Android Trojan leaves 100,000 users out of pocket

Security researchers are warning of yet another Android malware outbreak which has spread to nine app stores and infected 100,000 with code designed to covertly purchase apps and content from China Mobile’s Mobile Market. Mobile security firm TrustGo explained that the MMarketPay.A Trojan could be hidden in a number of …

COMMENTS

This topic is closed for new posts.
  1. Spearchucker Jones
    FAIL

    Face palm

    The numbers are scary. No doubt.

    The fact that they're published in such a pretty infographic form by a security company with an anti virus app for sale is, well, funny. AV on Android is mostly useless because these apps are themselves subject to sandboxing, meaning they can't scan other app folders or system folders.

    http://www.extremetech.com/computing/104827-android-antivirus-apps-are-useless-heres-what-to-do-instead/2

    Also, there are intrinsic platform design problems in Android, like allowing any app to copy photos without the user's permission. It's great that Google intended to emulate a PC experience, but what AV software is going to determine whether doing this is legit or not?!?

    http://bits.blogs.nytimes.com/2012/03/01/android-photos/

    1. LarsG
      Trollface

      Ouch, this is becoming an increasingly painful problem for Google and Android.

      Could this be the beginning of a proper quality control in Google Play?

      Naaaaaah.

  2. PaulR79

    How many app markets?!

    "The malware has already been placed in nine different third party Android app markets in China"

    I know that the Play Store (hate that name....) used to have country restrictions where it wasn't available but do you really need nine in 1 country?!

    With regards to the article are there any mentions of what this trojan is advertising that gets so many foo... erm.. users to download it? Free apps that cost on markets elsewhere? Porn? Those are the usual sucker-type apps. It's unfortunate but if you expect to get paid stuff for free without a catch then that's your problem.

    1. LarsG

      Re: How many app markets?!

      Yes but the market is huge, there are lots of people in China!

    2. Ironfrost
      Holmes

      Re: How many app markets?!

      "Free apps that cost on markets elsewhere? Porn?"

      No, popular free apps like Sina Weather (Sina is probably the biggest internet company in China with all sorts of different services) and 3rd-party Weibo (like Twitter) clients. The victims might be dumb for not wondering why a weather forecast app needs access to their SMS inbox, but this isn't a case of greedy people getting their just desserts.

      1. PaulR79

        @Ironfrost

        Fair enough, I hadn't read anything beyond this article at the time. As you mention the permissions thing that is something that I think Android could do with clearing up. They already implemented an idea I had long ago about allowing automatic updates but making it manual if app permissions change, perhaps they'll take up a new idea of encouraging app makers to specify why their app needs certain permissions. I know I'd like to see why some permissions are requested even if it's short information like a camera app needing internet permission saying "Internet permission to share online" or something similar.

  3. xyz Silver badge
    Devil

    ActiveX 2.0

    ...was my first thought when I started using Android. Nuff said

  4. Anonymous Coward
    Anonymous Coward

    YAY more Android FUD stories

    The key point of course, is all these phones had the Android security disabled, and they were accessing non-Google stores..

    SO really, is it THAT surprising....

    Why not, for once expose the massive jailbroken iPhone malware problem... Or does that go unreported because it doesn't fit with the hidden agenda?

    1. Anonymous Coward
      Anonymous Coward

      Re: YAY more Android FUD stories

      Perhaps your own words, "jailbroken iPhone" could explain it. Anywhere, what evidence have you got? Does anyone even know how many iPhones (or Android) are "jail-broken"? I suspect the number is rather low. Bit like someone complaining that burglars just walked into his house and stripped it bare, when he left the front and back doors unlocked for freedom of movement and convenience.

      Apple (I do not know about Google or its distributors) clearly discourage and take no responsibility for "jail-broken" kit and their updates, usually including security software, tend to undo the jail-break. You can hardly expect any product to behave as intended by the supplier once you modify it on your own. Silly boy.

