Android malware attacks show perils of Google openness

This week's discovery of malware that hijacked tens of thousands of Android cellphones shows the pitfalls of Google's decision to make the operating system the Wikipedia of mobile platforms that offers apps written by virtually anyone. A couple years ago, the choice helped the OS gain traction against Apple's more entrenched …

COMMENTS

  1. Mike Green
    Pirate

    Virus/malware checkers

    So are there no virus checkers/malware shields available on Android? I would have thought the AVG et al would be jumping into this new market...

    1. Anonymous Coward

      RE: Virus/malware checkers

      AVG is available on Android, as I believe are a couple of others.

      I think the article was more about the lack of vetting controls of Apps before they are published rather than the issue of AV/Malware checking after they are published.

    2. annodomini2
      FAIL

      #Error: Titles lead to misrepresentation

      AVG is already on the Android Market

    3. frank ly

      Yes there are and yes they are

      I downloaded the free AVG antivirus app from the Android Market after reading a review of three different ones. Try typing 'Android antivirus' into a search engine.

  2. Anonymous Coward

    Openness

    If this is the cost of "OPENNESS" then so be it! Otherwise there is no Liberty and Justice for all.

    1. bazza Silver badge

      @AC, Openness

      Yeah right*. Try telling that to the non-technical majority who don't know what you're on about but do worry that their bank details might have been compromised and their accounts emptied.

      Openness is fine so long as there's a quick way to propagate updates. Google forgot that part completely. As Android currently stands virus writers can have a field day because it takes far too long (if it ever happens at all) for customers' handsets to get updated.

      *apologies if you were being ironic...

      1. Anonymous Coward

        RE: @AC, Openness

        Umm, there is a quick way to update Android phones, and Google have done several times since I have had mine.

        I don't think this is so much an issue of patching exploits, although that is something that needs to happen on any platform. But, with Google, it's the fact there are no controls or vetting on what a developer may publish or much in the way of controls on that App once published.

        This then allows Developers to use valid functionality of Android for dubious purposes. In much the same way for example, I could write a Windows app to plug into Outlook and send all the user's contacts back to a website - it's not using any exploit other than user trust in that application.

        With Windows now, however, there are a host of controls in place that would alert the user something is not right. So for example, Outlook would flash up that the app is trying to access my contacts and the firewall will alert me that the app is trying to make an external connection. If that app was not meant to have anything to do with that, I would be concerned and click no. And indeed such an app would be quickly marked as malware and picked up by AV programs.

        With Apple, that app would never make it to market in the first place.

        With Google, it would, and once the user has clicked 'Accept' before install, that app is free to do what it wants. Plus AV is in its infancy and rarely used.

        I, for example, am very dubious of many applications - why, for example, do so many games need access to my address book and call history? They don't, but my wife will happily click Accept to install them without even noticing this. User trust duly exploited and no further controls in the way!

        1. Basic
          Go

          Damn You

          I'm pretty stoically pro-android (to be more precise, I'm Anti-apple and a bit "meh" re: WinPhone7)

          That said, much as I'd like to disagree, those are all very valid points and I congratulate you for a sensible, balanced comment.

          Perhaps the real compromise would be: Start vetting the app store but leave the "Can install from untrusted source option". That way, if I want to go and install Dodgyware(TM), I can do so - but only after I've made an explicit decision to accept risk.

          I also feel compelled to point out that even though a vetting process improves security, it doesn't guarantee it - so I think all the app stores (Android/Apple/WP7) are giving a false sense of security to greater or lesser degrees

      2. L1feless
        Paris Hilton

        what?

        Clearly we have all forgotten that there was a similar issue with the Apple app store. This issue will exist regardless of the ecosystem in which the platforms attempt to foster. If someone wishes to be malicious they will be, it is just that simple. As with any new system it will take time for vendors and applications to gain traction and for reputation of companies and developers to build.

        I will however agree with you on the updates. Android's biggest issue here is the lag time between vendors redoing versions to fit their own customizations and the updates which are required in core. That element of the Android operating system needs to be seriously modified.

        Paris because she knows a thing or two about taking precautions to avoid infections.

        1. Ammaross Danan
          Terminator

          Agreed

          Simple way to sneak a malicious app into the Apple Store: have it wait 30 days or so before it starts behaving maliciously. Will give the "legit app" part of the app time enough to be vetted, and also obscure which installed app caused the infection.

          I agree with the Android fragmentation view. The one thing iOS has going for it is the enforced updates to the latest version (at least until the 3G and less got booted out, but that's likely due to handset capabilities and thus understandable). Honestly, since handset makers practically abandon their models after a month, there should be a "defaults to Google" function in there that allows Google to push over-the-air updates for these abandoned phones.

          /Terminator, for lack of an Android icon.

  3. StevenN

    Heavy handed or curated?

