge

      Re: Do phones still have an IR port?

      Some do - my current (Honor 10) has an IR emitter to control TVs and set-top boxes..

    8. Anonymous Coward

      Re: Do phones still have an IR port?

      Huawei Mate 20 Pro does and it works quite fine but any phone with an IR will probably have its own app for using it.

  3. Howard Hanek Bronze badge
    Happy

    Right. Sure. Whatever.

    ....I make $1500 a week from my home using Google.......My phone tells me that all the time.

    1. Ragarath

      Re: Right. Sure. Whatever.

      Did you download an app for that?

    2. Phil O'Sophical Silver badge
      Happy

      Re: Right. Sure. Whatever.

      I make $1500 a week from my home using Google

      but who for...?

      1. elDog Silver badge

        Re: Right. Sure. Whatever.

        Word police here. "but who for...?"

        Do you remember Hemingway's novel "For Who the Bell Tolls?"

        1. Anonymous Coward

          Re: Right. Sure. Whatever.

          Wouldn't that be "the Bell Tolls for Who?"

          Presume you watched the recent series of "Doctor Whom".

  4. Anonymous Coward

    wait a sec

    So the app gives fake ad views. That should eventually:

    A) pollute the dataset that the ad networks use to build up profiles of users

    B) negatively impact the business model of the ad networks.

    If there's no negative impact on the user (phone stability, mobile data use, premium SMS charges), is this really a negative for the end user? I may need to install the apps and give them a 5-star rating!

    1. jaduncan

      Re: wait a sec

      Yeah, the ongoing risk that they'll find an 0-day to root your phone with. You know that the app makers are scum already, there's absolutely no chance they are above malicious code.

    2. Anonymous Coward

      Re: wait a sec

      Yes, you're right.

      It would be a good idea if someone could come up with an application that would heavily pollute the data the Internet behemoths are slurping. Like for example continuously giving random location data proving you're in two different places at the same time, repeating every two minutes "Hey Alexa/Google/Siri" followed by talk from some TV or radio station (preferably in foreign languages).

      There must be an innovative way we can fight back.

      1. Charles 9 Silver badge

        Re: wait a sec

        And if they fight back the fighting back with better fake detection? What next? A fake vouch that can pass the Turing Test?

  5. Tom 35 Silver badge

    Is it malware, or crapware

    Didn't work as advertised, showed lots of ads. Where is the mal?

    1. Anonymous Coward

      Re: Is it malware, or crapware

      Oh, that's right, there is NO SUCH THING as malware on Android, just PUPs.

      How's things at the Chocolate Factory BTW?

    2. Anonymous Coward

      Re: Is it malware, or crapware

      "Didn't work as advertised, showed lots of ads. Where is the mal?"

      By your (flawed) logic, these 8 indictments should be overturned:

      https://thehackernews.com/2018/11/3ve-ad-fraud-google.html

      Perhaps if those 8 individuals would have just created some bogus apps on the Google Play Store they would still be in business?

      After all, the fake browser update that used PowerShell to create a fileless rootkit to serve up hidden ads that caused my sibling's Dell XPS to grind to a halt fits your description to a tee:

      "Didn't work as advertised, showed lots of ads."

    3. Shadow Systems Silver badge

      Re: Is it malware, or crapware

      "Didn't work as advertised, showed lots of ads."

      You've just described Windows 10! =-D

    4. Anonymous Coward
      FAIL

      Re: Is it malware, or crapware

      The idiot writer clearly doesn't know the difference and just carries on embarrassing himself in public.

      I find it hilarious how this guy still has a job writing tech shite like this.

      The only person that has a script created to filter out his rancid spew. (Since 2011)

      https://slated.org/bullshit_blocker

  6. Anonymous Coward

    "Trend Micro has found"

    Weren't Trend Micro's apps pulled from the Apple Store recently?

    https://www.theregister.co.uk/2018/09/10/trend_micro_apple_macos/

    Users should also be aware that many apps contain trackers and analytics from Facebook.

    https://reports.exodus-privacy.eu.org/en/reports/51994/

    1. Anonymous Coward

      Re: "Trend Micro has found"

      Any app that starts with "Login via Facebook", is a good sign you are about to be used.

      1. Number6

        Re: "Trend Micro has found"

        ...is a good sign that the app is about to be uninstalled pronto.

  7. Version 1.0 Silver badge
    Unhappy

    Ads = $$$ somewhere?

    It seems like the Internet is stuffed to the gills with fake advertisement views - corporations are paying for them, Google is taking a cut as the money flows past and the app thieves are making a steady income... no reason for Google to be too worried then is there?

  8. Ian Joyner

    Good article

    I'll give Register some credit for once. An article that just states the facts, no editorial.

    Now if it were an Apple story you could guarantee much editorial on how Apple is evil and anyone who buys Apple an idiot, followed by much trolling and vitriol (vitroll, I just made that word up!) in comments.

    1. Anonymous Coward

      Re: Good article

      Facts? Are you for real??

  9. Anonymous Coward

    Awww bless

    Someone doesn't know the difference between malware and adware...

    Cretin

    1. sinsi

      Re: Awww bless

      According to Malwarebytes

      Adware is a form of malware

      1. Anonymous Coward

        Re: Awww bless

        Then they are just as bad. What is malicious about showing unwanted ads? It's annoying, but it's not malicious. Anyone saying otherwise is a clickbaiter and can't be trusted.

        malicious

        /məˈlɪʃəs/

        adjective: malicious

        characterized by malice; intending or intended to do harm.