      1. the-it-slayer
        Happy

        Re: YAY more Android FUD stories

        If you jailbreak an iPhone, you leave yourself at greater risk in getting punched in the nads for it. I'm pretty much ditto'ing what the anon just said, but this is why Android's framework is always a risk in the mobile market.

        For a system where you expect ultimate privacy (phone, SMS etc), Android is a bad apple. I don't think it'll be too long before some sort of malware can breach an unknown vulnerability within the Android OS and be able to log your calls, track messages and maybe even record phone calls to be sent back to C&Cs hackers will get to know you and then get you where it hurts (bank accounts etc).

        Okay, I might be scaremongering here; but I don't mind the walled garden Apple has setup because at least I know there's continuous proactive scanning of apps coming through the App Store. Fair enough, there's been a case recently, but for someone to breach the iOS framework (without being jailbroken) to get the same result will be a massive feat and extreme marvel at reverse engineering the thing.

        Fandroids... your ticking clock has already started.

        1. g e

          Re: YAY more Android FUD stories

          Having said that there was a report of another Android trojan over the weekend, not good.

          Also found in IOS App Store...

          Fanbois your clock's been ticking and no-one even heard it... Glad I stick with the 'only install it if you really need it' approach I use with all computer gear.

          Having said that I don't know why Google don't allow users to individually grant/revoke privileges to apps regardless of whether it knackers the app functionality or not. For instance revoke GPS access to the Facebook app, it's always turning the GPS icon on. I could turn GPS off globally but it's handy for satnav...

          1. nemo20000
            Devil

            Re: YAY more Android FUD stories

            @g e “I don't know why Google don't allow users to individually grant/revoke privileges to apps regardless of whether it knackers the app functionality or not.”

            I fully agree, and this was first requested as an “Android Issue” back in 2009: http://code.google.com/p/android/issues/detail?id=3778

            Google’s response then, and every time it crops up again, is “Works as intended”. There’s a lot of people insisting they want the functionality, and a lot of fud in response such as “would increase complexity of writing apps” (which is nonsense).

            The way such functionality would behave is that any “revoked” permission would appear (to the app) to work, but fruitlessly – http would return 404; accessing contacts would find none; sending an SMS would send it to the bit bucket; GPS would return some default location; etc.

            The reason Google won’t implement it is simple and obvious: If you could revoke internet access for an app, how could it serve Google Ads to you the whole time?

            I believe there was some possibility of a Cyanogenmod patch to revoke individual permissions, but I don’t think it faked results as above.

          2. Giles Jones Gold badge

            Re: YAY more Android FUD stories

            So Android is better than iOS because a trojan was found in both app stores? that's a very convincing argument.

            The whole point about a trojan is it is dressed up to look legitimate. App stores can only do so much testing.

            A trojan could actually look what the date is and only perform its hidden code after a few weeks, this would get around any normal checks.

            It could be possible for applications to be audited using tools, it may even happen. But even then it would be hard. Virus checkers don't do a very good job at that as they don't really know what the correct behaviour of an application is, never mind what the bad behaviour could be..

            1. Colin Millar
              IT Angle

              @ Giles Jones

              So - your version of debugging and security checking presumably consists of clicking on the icon and reporting what you see on the screen?

              Your example of looking up the date and waiting is probably the worst example you could have given - anyone with a clue would flag any apparently pointless activity as highly suspicious.

              "Hey - it didn't blow up my phone so it must be OK to tick the box that says grant permissions to everything."

        2. Anonymous Coward
          Anonymous Coward

          Re: YAY more Android FUD stories

          Android Bouncer

          http://googlemobile.blogspot.co.uk/2012/02/android-and-security.html

        3. Anonymous Coward
          Anonymous Coward

          Useful definitions

          NOUN set-up

          VERB to set up

    2. Anonymous Coward
      Anonymous Coward

      Re: YAY more Android FUD stories

      Jailbreaking is a lot different to switching off options in the interface of your phone. Jailbreaking is not condoned and Apple do all they can to stop it.

