Android Malware May Have Infected 5 Million Users 280
bonch writes "A massive Android malware campaign may be responsible for duping as many as 5 million users into downloading the Android.Counterclan infection from the Google Android Market. The trojan collects the user's personal information, modifies the home page, and displays unwanted advertisements. It is packaged in 13 different applications, some of which have been on the store for at least a month. Several of the malicious apps are still available on the Android Market as of 3 P.M. ET. Symantec has posted the full list of infected applications."
Those Counter-Strike "Clones" (Score:5, Interesting)
I've always thought it was odd that those games that literally copied Counter-Strike were allowed on the Google Market.
I know, you're about to say "copying gameplay, while unethical, is completely legal". Problem is, they didn't copy the gameplay - they're boring rail shooters. The copied stuff is the art - the textures, models, even some of the maps. And that's blatant copyright infringement. It's obvious even from the previews, if you've played the game enough. And since, at one point, people playing cs_italy were responsible for more bandwidth usage than actual people in Italy, I'm pretty sure I'm not the first to notice it.
I figured Valve, being pretty savvy about this sort of thing, figured that suing them would give them too much publicity - Streisand Effect and all that, not worth the huge amount of publicity that anything Valve does. Now, I'm thinking that iApps7 was just ignoring the cease-and-desists, because when you're already distributing malware and committing actual, commercial copyright theft, you're probably not too afraid of lawyers.
Indirectly related, but... (Score:3, Interesting)
Apart from being somewhat annoyed about the greater difficulty of managing my smartphone when compared to my Linux boxes, I've been having a hard time selecting apps for it.
Android market is not exactly friendly (is there a way to get larger fonts?) and I'd like to have a search by permissions. Recently, I wanted a mere notepad app -- no frills, no cloud, no nothing, just the note, but there's an "excellent" notepad app which requires you to join an online service. WTF!!!
After finding 2 suitable apps, I would still need a bigger keys soft keyboard... again looking at permissions to avoid leaking unnecessary things.
No wonder guys end up getting viruses... we need better ways to control our exposure. Then again Google's business depends on offering us what we want and thus they need to know that. But am I giving my data only to Google? I wonder where my accounts and their details end up going...
Re:No risk for me (Score:5, Interesting)
On a slightly different topic, since I might as well go all out in insulting average non-computer-savvy people for the crime of not spending their life like pasty-faced Anonymous Cowards in front of the cool glow of a monitor in their basement, I remember an early app in the Android market that was literally a tithe calculator. I'm GUESSING this was someone's first app or otherwise a test app by someone learning to program, because I actually downloaded it a second time after an update and the interface became slightly more refined (with a background picture instead of a flat colour and so on), and I'm not particularly here to mock the author of the app so much as any target audience members that might exist.
The app had a prompt for you to enter how much your annual income was, and then a 'go' button that returned (income/10) as the amount you needed to tithe. In the event that you belong to a church that receives tithes to support it, I'm very afraid if you need a smartphone and a custom app in order to divide a number by ten. The app did exactly what it said on the can, but by FSM I hope nobody was browsing through the Android Market and went "Oh! That's exactly what I need!"
Well combine this with googles other news (Score:3, Interesting)
Re:Google Needs To Get Their Ass In Gear (Score:5, Interesting)
Consider the difference between the following questions:
(1) Who can *you* trust?
(2) Who can *everyone* trust?
The problem with the Apple market, and with your idea too, is that it is predicated on having an answer to the second question other than "nobody".
It seems clear to me that a better solution could be built around the first question. That entails letting the consumer decide who he trusts to review and approve apps, then giving him the tools to implement that trust. That'd involve some kind of network to distribute digitally signed approvals. You wouldn't have to have different app stores. You could use any store or combination of stores you wanted. What matters is whether you can find a certification for an app from an authority you trust.
Consumers would subscribe to different authorities based on their concerns. Businesses might choose different kinds of reviewers to trust than gamers. Different functions in a business might choose different reviewers based on the kind of information they handle (e.g. whether the device running the app has sensitive or privacy related data). Evangelical Christians might choose review authorities that reject apps that promote pornography, and porn-hounds would choose authorities that reject apps promoting Christianity.
Re:Google Needs To Get Their Ass In Gear (Score:4, Interesting)
Although I seriously doubt Symantec's 5 million number is right, the fact that malware keep showing up on the market is disturbing.
To be fair, this does not look like Malware at all.
For instance, I'm looking at the game called 'Balloon Game' by Ogre Games, which they say is malware. By downloading the application, you're agreeing to the fact that it can read your phone state and phone identity, you're agreeing that it can use the internet, and you're agreeing that it can install shortcuts on your home screen.