        "he was found guilty of malicious damage"

        synonyms: spiteful, malevolent, hostile, bitter, venomous, poisonous, evil-intentioned, ill-natured, evil, baleful, vindictive, vengeful, vitriolic, rancorous, malign, malignant, pernicious, mean, nasty, harmful, hurtful, mischievous, destructive, wounding, cruel, unkind, defamatory

        informal: bitchy, catty

        literary: malefic, maleficent

        "he bore their malicious insults with dignity"

        antonyms: benevolent

        1. cbars

          Re: Awww bless

          I'm not usually convinced by a dictionary quote, so I will bite.

          Ads can be an attack surface and therefore they make you vulnerable. Generally as a society we agree that forcing people into vulnerable situations is not ok, and you could argue that the act of forcefully increasing vulnerability is actually harm in itself.

          Another argument might be that the app authors intended to serve ads, which take up system resources - thereby depriving the phone user of something. Being deprived of something is harmful, which is why we require consent for things to be taken, and call it theft otherwise.

        2. John Brown (no body) Silver badge

          Re: Awww bless

          "What is malicious about showing unwanted ads?"

          It's using up your data allowance by doing phantom clicks on ads and in some cases, carry on doing so in the background even when you think you've closed the app, which is using up your CPU cycles and probably slowing down your phone.

          1. Mephistro Silver badge

            Re: Awww bless

            And don't forget "killing the battery".

    2. Anonymous Coward

      Re: Awww bless

      Yawn, next you'll be saying on every article. "They aren't hackers they are crackers - hackers are 1960s beardy types who manipulate software to find out how it works".

      Well terms get genericised and changed over time. An app that promises to do xyz but in reality does nothing of the sort, just loads up click-frauds through as many ads as possible and then keels over is clearly only intended to deceive. Therefore a generic term of malware could apply.

  10. Anonymous Coward

    Interesting

    At least one of the apps mentioned (TV Remote) uses Google's own AdMob and Facebook for serving up the ads.

    The app pulls a plain text file from an unencrypted HTTP content delivery network that contains the relevant IDs for AdMob and FB.

    And as always, Facebook's Graph API includes "Places" for: speed, heading, altitude, latitude, longitude, signal strength, MAC address, WIFI ssid and Bluetooth.

    But the app itself doesn't do anything remotely as advertised.

    (See what I did there?)

  11. Mike 137

    Consistently?

    "The apps, [..] would consistently show full-screen ads until they crashed"

    Does the author mean "always in the same way" (consistently) or continuously?

    They're not the same thing.

  12. AbortRetryFail
    Joke

    Obligatory xkcd

    https://xkcd.com/937/

  13. Anonymous Coward

    Google still poops on you

    They still serve more malware than anyone else

    They NEVER send you an Email informing you they removed a Malicious app you downloaded (must have valid email to download)

    No company in the world gets away with that like google. It's like they are part of the government and can do anything they want.

    If one AV company did that even for a day, they would be out of business. But google, ohh they can't be bothered by people's concerns, there's too much data to harvest and money to be made.

  14. sisk Silver badge

    High proportion of negative reviews

    Um....that thing has an overall 4 star rating. What criteria are you using to define "high proportion of negative reviews"? I mean, yeah, it's got a lot of 1-star reviews, but not enough to drag the rating down significantly. Granted that's because of 100k almost-certainly-bot-generated 5-star reviews, but still most people are just going to look at the overall rating, not the individual reviews.

  15. Kevin McMurtrie Silver badge

    Google ratings

    I've never understood Google's app ratings. There can be page after page of 1-star reviews, the app literally doesn't launch, and it will show 3.5 stars.

    1. Barry Rueger Silver badge

      Re: Google ratings

      I'll second that. I truly dread trying to find an (non-corporate branded) app for any use. The ratings are utterly useless, so I'm left to play download, install, try, remove, repeat.

      I would pay for an app store that had all products tested and certified useful.

    2. Anonymous Coward

      Re: Google ratings

      the page after page of 1* reviews are pushed down by page after page of click-farmed 5* ratings... most anonymous, a few with similar comments in fractured English and all with similar timestamps

    3. sisk Silver badge

      Re: Google ratings

      The process is quite simple to understand. They take an average of all reviews and assign that as the rating. The problem with that approach is that 5-star reviews by the thousand are available for purchase from unscrupulous sorts with access to botnets and distort the ratings significantly.

  16. Anonymous Coward

    Annnd it looks like TCL/Alcatel has (finally) been called out for the same

    Disgruntled Alcatel owners have been sounding the alarm about Alcatel's shady built-in applications for a long time but our complaints have fallen on deaf ears.

    It's about time Alcatel's dodgy apps are finally getting some attention from the media other than just angry users on Android message boards looking for ways to delete/disable this data sucking bloatware.

    https://www.upstreamsystems.com/secure-d-uncovers-pre-installed-malware-alcatel-android-smartphones-manufactured-tcl/

  17. Patrician

    The Google Play Store didn't actually "spew" malware to phones/tablets; users downloaded and installed it themselves. It wasn't something forced on users was it?

    1. Jimmy2Cows

      Clickbait. This is el Reg after all. Clickbait which worked exactly as intended, since you're here commenting on it.