    3. Anonymous Coward
      Anonymous Coward

      Re: YAY more Android FUD stories

      Quote: "Why not, for once expose the massive jailbroken iPhone malware problem... Or does that go unreported because it doesn't fit with the hidden agenda?"

      Rose tinted glasses don't really help. There's a fundamental difference between "forbidden" (rightly or wrongly) jailbreaking or using the phone's standard functionality. In effect Apple have set the bar to potential disaster higher.

      I believe VERY strongly that Android needs to mandate an app store, maybe country by country, or carrier by carrier but leaving the option to use odd ball sources of apps really doesn't help end users as a small proportion of users will end up taking it (look how many iPhones are jailbroken and users need to be far more proactive to achieve that!). If you're a power user who needs that level of flexibility, you can root the handset.

      Unfortunately, Google won't, I think, follow that path because as the model works today the end user is entirely on their own for support because they "chose" to do it (much as Apple won't support Jailbroken handsets).

      Move to a walled garden and in the event of trouble, Google would end up with some element of responsibility to end users and past experience suggests they want to go there.

  5. Khaptain Silver badge

    What is the name of the app

    What are these alternative stores and what is the name of the App. A little bit more information would have been a lot more serious.

    1. g e

      Re: What is the name of the app

      The lack of information raises the validity of the report like the recent Microsoft fake email report which turned out to be entirely possible to be an email faked in Notepad that originated from anywhere....

      If you got the dirt then dish it and act smug like you're protecting all humanity

    2. Anonymous Coward
      Anonymous Coward

      Re: What is the name of the app

      I'd let you know but I don't have a Chinese-character keyboard.

      Just watch out if you're using a Chinese 'app' (hate that abbreviation) store.

  6. Mark Allread
    FAIL

    Why is this even happening?

    Google had a clean slate, a fresh start in a world which was already well aware of malware. Why did they appear to ignore this obvious outcome? How could they get this so wrong?

    1. Anonymous Coward
      Anonymous Coward

      Re: Why is this even happening?

      All in the name of freedom, freedom to do what you like with a device, freedom to choose where you get your software from, freedom to let 3rd party developers rob you blind.

      1. P Zero
        Facepalm

        Re: Why is this even happening?

        The exact same freedom you have on your personal computer.

    2. Anonymous Coward
      Anonymous Coward

      Re: Why is this even happening?

      What has Google got to do with it?

      It's not come from their store, it's not come from their handsets either. Android is an Opensource OS, and there are hacked versions on Chinese phones accessing other less secure stores...

      I don't see alot there that is really Google's problem.

      The fact you can't even get to El-Reg from China (or you couldn't last time I was there), means the only aim of this story is FUD.

      1. Anonymous Coward
        Anonymous Coward

        Re: Alot

        Aww! The Alot is really cute!

        http://hyperboleandahalf.blogspot.co.uk/2010/04/alot-is-better-than-you-at-everything.html

  7. Anonymous Coward
    Anonymous Coward

    Chinese population

    Judging from my calculations, this COULD have affected .001% of ALL smart-phones in China (not just android purely because I don't know the breakdown of different operating systems). I.e. if 50% of all phones were android, it would mean that possibly .002% were compromised.

  8. Anonymous Coward
    Anonymous Coward

    Double standards?

    Take an Android phone, deactivate the option to only install from the official Android market, go to unofficial store, download software, get a trojan, all Google's fault.

    Take an iPhone, jailbreak it, go to unofficial app store, download software, get a trojan, not Apple's fault at all, you jailbroke it, all your fault.

    Android security isn't perfect, but at least I can see what permissions an app wants before I install it, and can make an informed choice as to whether I want to install it.