    The heavy-handed control of the App Store is not to the consumer but to the programmers. Apple puts specific limits on programming techniques used (no hidden APIs for example) on programs submitted to the App Store. They also put some odd limits on content (no SouthPark? Seriously?) but in all, the overwhelming majority of content is available to the users of the platform. Likewise, you do not get the feeling of shopping in back alley ways in seedy parts of town. Copyright infringement that is rampant within the Market Place is almost non-existent on the App Store.

    Not bad for being just 4 months older than the Market Place. 2X the Apps. 17X the revenue to developers. 3X the download rates. There are many different browsers in the App Store. Different music sources. NetFlix and Hulu both that are unworkable in Android due to their reliance on Flash.

    1. Bilgepipe
      Thumb Up

      Curated, any time

      StevenN hit the nail on the head, as demonstrated by the number of downvotes. I'll take the curated App Store over the shambolic Market any day.

      1. Kirbini
        Coat

        How does your light shine...

        ...on the road to Sham-ba-la?

        Sorry, couldn't help it. I'll be going now.

    2. Rob Dobs
      Unhappy

      No SouthPark

      Because they are Nazis that can't take any criticism.

      I wonder how many other Apple critics are banned from their marketplace?

      Futurama sure portrayed the evil of Apple and the lemming nature of their customers well....

  4. Anonymous Coward
    Flame

    idiots are the bigger problem

    People have a device that contains some of their most sensitive data and important info and then they install apps without ever checking permissions. The lack of judgement is the bigger issue. It's like the guy who complains his PC got hacked and lost his personal info and pictures after trying to download warez/porn.

    No one promised Android or iOS would be malware free, so people need to actually use their brain.

    /rant

    1. Gordon 10

      So badly wrong

      More so even than their PC people expect their phones to just work. If Android has any expectation of long term success Google need to get a handle on this malware problem quickly.

      Imagine the legitimate fear either MS or Apple or just public perception could generate if this problem becomes common place on Android.

      You should not need anything more than basic web common sense to safely use a smartphone.

      It is not the same situation as PCs by a long way.

    2. Anonymous Coward

      Most people aren't security experts

      We're not talking about someone browsing into dodgy websites and downloading stuff they know full well should be paid for.

      This is customers going to a legitimate, advertised marketplace, run by a large, respected company, finding products that look authentic in *every* respect, and purchasing/downloading from a source they perceive to be on the level. You call these people 'idiots', but how are they to know? It's run by Google. It's sitting on the shelf next to a host of genuine products. There is nothing that would provide a hint that the software is shady.

      These trojans would have run for much longer except for the fact that someone with real expertise became suspicious and was able to confirm the problem. There are very few people who can do that. It isn't fair to shift the blame onto the vast majority who do not have this expertise. This problem is endemic to the Google Market - if they continue to allow it to run like this, a lot of people will get burnt. It's a sitting duck.

      1. 2cent

        When traveling abroad.

        This situation is analogous to someone who lives in a secure country.

        They decide to travel somewhere unknown.

        They visit a place during the day that is beautiful and pleasant.

        That night they return only to find, after dark, it is not a good place to be.

        Exploration outside a secure environment will never be absolutely safe.

        As it turns out to be, even in a perceived secure environment, i.e. Windows, stuff happens.

        Google should just write the code that watches a "clean room/honeypot" phone with each program before it is accepted for each application.

        Not a fun job, but worth their time.

    3. Anonymous Coward

      @Rolandct

      How can you really blame the users on this? The mobile app market is such that when you want an app - you go to the appropriate marketplace and download the app(s) you want. Hate Apple or despise Apple, the iTunes model is the one that normal people want.

      Google are the ones completely to blame here - it is analogous to the FSA "approving" a loan firm simply on receipt of £25 and then you blaming the punters who went for an FSA approved loans company and ended up with 20000% apr from Honest Tony's MafiaLoans company. Google should either vet the apps they approve or refuse to approve apps and make it clear that they have done so.

      Remember, this is not about people downloading android apps from nakedbrittney.ru this is about people buying apps from the official phone OS manufacturer's marketplace: as seen from the article where it clearly states: "The recent discovery of some 55 malware-tainted apps available in the Android Market "

    4. DZ-Jay

      @Rolandct

      Did you miss the part about the malware masquerading as legitimate applications? The authors took some real applications that people have been purchasing or downloading, re-packaged them with the trojan, and deployed them to the market place posing as the originals.

      The users didn't necessarily lack judgement in installing apps "without ever checking permissions," they perhaps gave acceptable permissions for the app they *thought* they had downloaded.

      I agree with you that users should exercise caution when browsing the open Web, and especially when downloading files from shady sites. However, in this case, the article is implying that the users had no reasonable way of knowing.

      -dZ.

      1. Tom 13

        Most of the early malware on PCs masqueraded as legitimate applications.

        We're not talking drive by malware on smartphones yet. The day will come, and the iPhone will be just as hacked as the rest of them are when it does.

    5. Tom 38

      @Rolandct

      Actually, His Stevieness has long stated that the reason for the purpose for the walled garden is to stop this kind of problem.