The application wants to know my unique IMEI number? or my Mac address? Whoop di doo. I really don't care about that. And yes, it has access to the internet, so it can serve me ads, send info about me, and possibly (according to Symantec) update its own code in real time.
But even if it can update its own code in real time, it can't change its permissions in real-time (it doesn't have the permissions for that), so it's still sandboxed in the permissions I gave it originally. So what's the problem here? What other "sensitive" information is it leaking out? Does this application go against anything in the Google's Market Terms of Services in any way? No, it doesn't. Only Apple has inane Terms of Services about not being able to load code dynamically from the internet.
This isn't the OS you're looking for. (Score:0, Interesting)
Despite being Linux-based, it is weak-minded. I sold my android device to some other poor, unsuspecting dupe. I got it, played with it for a little while, realized it was basically worthless, and sold it while it still had resale value. Because I bought it at Christmas time, with a steep discount, I actually turned a profit on the little piece of shit. Hahahahahah... sucker. Android has an app store with no vetting process, and that is the heart of the problem. I don't know that it's possible to make an OS where apps are so sandboxed that it doesn't matter WHAT they do. Perhaps if the OS itself had a master control panel at which you could, as the user, and without gaining root, change the permissions of every single program...
But they'll never do that. Linux (and all OS's based on it) suffer the same basic problems other OS's do anymore, because they've become OS designed to be able to run on general purpose machines. So now you've got security exploits, a pain-in-the-ass system (SELinux) that comes bundled that's more annoying than the security default set up that came with Windows Vista, a kludgey patchwork of libraries and it's just a total clusterfuck anymore.
What happened to the UNIX standard from the age of K&R, when each program did what it was designed to do, did it fast, did it well, did it quietly with a modest set of resource requirements, terminated and returned control to the OS?
Now there's almost no advantage to using Linux over Windows, and the disadvantage of it being a big pain in the ass, sometimes. There's a reason why so many Linux distros now are playing catch-up on a 2-3 year lag on features and interface usability with Microsoft and Apple. The reason is because the big boys cleaned up their act, and Linux is becoming increasingly fragmented. Android is useless, I have tried multiple different Linux distros, Windows from 3.1 to 7, and Commodore Basic (pseudo-OS), and MS DOS. I have even tried FreeBSD a few times.
Linux has gotten to be almost as easy to use as Windows, but the myth that you never have to reboot Linux has I think been debunked. Last time I tried Linux, (Mint 11, and Fedora 14, I think) Every time I fired up the computer, the automatic updater would start, and tell me there were dozens of packages that needed to be updated. Frequently this included critical subsystems, (like the kernel itself,) that ended up requiring a restart.
What happened to you Linux? Your ass used to be beautiful...
Anyway, this thread was about Android exploits. Yeah, MOD me down as a troll, I don't give a shit, because this is the TRUTH:
Android is crap. (IOS is also crap, for a completely different reason) but until someone comes up with something better, something that keeps programs in their own space so that they can't jack other files or the system, and that can do all the other things android and IOS phones can do, Android based equipment will continue to be useless. :)
Re:Reaction (Score:2, Interesting)
You've all been fooled. Before you forward the Symantec scareware to all your friends, please study what the symantec announcement says a little more closely.
I've taken a look at the 'Balloon Game' by Ogre Games for instance. It's not malware. It's not doing anything that it hasn't requested in the permissions already. And even if it can update itself (as Symantec claims it can do), if you read Symantec owns report, Symantec doesn't think it can do anything (outside of the permissions it has already been granted).
The only malware here is Norton Symantec, with their fake claims about it being malware and with their super long suggested solution of removing the problem (when the last paragraph at the end of their page titled "manual removal" would remove the program far more quickly).
You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your device has been affected by this risk.
Install Norton Mobile Security
If you do not already have Norton Mobile Security installed on your device, please download the product from the Android marketplace.
Alternatively, you can navigate to the norton.mobi website from your device and download the product from there by completing the following steps:
Select the 90-Day free download.
Click on the Android icon to begin downloading the product.
Click on Install in order to accept the permissions that are being requested by the program.
Next, click Open and then Agree & Launch.
Note: The first time the product runs, you will be required to enter a code that is displayed on the screen in order to activate the product. Enter the provided code and press Submit.
Run a full system scan
Run a full system scan using Norton Mobile Security to remove this risk from the device. To do this, please perform the following actions:
Navigate to the Anti-Malware tab.
Click Scan Now.
Manual removal
To remove this risk manually, please perform the following actions:
Open the Google Android Menu.
Go to the Settings icon and select Applications.
Next, click Manage.
Select the application and click the Uninstall button.