    Can iPhone users be so sure that not one of the hundreds of thousands of apps on the App Store is unsafe and doing something nefarious? It's been shown that malware can be put in there, both as a proof of concept and an actual real app. How many more? Do you really think that millions of iPhones containing all sorts of private data are not a juicy target for criminal gangs the world over?

    1. Anonymous Coward
      Anonymous Coward

      Re: Double standards?

      Not really, although I get your point.

      The difference is in the level of effort needed to achieve the same goal, the Android setup is purely a change and confirm issue, the Apple change takes a hell of a lot more effort and Apple try to fix it so you can't do it.

      The issue with the Android permissions thing is not that it doesn't offer you it, but as with all these things it is almost too prevalent, because it asks you every time. Therefore most users are going to turn off to it after a while. I am not sure there is a good solution to it, because it is almost social engineering rather than a technical issue.

      The only real way to stop this is for google to stop you accessing apps from anywhere else in a more stringent way i.e. by default make it closed wall, and then force you to "break" your phone, to get this kind of access. However this would go against what most teccies want, and so doing this would get an instant backlash from the tech community, and instead we will get the smart arses claiming that the "fools" should not be allowed to have android if they can't use it properly.

      Me, I'd make it easier for the average Joe, and give those of us who want to open up our phones a more difficult route to do so, thus ensuring we know what we are doing.

    2. the-it-slayer
      Paris Hilton

      Re: Double standards?

      But isn't it a security risk to allow unofficial apps in the first place? Of course that's Google's fault. They bloody put that feature there where jailbreaking isn't authorised by Apple or even encouraged (regardless of whether it's lawful or not). Damn right it's not perfect in the most accurate means possible. You're comparing apples and oranges in that instance. If you'd said about someone rooting their Android phone and loading custom firmware that authorises any app to change anything, then I'd compare that to jailbreaking.

      I can be pretty confident that there's near zero malware on my iPhone. I can't guarantee it, but Apple's proactive approach rather than Google's lazy approach to checking apps gives me the trust in a software distributor. At least they take ultimate responsibility for anything that happens and at least can respond by killing the app very quickly.

      The fandroid world is ever more becoming a playground for hackers and criminals. So no double standards here. And I just put Paris there to check over there's fair play here.

    3. Anonymous Coward
      Anonymous Coward

      Re: Double standards?

      The difference is most Android phones sold in China don't have Google Play. When you go into the Play shop with a Chinese firmware phone it says "Device not supported". There is no way to get apps other than alternative markets (or flashing the phone with another firmware, voiding the warranty)

      In contrast all iPhones sold in China have access to the iTunes Store.

      1. the-it-slayer
        Facepalm

        Re: Double standards?

        @Anon: 11:12

        Surely that's an issue with Google just being lazy to sort out their business with the Chinese gov and aimlessly allowing Android on the Chinese market without an official app store? Sounds like bad practise to me. So with these unofficial app stores, would that not open the opportunity for tech criminals to setup their own and get what they want when people sign-up and purchase through them?

        I don't know how easy that would be if it was possible.

  9. Anonymous Coward
    Anonymous Coward

    You Can Have All The Phone Security You Want

    But it's not going to stop the mugger from punching you in the face, nicking your phone and wallet as well.

    1. Anonymous Coward
      Devil

      Re: You Can Have All The Phone Security You Want

      Au contraire:

      http://www.bbc.co.uk/news/magazine-18739151

      1. Anonymous Coward
        Anonymous Coward

        Re: You Can Have All The Phone Security You Want

        I know it's what made me say it. He was still mugged though.

  10. Gordon 10
    Thumb Down

    Poor analogy

    People have been aware of the risks of getting mugged since caveman times and have adapted behaviours to mitigate.

    This is more akin to someone leaving the pin pad uncovered or letting a waiter walk off with your credit card. It's something for which the social and technological measures have not yet evolved to adequately deal with and where if some more thought had been given up front the risk could have been further mitigated.

  11. Michael Thibault

    It's the new Windows!