    6. pan2008

      fail

      Or use the App Store or Windows Phone or Blackberry markets that actually vet developers and you can't upload any rubbish you want. When you go to the official market store and download an app you expect it not to steal your details at least. This is not like some PC virus and you can't afford to have an antivirus running on a mobile!

  5. Anonymous Coward

    It is not the openness that is to blame here...

    The openness as in Open Source is not to blame here. In this the author of this article is completely wrong and/or misinformed. Although Android has a Linux core, in essence the OS is very little like Linux. Android consists mainly of Java. Its aspiration to be as user-friendly as possible is the problem. It is more similar to Windows in that aspect. And that is what's to blame!

    On a normal Linux system the virus would need to ask the user for a password. And do that every time it would like to do something.. like change a file in the root system.

    I am not saying that Linux is free of viruses.. it is not. It has a couple of them. It is just a lot more difficult to make a virus for the Linux system. Especially a virus that can hurt. A virus might be able to change one file or so.. but after that the system would stop it. Let alone spread to someone else. Of course, if the user doesn't do anything stupid, that is to say.

    I am not sure but believe a more Linux-like system such as the MeeGo one might be a safer bet. It is also more Open Sourced than Android is.

    1. Ebeneser

      no java here

      Android apps compile to Dalvik byte code and are executed on a 'linux' system. Java is just the starting language, Android doesn't contain a Java runtime.

      If I'm reading the article correctly we're talking about root exploits - which wouldn't require passwords. Typically they require patches to fix, and provided they aren't day0 then one would imagine it should be possible to scan for attack signatures...

    2. DZ-Jay

      @AC

      Oh, chill out, man. Nobody mentioned Open Source. The article doesn't even capitalize the word "open" to give it special meaning. It is not even talking about Linux nor any issue inherent in the software. It refers to the "openness" of the shop's *ecosystem* itself: a market place where anybody can sell anything, without artificial constraints such as a centralized curating body.

      Jeez! Take that chip off your shoulder and try to follow context.

      -dZ.

      1. alwarming
        Thumb Up

        @DZ-jay

        > Jeez! Take that chip off your shoulder and try to to follow context.

        Loved it!

  6. Nuno

    Certification

    Google should start a certification program, where developers would pay a fee to see their apps reviewed and certified as "not malware".

    People would still be able to install whatever app they choose, but if it is not certified, they would know that they are on their own.

  7. Anonymous Coward

    Timely

    >“The openness of the platform..... [etc] Vanja Svajcer wrote on Sophos's Naked Security blog.

    And just a couple of weeks after they announced Sophos Mobile Control for Android.

  8. mike_anderson25
    Pint

    Life worth living?

    I'd rather peruse in Google's proverbial New York city rather than Jobs' solitary confinement complete with straight jacket.

    It's Friday, I want a beer.

    1. Gordon 10

      Yes but..

      Posters on the Reg are not representative of the general public.

      In general most would rather go to a mall than a fleamarket.

    2. podster

      That would be NYC at night

      Bad things can happen at night.

  9. wathend
    Alert

    It was only a matter of time

    I was wondering how long it would take for this to start happening.

    Sure Android is open and fun but for businesses and serious users who do banking and most other things on their phones these days the Apple App Store is the safest as far as I'm concerned.

    1. Gordon 10

      He has a point

      Lot of fanbois on the down vote.

      Truth hurts.

    2. bazza Silver badge
      Thumb Up

      @wathend

      Yes, I agree completely with you. It was indeed only a matter of time. Google's naivety has been truly staggering.

      Open source 'works' because anyone can review code, find bugs and issue fixes which people can adopt. By that mechanism problems are found, dealt with, and everything improves surprisingly quickly.

      The bit Google forgot about was the "fix adoption" part. The likelihood of the latest Android updates actually being rolled out to users' mobiles by networks is effectively nil. If they do roll out an update it's nearly always months behind the release date, during which time the virus writers have had a field day. And there will always be vulnerabilities in the latest version. People are buying phones probably with security bugs in them knowing that they will almost certainly never get fixed during the two year contract they've just signed up to (or whatever).

      Updates are a necessity that Apple, Microsoft, RIM and Nokia have recognised. Microsoft's less than perfect update the other day certainly tarnished their reputation, and they need to get the next one very right indeed. Apple have the occasional update woopsie, but then again product faults in the Apple market seem to make no difference anyway.

      The reporter wrote:

      "The episode demonstrates the ugly predicament confronting consumers of smartphone apps..."

      and then completely failed to mention BlackBerry. RIM are becoming interesting - very much a closed shop (it's all theirs), there's the BlackBerry World App Store, and a robust reputation for security. Dismissed by many as a businessman's phone with nothing exciting at all, it is often forgotten about. Yet the Torch is getting pretty good reviews, there's quite a lot of apps for it, etc. I got one only after stumbling across it whilst shopping round. It's close to being a complete Apple alternative without Apple's restrictive zeal, but without the problems of Android and Microsoft. If you can't stand Apple then it's almost the perfect phone.