Re:No risk for me (Score:4, Interesting)
I'm not sure how, but you've hit the crux of it. With Windows, we expect this "blame the user" scenario because we've been trained to expect it. We were hoping for better with Android. But there are just so darned many apps now to vet.
Maybe a second level of "hey, these permissions are really loose and align with known malware. Are you really sure you want to enable this app to upload all your files and your contacts list to any random website and dial 1-900 numbers to run up your phone bill?" consent might be required.
Or maybe just triggers for additional inspection of apps based on required permissions. But that costs money, and somebody has to pay for that. Maybe a permissions cost matrix for uploading your app, to pay for the code inspection. That would encourage developers to require the minimum necessary permissions.
Re:May have? (Score:5, Interesting)
BTW: Symantec is just now disclosing that their servers were hacked [huffingtonpost.com] in 2006 (as far as they know - maybe earlier). They don't know how long the hackers have PWNed their network, how much control they had, or for how long - but they're quite sure the hackers have stolen some of their source code. They recommend that you not use / disable / uninstall some (most) of their software. Most especially including PC Anywhere, since apparently it has a vulnerability or "back door" that allows the hackers to remotely administer your PC from Anywhere - and has for the last SIX YEARS.
I think I'm going to take Symantec's edicts with a grain of salt from now on, even if this is from a different group.
Re:No risk for me (Score:5, Interesting)
I just really wish for a more fine-grained permissions system.
I mean:
full Internet access
Allows an application to create network sockets.
Wouldn't it be fucking nice if it only could have unchecked internet access to an explicit list of URLs and "full internet access" meant "initiated by user action"?
Same for file system and for "Read phone state and identity" - 95% of apps in the market want the same permission.
It just gets devalued, like UAC's very helpful and informative "Allow this program to make changes to your computer?" prompt (More details? Sure: "Origin: Hard drive on this computer"). With all kinds of "changes" and their frequency it's not hard to see why UAC is often turned off. WIth all kinds of "full internet access" it's not hard to see why permission page is just to click "Accept".
Re:Google Needs To Get Their Ass In Gear (Score:5, Interesting)
When netbooks came out they delivered remarkable utility with long battery life in a tiny package for low cost - using Linux and small SSD media. The netbook met a need for low-cost compromised UI with good performance. Then Microsoft convinced all the Linux netbook vendors to convert back to XP, consuming more storage (and driving the cost up) and delivering less-adequate performance. They sold more units, and lost money on every one. And then there was the crippled versions of W7 thing with even higher costs as the cost of full laptops dived below the price of netbooks. And the netbook market crashed because nobody was going to go back to the cheaper, quite awesome Linux variant when they could sell $300 laptops instead. But a funny thing happened. The price of a laptop also fell in response to this netbook threat - from $900 to under $300. Microsoft successfully killed the netbook by cutting the throats of their PC OEMs with budget laptops.
People forget that between the netbook and the tablet was a Smartbook - invented by Asus and showed briefly in 2009 at a summer trade show - and then suddenly yanked in mid show. It was a ARM/Linux platform. The very next week a very nervous looking Jerry Shen flanked by Steve Ballmer and a member of Microsoft Legal was talking up Asus W7 platforms on a stage in Taiwan. He seemed to be sending out very stressed body language - something like "help me".
So now we have ARM tablets, mostly thanks to Apple's huge margins and lack of commitment to the Windows ecosystem enabling them to innovate. But the netbook story isn't going to play out here again. The CE vendors are in this game now and Microsoft doesn't have the leverage over Samsung and HTC that they had over the PC vendors. The CE vendors can't make Apple tablets: only Apple can do that. So they're going to do the thing they CAN do, and make Android tablets as best they can. And they do. And they rock. And Google does the ecosystem thing for them, with 250M units in the field the developer need not worry about there being a market for his app if it's any good. With hundreds of thousands of apps customers need not fear the thing won't do what they want - in fact, if you've bought it for your phone you don't have to buy it again for your tablet. And some of the apps - particularly games - are quite incredible on a device with all-day battery life. And things like Kindle app of course still give you access to all the things you've bought through there too.
The new crew, the CE giants, the Samsungs and HTCs are also the ones burned on Windows Phone and buying back their stock thanks to Nokia's preferred standing - so they're not going to push for WoA. Neither are the PC OEMs, once they find out Nokia got early access and help, and they're required to include software with Nokia branding on it in their PCs.
WoA is going to try to step into this with no apps, a rejected WP7 UI and a general distrust of Microsoft, and try to make a go of it. Maybe even without multicore. They're going to have to acquire HTC to make that happen, because without something on that scale they got nuthin.
This is starting to look like the end of the beginning.