    If the walls of the sandbox ever spring a leak, it will be hugely monetizable.

  12. Matt Bryant Silver badge
    Thumb Up

    Yippee! A new story I can point BYOD pushers at.

    Blackberry and BES offers us the ONLY bulletproof security option because the BES admin has so much control over what the user can and cannot do with the handset, especially when it comes to disabling app downloads. I am a big fan of Android but not in my business environment, thanks.

    1. Anonymous Coward
      Anonymous Coward

      Re: Yippee! A new story I can point BYOD pushers at.

      Erm you can already do the same on iOS and on some Androids that have enterprise management.

      1. Matt Bryant Silver badge
        Stop

        Re: Re: Yippee! A new story I can point BYOD pushers at.

        "....you can already do the same on iOS and on some Androids...." Yes, and please point me to the 24x7x365 support structure that comes with that? And whilst you're at it please make it as easy and flexible as BES so I can make it work with Outlook and Office documents out of the box. Sorry, but the Apple Mobile Device Management solution is a pile of fail compared to BES (I know, I had to check it out to because the Crayola Department wanted iBones to go with their iMacs), and Apple support is laughable when it comes to anything non-Mac. Android can be made secure but I've yet to see an offering that comes close to BES without requiring weeks of consulting to set it up.

        1. Anonymous Coward
          Anonymous Coward

          Re: "Apple support is laughable when it comes to anything non-Mac."

          I disagree. I have been in an Apple store and listened with interest while a 'genius' explained to a 70-something bloke about the different options for running Windows programs on his Mac. Alternative programs, emulators, boot camp, etc. He explained it really well in a way his audience could understand and I was impressed.

          I am not an Apple evangelist.

          1. Matt Bryant Silver badge
            Stop

            Re: Re: "Apple support is laughable when it comes to anything non-Mac."

            "....I have been in an Apple store and listened with interest while a 'genius' explained to a 70-something bloke about the different options for running Windows programs on his Mac....." That's great, but not really the enterprise-level requirement I was thinking of. I'd hate to have to discuss an Exchange issue with Apple support.

            As a simple counter example to yours, for years we had an option so that users could also register for a Blackberry Internet Service email account alongside their work BES account, just so they could have public and private email on the same device. With BIS, you can go set it up and look at it in a Web browser. Well, actually in some browsers, because that pile of cack Safari would never work (and still doesn't). Whenever asked, Apple support insisted it wasn't their fault, even when we showed them where their browser was not implementing Web standards correctly. For a while we advised our fanbois to use the version of IE for Mac OS as that did the job better despite having been out of production since 2003! It was interesting watching their faces at that suggestion. In the end my boss got so tired of the iTards complaining he cancelled the BIS bit of the contract.

  13. Michael Habel
    Stop

    What if you don't have CC or a CC attached to a Google Account

    How damaging would this be then?

    Assuming that this could either somehow pull your CC Details off the Phone or off the G-Account that is.

    1. Anonymous Coward
      Anonymous Coward

      RTFA

      This makes purchases from China Mobile's own store, so it gets charged to the user's phone bill.

  14. P Zero
    Big Brother

    With all this in mind...

    When are Apple and Microsoft installing 3rd party apps from untrusted sources on their respective computer operating systems?

  15. Furbian
    Mushroom

    Hardly surprising...

    ... when you consider that e-mails from their Google-Play-Wallet etc. look just like spam e-mails. Here's how they killed off my account for me asking why they wanted my passport, statements etc. for trying to buy an 80p app, in English so bad that a 10 year would see the silly mistakes ...

    http://furbian.blogspot.co.uk/2012/06/my-google-walletplaycheckoutwhatever.html

    1. Anonymous Coward
      Anonymous Coward

      Re: Hardly surprising...

      @Furbian.