      Getting back to this Android virus problem. I wonder how much trouble there's going to be for the manufacturers that have backed Android as their only option? This sort of problem could be a company killer if the world population suddenly decides they don't want Android at all. For Windows desktop MS had a monopoly (in effect) which bought them time to get serious about improving Windows' security. Google doesn't have that luxury - people can and probably will stop buying it just like that if it gets a bad reputation.

    3. M Gale

      As evidenced by the flashlight-cum-tethering app...

      Apple don't do a complete code audit of every app in their store. What's to stop a similarly spiked app with a rootkit on board making it in? Only one hardware platform to figure out how to root, too.

      Well, unless it gets banned for not having a convincingly wet sound to the farts available, or something.

    4. Anonymous Coward

      Anything you carry around

      that is likely to be used in full view of muggers as you walk down street - is it really safe to do banking etc. irrespective of software used?

      Personally I suspect one of the major problems is people install too many things they'd never use after 5 mins - like rubbish cover disks were a major issue for Dos/Windows back in 90s

    5. Anonymous Coward

      Wow

      I don't want you anywhere near my network if that's your attitude to security.

    6. stewski
      Thumb Down

      iPhone with the giant pdf jailbreak?

      Oh yes that'll be Apple's secure ecosystem that allowed iPhones in physical Apple stores to be jailbroken (root code exploit) by visiting a simple website?

      -

      As for other "secure" and "business" phones anecdotally I've only ever seen one smartphone dead by virus and that was a BlackBerry, what evidence is there that proportionally Apple and RIM aren't offering less secure ecosystems?

  10. Charlie Clark Silver badge
    FAIL

    Open testing required

    Android can probably make a virtue out of this by implementing some kind of testing infrastructure that checks applications automatically. An open process should allow best practice to be implemented quickly. We can only guess that Apple tests as much for non-Apple backdoors as they do for unsuitable content or stuff they just don't like.

  11. GatesFanbois
    Pint

    Security is the user's responsibility

    If you go around installing software from an unknown developer, with no antimalware software and a pile of personal information stored in the device you deserve your infected phone.

    Seriously if you are expecting your phone's OS to defend it against yourself then you really shouldn't have your phone.

    Anyway is it time to go to the pub yet???

  12. Anonymous Coward

    A very peculiar analysis indeed

    "...the Wikipedia of mobile platforms that offers apps written by virtually anyone".

    So you think Windows would be more secure and reliable if only a few selected providers were allowed to write apps for it?

    Hasn't it occurred to you that it's Windows itself that is radically insecure and unstable?

    (Incidentally, I have found Wikipedia to be a pretty reliable source in general, and what's more one that supplies far, far more useful information than any other readily-available single source).

    1. DZ-Jay

      @Tom Welsh

      I'm curious regarding your comments on Wikipedia. Whenever I need to consult an encyclopaedia, it is to research information for topics I'm either unfamiliar with, or not fully experienced on. How would I know if an article in Wikipedia is accurate if by definition I am not qualified to make this assessment?

      On the other hand, if I am knowledgeable on a particular topic, I could accurately determine and gauge the validity of the content; but then, why am I looking it up on Wikipedia if I'm already an authority on it?

      It's an honest question, not an attempt to troll. This goes to the root of my trepidation of using Wikipedia for anything else than trivia look-ups.

      -dZ.

      1. Shakje
        Thumb Up

        @dZ

        Quite often I feel you're just trolling or strongly disagree with you, but I generally agree with everything you've said in this thread.

        For Wikipedia you should just treat it like any other source and judge it on its relative merits. When we were kids we used to just accept everything in books, but most of us (I'd guess that this would be more true of people in professional jobs and, naturally, academia) now realise that books tell big fat lies some of the time, and quote hearsay a lot of the time. Realistically any book which suggests it is in any way factual, or Wikipedia, should be judged on the quality of its references and not on suspicion about whether the article is legitimate or not, or perceived authority. If I am actually trying to learn something on Wikipedia there are some things which really don't need to be checked up on (maths is a particularly obvious one) and some topics where it's important to check the references and make sure they're legitimate and say what the article author is saying they do.

        Of course, this doesn't matter if you're just bored and browsing information, because people don't tend to lie about the mundane stuff.

        "Whenever I need to consult an encyclopaedia, it is to research information for topics I'm either unfamiliar with, or not fully experienced on. How would I know if an article in Wikipedia is accurate if by definition I am not qualified to make this assessment?"

        The real question is, how do you know if an article in anything is accurate? Then just apply the same techniques to Wikipedia. Here's something fun, Wikipedia submitted errors in the EB, how do you assess their validity?

        http://en.wikipedia.org/wiki/Wikipedia:Errors_in_the_Encyclop%C3%A6dia_Britannica_that_have_been_corrected_in_Wikipedia

      2. stewski

        replace Wikipedia with Encyclopaedia Britannica

        Erm if you replace Wikipedia with Encyclopaedia Britannica in your comment what changes?

        1. DZ-Jay

          @stewski

          >> "Erm if you replace wikipedia with encyclopaedia Britannica in your comment what changes?"

          I know that this is the standard retort, but consider that Britannica, as a private corporation intent on making profits and surviving, has it in its best interest to hire subject matter experts with sufficient experience. In fact, historically it has been trusted to do so.

          Wikipedia on the other hand, has little barrier to entry. Yes, subject matter experts can write an article, but so can any ol' Tom, Dick and Harry off the Interwebz.

          It is ultimately a matter of public trust, of course; and I will posit that trust is rarely engendered by lowering or even removing the barriers to participation.

          -dZ.

  13. KKaria
    Coat

    What does openness mean to you?

    The discussion on whether open is good or bad is irrelevant. The problem is that the masses have lost the ability to think for themselves. If we take this as a differentiator we find that those people who would rather want the manufacturer of their mobile device to be in control are simply giving up their ability to make decisions by trusting who they consider an "expert".

    On the flip side it is not easy to know who to trust. If someone can convince the masses that they have built an application store that can be trusted (good marketing always wins the masses for reference check the status of the food industry) then that individual / organization can take control of users' free choice.

    What we are likely to see here is "safe" markets appear for Android. Which means that organizations will create processes where they vet apps and certify them as fit for purpose or "safe". I say that in quotes because you can never really be 100% safe. There are always updates, glitches and bugs to deal with. How do you think the iPhone got jail broken? All it requires is that a user trust an app they downloaded and it can replace the OS on the device!

    Bottom line is that if you try to make something fool proof you just end up making better fools. This is an old quote and people should be pretty familiar with it. I personally prefer openness. I like choice. What Android means to me is that I have a choice on which hardware I want (small screen or large? real keyboard or virtual? SD cards or no extra storage, flash or no flash, etc.....)

    I also get a choice on who I trust to write software for me.

    If I use my device for business / productivity then I would not download and install fart apps willy nilly. I have to have some sense. Therefore when the previous poster @wathend says:

    "Sure Android is open and fun but for businesses and serious users who do banking and most other things on their phones these days the Apple App Store is the safest as far as Im concerned."

    I feel that the point is being missed. If you need safety and you have sensitive data on your device then BE CAREFUL AND DON'T DO ANYTHING RISKY.

    I have a daughter and I am very careful on making sure the environment she lives in. I don't control what she does, I make sure that the things around her are safe for her to deal with. This is the mentality most users of computers have not entered where they are the children and the software/hardware manufacturers are parents. Get over it. If you are an adult then take adult decisions on what to do. Learn to understand what trust is, how to build it / give it to others.

    Disclaimer: I have an iPhone 3G but I will not be upgrading. I am also a developer and have been developing for over 10 years.

    Here is a quote:

    Any fool can make a rule, and any fool will mind it.

    Henry David Thoreau

    Source: http://www.brainyquote.com/quotes/keywords/fool.html#ixzz1FcYTWBvl

    1. Nic 3

      I don't agree

      Your lofty quotations miss the point in my opinion. We are not talking about government we are talking about a sodding mobile device. Most users don't know the first thing about software and won't know what constitutes a safe software source. Most are not that discerning not because they are fools but because their knowledge lies elsewhere.

      You may not be a structural engineer but you probably bought a house. Was that irresponsible of you or did you trust experts?

      Vetted software stores are a good idea (not perfect I know) and the walled garden approach is extremely suitable for most users.

  14. This post has been deleted by its author

    1. stewski

      What firewall?

      I'm not sure what firewall you are on about, has Ubuntu changed and started running a bundle of crazy network aware services on install and putting up an inadequate software firewall, oh wait no that's the other people's OS...

  15. Anonymous Coward

    Curated Market

    Google shouldn't go down the Apple curated route, but I'm sure they have the ability to auto-scan every app submitted for viruses and to repeat that scan every couple of days or so in case an unknown virus has crept in. Any company that submits a virus app gets all its apps pulled.

    Google can then decide whether to let the developer back in again and if it's worth hitting the kill-switch on the dodgy apps.

    The Market App itself could do with a few more settings such as blacklists for unwanted categories or companies that shovel out 100s of apps on the same theme. That would help hide a lot of the crud that you have to wade through.

    Obviously one could get apps from any source other than the official Market and if you do, you're on your own and that's fine too.

  16. Danny 5
    Happy

    so does this mean

    That now Apple is going to say they're better than Microsoft... ehr... Google! because they're not susceptible to viruses? somehow that reminds me of something......

  17. Anonymous Coward
    FAIL

    Conspiracy Theory #47

    Is it not odd that these negative stories appear at the same time as the iPad2 launch?

    Product (dis)Placement perhaps?