      Pretty piss poor, but that is what you can expect from a call centre on the outskirts of Lahore, or wherever. I had a similar encounter with Amazon some years ago. The morons just cut and paste canned paragraphs in a manner they think might make some sense. As far as I was able to tell, not 1 line of what I wrote to them was read. In fact, I suspected that there was an auto-response robot answering me, because no sentient being capable of minimal English comprehension could seriously consider the responses I received as relevant to the questions asked. So, your experience is not unique. Call centres in 3rd world countries might as well be staffed by "bots" because a well written "bot" would probably do a better job, and it would at least be able to spell.

      To me your case looks like a rogue and you probably should take it higher up the chain.

    2. Anonymous Coward
      Anonymous Coward

      @ Furbian

      Whilst I sympathise with your frustrations at the issue, having experienced similar situations - you make a big deal about the poor spelling and grammar but you actually make far more copious mistakes yourself.

      If you're going to focus on the issue then maybe a quick read-through of what you just typed might be in order?

      1. Anonymous Coward
        Anonymous Coward

        @ Furbian

        The comments function on your blog does not work.

        Finally, I have one really easy-to-remember tip for you: apostrophes are not used to form plurals.

      2. Furbian
        Happy

        Re: @ Furbian

        Typos galore indeed! I pretty much said as much at the end of my rant, though I can appreciate one not reading all of my ill-tempered rant, because I had (and still have) better things to do with my life than spending more than a few minutes firing off angry replies to 'Google'. After all, the onus is on them not to send out e-mails like that asking for quite a lot of personal information, enough to steal my identity. They could at least put them through a spell checker, most browsers, e-mail clients etc. will spell check as you type. Or are Google staff not allowed such a luxury? There aren't any massive grammatical howlers in my replies anyhow, there's a world of difference between what they sent and what I replied with.

        Anyway, I'm just a customer who asked some perfectly valid questions, and received no answers. Nobody paid me to write the e-mails I sent them, but the chap/chapess (yes I know the latter probably isn't a word) corresponding with me was quite clearly paid for writing the ones they sent, it's their job.

        Thanks for the handy tip on the use of 'apostrophes', I will make sure I do no offended Google with such appalling typo's. Then again, maybe I wont! Yes the latter and the former are my idea of a joke.

        As for comments not working, well that's Google for you again! Sigh is it worth figuring out what's wrong with it.....

        oh I just tried, signed me in and gave me an error saying I should try again later.. now I can blog about a blog not working!

        Lahore is an unlikely destination for a call centre, it being in Pakistan, no one wants to base a call centre on a border town in that country, or anywhere for that matter, the vast majority appear to be in India, with some now in the Philippines and even Morocco apparently. The idea of a 'rogue' is why I decided to play it along and see where it went, escalation seems impossible, and I did read somewhere that someone sent them a letter to their FSA registered address, and they received no reply. Anyway life's too short, and I'm not too fussed about it, the blog entry and this are about the extent to which I would take this. But I like to stick my blog URL in when I see Google mess up their Play store.

  16. Anonymous Coward
    Stop

    As predicted

    "TrustGo recommends customers only download apps from trusted app stores and download a mobile security app which can scan malware in real-time."

    No doubt they will sell you an appropriate security app. I'm guessing they will also happily sell you snakeoil and volcano insurance too.

  17. Anonymous Coward
    Thumb Up

    Again, it's soooo agreeable to be right!

  18. Anonymous Coward
    Anonymous Coward

    Android is safe !

    Yeah, some security firms are trying to bite big parts of Android market. That's all ! TrustGo, Avast, AVG ... Android is Linux and is secure. There are no "viruses" like in Windows! You can list all installed apps and see what permissions they require - Setting / Manage Applications and then click on each app to see what permissions they have. If you have any doubts - there are some apps on the market like Anti Mobile Spy and Permissions Dog that can analyse the permissions of each installed app for you.

    There are no viruses, there are apps with excessive permissions. Just read what permissions are required by each app when you put it on your phone, and you'll be safe.