  18. Andy 27
    Boffin

    nothing to do with openness

    "Once installed, the apps exploited known vulnerabilities that gave the malware root access to a phone's most sensitive functions"

    The above sentence quoted from the article is the key. If an OS has known vulnerabilities and the OS manufacturer or the phone manufacturer don't provide timely automatic updates that fix these vulnerabilites then it's to be expected that they will be exploited.

    So the blame is on Google and the phone manufacturers, not the 'openness' of the OS or the marketplace.

    Security through obscurity like Apple seems to prefer is not a viable long-term solution; any security expert will confirm that.

  19. Tron Silver badge

    D'Oh.

    It never occurs to anyone to actually design out some of these issues?

    Doing what the major online shareware and freeware sites do, checking software for malware before hosting them, but not censoring according to content and specific functionality the way Apple does.

    At the same time you can design a mobile device that can indicate whether it is running only apps that have been checked for malware, or ones that have not been, offering the chance to flush the entire OS from a ROM core and rebuild if you choose to test a potentially dodgy app, re-installing the rest of your apps from an online account repository.

    So, the requirement for users is to be at least of average intelligence in their use of tech, not doing stupid things. Children, and those who don't understand what they are doing but can press a button, should be directed to Apple, where the walls are padded and everyone smiles all the time.

    And like desktop OSs, mobile OSs should be illegal to sell without built-in, free anti-virus, maintained by the originator. It is a more fundamental aspect of operation than all the gimmicks and skins.

    This industry seems to be taking a long time to pass puberty and mature. Too many kids with venture capital. Not enough grown-ups minding the store.

  20. Henry Wertz 1 Gold badge

    Virus scanners and Disneyized Jobs'ville

    @Mike Green, there are several virus scanners for Android. And actually the AVG for Android was the first I installed, and it's a real piece of crap. It flags z4root (which gives root access to the phone, but it does pop up a box saying an app wants root permissions before it can have them...), it flags wireless tether, and it flagged some other legitimate application I had. It was flagging like 1 out of every 4 or 5 apps I had on there as dicey. I'm using Lookout right now.

    @StevenN, Apple's heavy-handedness applies to programmer and customer, after all if the customer seeks some app and it's not there it has an effect on them. More and more programmers are abandoning writing for Apple products, as the restrictions get tighter. Your statement about Netflix and Hulu is also nonsense; Android devices having Flash doesn't preclude having some separate app (YouTube for instance works using Flash *and* using a YouTube app, user preference.) I like the comparison of walking around in New York versus some disneyized Jobs'ville. I find this very accurate, quite simply some people like things Disney style and some don't (I definitely do not.)

    1. Anonymous Coward
      Anonymous Coward

      @Henry Wertz

      One problem with needing anti-virus on your droid phone, as any PC owner will tell you, is that AV is notoriously resource hungry.

      The nature of the phone market will mean a number of things: phone hardware is always at a premium, your hardware will age very quickly, as better hardware comes out apps etc. expand to use the extra grunt and so on. In short, the longer you have your phone (that needs AV) the less useful it will become. Look at the problems with the iPhone 3G (not the GS, just the basic 3G) - they were still on sale only 26 months ago and yet they are next to useless now. Imagine adding a resource sucking AV app on top and trying to use one.....

      I see you are claiming that "more and more" developers are abandoning Apple. A quick look at the iTunes appstore casts doubt on that. Unless it is all the crap developers who couldn't get apps published through iTunes that are leaving in a sort of developer equivalent of "you can't sack me, I quit" of course? Anyway, you have links to back that up? All I could find was:

      http://www.appslawblog.com/developers-quit-apple-due-to-legal-contract-and-creative-frustrations/

      Which mentions basically three developers quitting (one of which calls himself rogue amoeba - which in effect means two developers and a twat quitting) or

      http://macdailynews.com/2010/01/29/facebook_app_developer_who_quit_iphone_apples_ipad_is_an_incredible_opportu/

      which is about a developer who quit developing for iPhone because of the T&Cs but then he started developing for iPad so he could make money (nice principles there) or

      http://techcrunch.com/2009/11/11/joe-hewitt-developer-of-facebooks-massively-popular-iphone-app-quits-the-project/

      which is about the guy above who quit because Apple are nasty tyrannical arseho---look, shiny iPad!!!!!!! or what about this one from last week:

      http://www.appolicious.com/tech/articles/6829-developers-already-leaving-app-store-over-subscription-rules

      which mentions two developers.

      There may be more, but it looks like the idea that [good] developers or developers of good apps are abandoning Apple in droves is simply wishful thinking mixed with schadenfreude.

  21. jj_0

    Google knows who's infected

    Google should be able to warn users who have downloaded the malware from the Market Place, they keep track of everything don't they?

  22. Arctic fox
    Grenade

    I do not understand what is special about this problem FCOL!

    If you visit dubious sites on your PC and download freebies from them you are highly likely to end up with your PC being somebody's bitch - maybe your bank account as well. What the hell is different here? The Market is in practice as open as the rest of the net and when you access via your smart phones (whose IQs are clearly higher than that of many of the owners) you are accessing it by means of a _hand-held computer_ FFS!!! Just the same as if you were using your PC. How difficult is this to understand? If you insist on downloading "My Little Porno" wallpaper or whatever and give it various permissions then your arse is going to be grass, end of. I do not understand how it is possible for anyone to be *that* stupid. Before I buy an app (like many, many other owners whose IQ is in fact larger than their shoe size and are capable of thinking _without_ experiencing extreme pain) I check out the company and the permissions the particular app requires _BEFORE_ I download and install the bloody thing. Am I some kind of genius? No, of course not. If I and many other sensible people can manage these elementary precautions what the hell is wrong with these doughnuts?

    1. Blitterbug
      Happy

      @arctic fox

      Your point is well-made - aside from the fact that only around 30% of the infected apps were pr0n-based. So I'd not be willing to blame peeps for trying, for example, the infected bowling game, chess or the various utilities. In fact I like to try these kinds of things on my old iFruit 3G, and would hate to get labelled a n00b simply 'cos I wanted a little leisure app to while away a tiresome train journey...

      1. Arctic fox
        Happy

        @Blitterbut: An entirely fair point.

        I was fulminating somewhat wasn't I! Yes, it is of course entirely possible to get caught out by a seemingly genuine app in a context where one does not have a rational reason to suspect something is wrong. Furthermore I would certainly agree with anyone saying that Google have to evaluate how they might improve security in the Market without throwing the baby out with the bathwater. It is just that one gets so tired of some people not being willing to think for two seconds when they install something and then starting to howl when it all goes horribly wrong! However, I would not wish to suggest that anyone who gets caught is a prat regardless of the circumstances - by those criteria very few of us would succeed in avoiding the title "Noob of the Year"!

    2. Jean-Luc
      Thumb Down

      @arctic fox & others - Let's not shoot the victims here

      Far as I understand the article, folks downloaded apps from "the Market" which is run by Google, so I think they would reasonably expect to have clean apps from there. Whether they're p0rn or not is actually not that relevant either.

      When I download stuff from Tucows, SourceForge, etc... I do so with a reasonable expectation that those apps are not malware.

      When they are specially sensitive apps, like password storage software, I may look up what other users think of them or google for things like "appX virus malware".

      Remember, one of the attractions for Apps Stores to users is to have one stop shopping without having to know much about the individual vendors. That's not what we are used to on the PC end of things, but there was clearly a demand. The vendors don't have to invest too much in marketing either, unless they want to. There is a limited consumer-seller relationship, instead the apps stores basically tell us: come here, we've got goodies you can trust. Not unlike SourceForge.

      Tons of people get a PC and never install anything on it, because they aren't IT savvy. Doesn't mean they are dumb idiots. But app stores have resulted in massive apps uptakes for phones. Maybe Google doesn't want users to get apps? If that's the case, they've made a pretty good start here.

      I'm sorry: "dumb users are at fault" => FAIL. This is a massive Google fail, end of story. And if you are a dev and want to sell apps, you better hope these issues get addressed so that the majority of "dumb users" can feel safe in buying your stuff rather than having propellerheads as your only customer base.

      1. Arctic fox

        @Jean-Luc: Re "Lets not shoot the victims here"

        Respectfully suggest you check out my reply @Blitterbut with the title "An entirely fair point." There you will see that I had in practice already conceded your central point. However, I do think that people should, on general principles, learn a _bit_ about their shiny. Especially if they are going to use their bank card over it!

  23. Ebeneser
    FAIL

    Hmmm

    So let's get this straight, the suggestion is because of Apple's control and Android's openness Android is a virus farm.

    What I don't understand is how Apple can prevent a similar type of thing happening - human intervention/content scanning isn't going to help - and if it's simply a case of running antivirus/scanning when the apps are uploaded to the market, I'm sure Google can manage that, or buy someone who can.

    I guess it's another case of sensationalist reporting for El Reg with little substance underneath, been a bit too much of this recently ...

  24. Tigra 07
    FAIL

    Agree with Ebeneser

    Or people could actually read the permissions screen and look at the size of the app.

    This article read more like an apple fanboi's ramblings.

  25. Ceiling Cat
    Badgers

    Am I the only one . . .

    Who wonders why a damn phone has to do anything more than make and receive phone calls?

    Even SMS seems a daft, thumb-killing "feature" from which nothing good has come.

    "R u gng 2 b @ skl 2mro? I nid ur notes."

    1. Blitterbug
      Happy

      @ceiling cat

      ...I'd agree, but I'm 2 busy TXTing teh GF... But seriously, I make a (sad?) point of TXTing using proper English and grammar. Many of my business associates and family members seem to do the same. As for the point of SMS in the first place, at 10p a pop, it's often cheaper than making a mobile-to-mobile call.

    2. Anonymous Coward
      Anonymous Coward

      @ Ceiling Cat

      A phone may only need to make and receive calls admittedly. But then you could say that all we need from food is a supply of ham salad sandwiches (it has all the required food groups).

      Most of us like the things we can get out of our smartphones - music player, GPS, scribble pad, camera, calendar, address book, games machine, video player etc. - all with only needing to carry a single device (that you would likely carry everywhere with you anyway). Some, like you, don't and that is good, but you are not in a group that is universally representative.

      Oh, and this texting thing - I like it because, unlike a phone call, a text does not inherently demand immediate attention. I can ask the gf what she wants for tea, or ask her to pick some stuff up from the shops, or remind her of something without having to worry about whether she is in a meeting or otherwise busy and I can send questions / answers to work colleagues without worrying if they are driving, in meetings, with customers or whatever.

  26. Anonymous Coward
    Jobs Halo

    Google's 'Openness'

    There is no 'openness' with Google. Only The Register Fanbois would claim this - fawning all over anything Google is sickening. Yes it's fashionable and superficial, but if you like to think of yourself as 'individual', or you despise the 'crowd', then you are greatly mistaken here.

    They are just another form of Sheep Herders. Follow on...

    1. Anonymous Coward
      Thumb Up

      well done

      Great analysis, Freud.

  27. Anonymous Coward
    Megaphone

    Nah, buyer beware

    Just need to educate users just as we have been doing on the desktop. It's no biggie. All of my friends that I've converted to Android have been told to treat the device as another computer and not just a phone. They need to apply the same rules of safe computing on their mobile computers as they do with their desktop and laptop computers. They understand it and none of my friends have been infected.

  28. Tom 7

    It's easy to write malware for Apple

    it's just that Apple want a cut.

  29. J 3
    Pirate

    offers apps written by virtually anyone

    "offers apps written by virtually anyone"

    Yup. Just like any other computer since the dawn of time. No? (OK, I can see someone coming up with some esoteric example from before I was born or the like; bound to happen at El Reg, but you get the gist of it)

    That's another reason why I like my phone dumb as it is. Its most "advanced" feature is texting. It was obvious "smart phones" would end in tears, given people's ingrained attitude towards phones (it's perceived as an appliance, not as a computer). So we now have malware on one side and tyranny on the other (which, as mentioned above, does not necessarily prevent the malware, although it probably makes it harder to appear; but who knows, it might even be there already and nobody's noticed?). When I decide to get a hand-held computer, I'll get something iPod Touch-style (preferably not Apple's machine though, nice as it is, since they don't want the money of Linux users, since we are so few and deserving of spite anyway, apparently), and keep the phone for calls and text. I've got at least two pockets, no big deal.

  30. heyrick Silver badge

    What would be useful...

    ...is if we stopped accepting crap like manufacturers putting out outdated versions, lack of support, and reliance on the chain of command.

    I am writing this on a Motorola Defy. It is running 2.1. Why? Because Google make a version, Motorola hacks it to fit their phones, then Orange hacks it further to fit their package. Thus if a vulnerability is discovered, I'll get an update when?

    These things are tiny computers running an actual operating system and real applications, so they should have a proper update/patch system.

  31. M E H
    Flame

    This title is not in use

    If I go to a supermarket to buy cornflakes I expect the supermarket to have strong enough vetting of its suppliers and supply lines to ensure that my cornflakes are just cornflakes and don't have rat droppings or powdered glass in them.

    If I buy an app from Apple's App Store I expect Apple to have done some basic vetting to protect their brand reputation. This isn't to say that I don't occasionally get apps that freeze or crash for no good reason but I had a browse through the Android Market and, from the feedback, there appears to be some real crap in there. Total Google fail. They might release software constantly in Beta but paying customers deserve more.

    If I buy cornflakes directly off the Internet then it's buyer beware and if I get Weil's disease then that's my fault. The same goes for buying smartphone software off the Internet and I don't mind the Jobsian walled garden if it means I don't have to worry about viruses.

    I do wonder what this will do for Android's reputation if the great unwashed get to hear of it. Maybe Nokia's move wasn't as dumb as it first appeared?

    1. heyrick Silver badge

      You might have answered your own question

      You say "if I buy an app". Fair enough, but what about all the free ones and the updates and revisions? Who will pay to verify there is nothing nasty in any of those? Apple/Google might be willing to offer a full vetting process. Are you willing to pay?

  32. Infernoz Bronze badge

    FUD

    Trolling nonsense this article be, you can get apps which provide a gateway App to keep a root access whitelist for Apps e.g. as I use on my Advent Vega

    1. Anonymous Coward
      Anonymous Coward

      Yes

      Of course you sound like your average mobile phone user who has been told by their local carphone warehouse, that you can get a free "iphone" device with a contract, it's just called Android instead...

  33. Adam T

    Computers + Users = Trouble

    I'm sure I'm not the only one making this point in these comments.

    Take a computer, give it to an everyday person, and sooner or later they're going to download something from the wrong place.

    The only way you can stop it from happening is to prevent the user from downloading software from anywhere they want.

    You can have curated or you can have "open". You can't have it both ways. You makes your choices and you live with em.
