Android Users Get Scammed With In-App Antivirus Ads
An anonymous reader writes "A new malware scheme has been discovered that pushes fake antivirus software to Android users via in-app advertising. Once installed, the trojan informs the victims they need to pay up to remove threats on their device. The malware in question, detected as "Android.Fakealert.4.origin" by Russian security firm Doctor Web, has been around since at least October 2012 according to the company. While Android malware that masks itself as an antivirus for Google's platform is nothing new, and neither are ads in Android apps pushing malware, but putting the two together can certainly be effective. This is naturally a practice that Windows users are all too familiar with."
Always give them a chance (Score:5, Interesting)
I will never understand why phishing and malware attempts always have some weird tell that they're not legit. Whether it's some bizarre choice of words in the midst of an otherwise fairly legit looking piece of email or Cyrillic text in the middle of an otherwise semi-legit looking app there's always a tell.
It's as if the authors are carefully trying to prey only on the truly stupid.
Why 'Nigerian Scammers' Say They're From Nigeria (Score:2)
It's as if the authors are carefully trying to prey only on the truly stupid.
Given how advance fee fraud works [slashdot.org], that's probably right.
Re: (Score:2)
That's a slightly different scenario though. In this case they don't have to weed out responders to save time. For most click here, enter data here type phishing attempts it's a one time interaction. If you're dumb enough to take the first step there's no second step to save you.
I guess I shouldn't have written 'I will never understand' but I certainly don't at the moment. I'll admit it's so pervasive there may be a reason but they're usually fairly subtle errors whereas the Nigerian scammers are fairl
Re:Always give them a chance (Score:4, Interesting)
You know, I got that same feeling when the article said this was from "Russian security firm Doctor Web" and the malware dates back to October 2012.
They may be legit, but I did a double take on the name and country of the company, as well as the date.
Looks like it comes from TFA, which is next to useless for actual helpful information. No mention of what ad networks, or what apps these were found in. They even blur the website name of where they encountered an ad. The Next Web article seems to be copy-pasta from the AV 'article' (probably better described as a press release). I clicked around their site and their links are broken and redirect to a scary 404 page that gives me instructions on how to recover Windows. Pot, kettle, anyone?
But sure enough, they sell Android antivirus software.
(Full disclosure: I sell an app meant to teach new users about Android permissions, but also give the text of the guide away -- still, take what I say with a grain of salt, like anyone else).
Re: (Score:2)
There is some logic in that - if you eliminate the ones smart enough to do stuff like that, you have a better chance of remain
Re: (Score:2)
I've removed several malware programs from the computer, and I know that it's coming from those free kids game sites which my kids use on a regular basis. They're not stupid, but naive to these sorts of things. Like most things I can explain it to them a thousand times, but when you hold a shiny
Re: (Score:2)
So why do your kids have admin accounts on the computer?
Re: (Score:2)
WTF has root got to do with anything? I said admin. An admin account is one which allows you to install programs. If the kids don't have an admin account they won't be installing programs.
Or do you have some deficient OS that doesn't have proper admin accounts? Hmm... root? You're not a Linux user are you?
Re: (Score:3)
The most obvious give-away is when it says "you must enable installing from untrusted sources", aka side-loading, to use the .apk file that just downloaded. For some not at all suspicious reason it isn't on Play. Ignore the warnings you see about not trusting unknown applications/companies. Just keep clicking "yes".
People who fall for this are too dumb to use a smartphone. They are on a par with people who drive over cliffs or off bridges because their sat-nav told them to. If you don't make the slightest e
You only notice the badly done ones. (Score:1)
The rest are happily installing crap on your system with your blessings.
It really PISSES ME OFF that nobody can figure out how to fix this. Fucking malware guys should be stripped, dipped in glue, and rolled in fire ants. For the first offense. What a bunch of assholes.
I've seen this before... (Score:1)
How to get a Windows registry (Score:2)
I'm running linux...I'm sure that the first of those 'problems' is that I don't have a windows registry. XD
If your PC runs a distribution descended from Debian, you too can get your very own Windows registry:
But I see your point. As long as you're using an X11 based browser, as opposed to browsing the web in a copy of Wine Firefox that you ended up keeping open after you were done watching Netflix, there's no way a pop-up ad could possibly see your Windows registry.
Please help me become no longer an idiot (Score:3)
Wine and Mono are proof of the existence of the idiot savant. They brilliantly do these things, and don't know why they shouldn't.
Then please help me become no longer an idiot. Please explain why one shouldn't. Are you claiming that it is unwise to allow users of a minority computing platform to run applications that were developed for the majority computing platform? If so, please explain at which point the unwisdom enters the claim.
Re: (Score:2)
Once you have adopted the thesis this far
Explain which "thesis" you're talking about, and my exit might become easier.
Uninstallation last time (Score:4, Informative)
It's a lot easier to uninstall fake antivirus on Android than on Windows. Last time, removal took two steps [slashdot.org]: 1. remove it from the list of device administrators, and 2. uninstall the application from the device.
Are other mobile platforms any less prone to deceptive in-app advertising?
The big difference between Android and Linux (Score:2)
is that while in desktop GNU/Linux a firewall is designed to keep the nasties out, in Android a firewall like Droidwall is designed to keep the nasties in, i.e. prevent them from phoning home.
For those who want to be anal pedantic I know the "backend" in both Android and GNU/Linux is pretty much the same iptables that can be configured to keep out/in both external and internal threats. However, I was quite surprised when I first learned what Android firewall apps, which typically require root-level access t
Re: (Score:3)
Is there really a technical reason why it's not possible for them to dig in deeper into an android device assuming the user gives permission (as per the article)?
Yes.
In addition to the standard Linux security model, Android has an Application Sandbox which assigns a unique user ID (UID) to each app when it is run. The apps run as that UID, and can only interact with other apps through secure inter-app process communications.
http://source.android.com/tech/security/ [android.com]
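The per-app UID described in this reply is also what the iptables-based firewalls mentioned in the parent comment filter on. The sketch below is an added example, not code from Droidwall, Android or either poster; the package names and UIDs are constructed, and the `packages.list` column layout and the 10000-19999 app UID range are assumptions stated in the comments.

```python
from collections import defaultdict

# Constructed sample. Assumed layout of /data/system/packages.list:
# <package> <uid> <debuggable> <data dir> ...
SAMPLE_PACKAGES_LIST = """\
com.android.settings 1000 0 /data/data/com.android.settings
com.example.browser 10051 0 /data/data/com.example.browser
com.example.game 10052 0 /data/data/com.example.game
com.example.game.helper 10052 0 /data/data/com.example.game.helper
com.example.fakeav 10053 0 /data/data/com.example.fakeav
"""

# Assumption: installed apps receive UIDs in this range.
APP_UID_FIRST, APP_UID_LAST = 10000, 19999


def parse_packages(text):
    """Return {package: uid} for entries whose UID is in the app range."""
    pkgs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[1].isdigit():
            continue  # skip blank or malformed lines
        uid = int(fields[1])
        if APP_UID_FIRST <= uid <= APP_UID_LAST:
            pkgs[fields[0]] = uid
    return pkgs


def by_uid(pkgs):
    """Group packages by UID; a group of more than one shares a sandbox."""
    groups = defaultdict(list)
    for name, uid in sorted(pkgs.items()):
        groups[uid].append(name)
    return dict(groups)


def piggybackers(pkgs, allowed):
    """Packages not on the allowlist that still get network access,
    because the owner match sees only the UID they share with an allowed app."""
    allowed_uids = {pkgs[p] for p in allowed if p in pkgs}
    return sorted(p for p, uid in pkgs.items()
                  if uid in allowed_uids and p not in allowed)


def egress_rules(pkgs, allowed, chain="app-egress"):
    """Build iptables commands: allowlisted UIDs pass, other app UIDs are rejected."""
    rules = [f"iptables -N {chain}", f"iptables -A OUTPUT -j {chain}"]
    for uid in sorted({pkgs[p] for p in allowed if p in pkgs}):
        rules.append(f"iptables -A {chain} -m owner --uid-owner {uid} -j RETURN")
    rules.append(f"iptables -A {chain} -m owner "
                 f"--uid-owner {APP_UID_FIRST}-{APP_UID_LAST} -j REJECT")
    return rules


if __name__ == "__main__":
    pkgs = parse_packages(SAMPLE_PACKAGES_LIST)
    allowed = ["com.example.browser", "com.example.game"]
    for rule in egress_rules(pkgs, allowed):
        print(rule)
    print("also allowed via shared UID:", piggybackers(pkgs, allowed))
```

The rules are only printed, never applied. The `piggybackers` result shows the limit of filtering at UID granularity: any package sharing a UID with an allowed app gets the same network access.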
Re: (Score:2)
Is there really a technical reason why it's not possible for them to dig in deeper into an android device assuming the user gives permission (as per the article)?
Yes.
In addition to the standard Linux security model, Android has an Application Sandbox which assigns a unique user ID (UID) to each app when it is run. The apps run as that UID, and can only interact with other apps through secure inter-app process communications.
http://source.android.com/tech/security/ [android.com]
There have been several well known (some even presented at Black Hat) ways of breaking out of the Android sandbox, and Linux privilege escalation exploits, to completely compromise an Android phone. The biggest problem with Android security though is that even Google has been good at adding security features and fixing vulnerabilities, most of the user base is on older vulnerable versions, with added "functionality" from handset makers and operators undermining security further.
Malware (Score:2)
"Please run this random program you got from somewhere because we asked you to".
Then something bad happens.
What's Android platform specific about this?
No "Unknown sources" and pay to "adb install" (Score:5, Interesting)
What's Android platform specific about this?
Mobile platforms other than Android put substantial barriers in the way of being able to "run this random program you got from somewhere". Windows Phone 7 and iOS, for example, don't really have a counterpart to the "Unknown sources" checkbox of Android, and they charge $99 per year for "provisioning", which allows the user to load applications through the equivalent of adb install.
Re: (Score:2)
why is SD card access a boolean decision? And why are all permissions granted permanently to apps?
Fair questions, but how would you have designed it? Think carefully about the edge cases and user experience for both questions. I think it also helps to keep in mind lessons learned from incessant dialogs. Users are now desensitized and trained to click OK, despite not having read the message.
Secure file chooser dialog (Score:3)
Fair questions, but how would you have designed it?
I'd handle SD card access like this: When an app is installed, it can read and write only its own folder. When an app wants to open any other file, or all files in a given folder, it asks the system to display a file chooser to the user, and then that app gets authorized to open that file. Both OLPC Bitfrost and the Mac App Store sandbox use variants of this pattern. Likewise with the Internet permission. I'd add an additional "User-chosen Internet sites" permission that can access only the domains specifie
Re: (Score:3)
If you think I'm exaggerating, most non-tech people I know never use the URL bar on their computer: they go to their homepage, usually Google, and type in the site's name there. Eve
Explanation for novices; vehicles as appliances (Score:2)
And the number of acronyms and specialized vocabulary you've used means you'd have lost 90% of the user base by doing that.
alostpacket asked: "how would you have designed it?" How to design a system and how to explain its behavior to computer novices are two different things. I am aware that trying to explain a system to a novice user and to a programmer using the same wording is unwise.
File Chooser: When an application wants to work with one of the documents, photos, or other files stored on your device, the device asks you to choose a file. Only the file you choose will be made available to the application. Sometimes, an a
Re: (Score:2)
the perfect solution would be somewhere in between nokia j2me permissions handling and the way android does permissions.
nokia (and other) j2me permission handling bombs the user with way too many dialogs(making using a file browser coded in j2me really tedious) and android doesn't give possibility for enough.
however, if you have a platform where you could do AV/system maintenance sw as a 3rd party, then you're going to have the possibility to do fake sw to do it. remember, this attack is mainly social engin
Paying your dues (Score:2)
and no I don't want to pay testing houses 500 dollars for a release that the fucks don't even check if it does anything bad(the symbian way)
Then the established development companies that are willing to pay their dues will out-compete you.
Re: (Score:2)
Fair questions, but how would you have designed it? Think carefully about the edge cases and user experience for both questions. I think it also helps to keep in mind lessons learned from incessant dialogs. Users are now desensitized and trained to click OK, despite not having read the message.
The fact that a lot of people will just click OK on dialogs without consideration is well worth bearing in mind. But the Android method does not get an advantage there. People who do this will click on OK in a dialog at install time, even more so than when an unpredictable one comes up.
Better to bring up a dialog which is specific to a particular permission, at the time the app is first trying to do it. Then a user can better understand why they are being asked the question.
But ultimately, the best UI is no
Re: (Score:2)
Following myself up here:
Of course you also need a permissions section in an options screen somewhere in order that permissions that were given can be taken away again.
Re: (Score:2)
One way to do this is to have a curated App Store where apps that do bad things aren't allowed.
Isn't that what Amazon Appstore does?
Re: (Score:2)
why are all permissions granted permanently to apps? Bad design.
Because Android security is designed to protect the community of users rather than each user individually. The last paragraph below explains the philosophy, but it's much the same as many other FOSS systems - not all users can audit or edit source code, but not all need to.
How Users Understand Third-Party Applications
Android strives to make it clear to users when they are interacting with third-party applications and inform the user of the capabilities those applications have. Prior to installation of any application, the user is shown a clear message about the different permissions the application is requesting. After install, the user is not prompted again to confirm any permissions.
There are many reasons to show permissions immediately prior to installation time. This is when user is actively reviewing information about the application, developer, and functionality to determine whether it matches their needs and expectations. It is also important that they have not yet established a mental or financial commitment to the app, and can easily compare the application to other alternative applications.
Some other platforms use a different approach to user notification, requesting permission at the start of each session or while applications are in use. The vision of Android is to have users switching seamlessly between applications at will. Providing confirmations each time would slow down the user and prevent Android from delivering a great user experience. Having the user review permissions at install time gives the user the option to not install the application if they feel uncomfortable.
Also, many user interface studies have shown that over-prompting the user causes the user to start saying "OK" to any dialog that is shown. One of Android's security goals is to effectively convey important security information to the user, which cannot be done using dialogs that the user will be trained to ignore. By presenting the important information once, and only when it is important, the user is more likely to think about what they are agreeing to.
Some platforms choose not to show any information at all about application functionality. That approach prevents users from easily understanding and discussing application capabilities. While it is not possible for all users to always make fully informed decisions, the Android permissions model makes information about applications easily accessible to a wide range of users. For example, unexpected permissions requests can prompt more sophisticated users to ask critical questions about application functionality and share their concerns in places such as Google Play where they are visible to all users.
http://source.android.com/tech/security/ [android.com]
Re:Malware (Score:5, Insightful)
"Please run this random program you got from somewhere because we asked you to".
Then something bad happens.
What's Android platform specific about this?
Well it doesn't happen on iOS.
Re: (Score:3)
I can't download it because it was only on the AppStore for a few hours before it was removed, and he as a rogue developer was banned. Which is a pretty good demonstration of why it's better than Android's system. With Android, all the malware that was ever created is still out there, still trapping the unwary.
Re: (Score:1)
"I, a free man, wish to enter into a contract which may or may not benefit me, but goddamit it's my choice and I'm the one making it."
"Thankfully, my masters have removed my free will and will decide for me what is good and what is not. Praise to my betters!"
Re: (Score:2)
So you don't use virus checkers or spam mail blocklists. Interesting.
Why was Windows mentioned? (Score:2)
While Android malware that masks itself as an antivirus for Google's platform is nothing new, and neither are ads in Android apps pushing malware, but putting the two together can certainly be effective. This is naturally a practice that Windows users are all too familiar with."
Ahh Slashdot! I guess Windows was mentioned in order to create a "me too" effect. That is, that Android is just like "any other" system; especially one that has been around for a while.
To put it better: Nothing new, which saves Android, right?
Apple users too..Nothing new here (Score:2, Interesting)
I'm never really sure why one scam virus scam manages to raise itself above others. but here is a link to some Apple suffering the same problem http://en.wikipedia.org/wiki/Mac_Defender [wikipedia.org] "The program appears in malicious links spread by search engine optimization poisoning on sites such as Google Image Search. When a user accesses such a malicious link, a fake scanning window appears, originally in the style of a Windows XP application, but later in the form of an "Apple-type interface". The program falsely
Difference is, mobile vs. PC (Score:2)
I'm never really sure why one scam virus scam manages to raise itself above others.
Because those things are well known in traditional computers, but less expected on mobile devices which are supposed to be more secure.
in-app ads (Score:2)
AdMob among others (Score:3)
Or is there a pool of third party company ready to give away software bits for that?
Yes. As explained in Google's article [android.com], each Android ad network distributes its library as a JAR file to include in a project.
Or is there a system-wide API provided by Google?
AdMob, a Google company, is one of the Android ad networks.
Great Value. Open source. Multiple Manufacturers. (Score:2)
Android users got scammed enough when they bought a fucking Android device.
It might seem like a scam, but you really do get great value smart phones at realistic prices (and choice). It achieves this by using a free open source OS, and providing a healthy ecosystem of manufacturers. It's why 1.5 Million devices are sold daily http://www.engadget.com/2013/04/16/liveblog-google-eric-schmidt-at-dive-into-mobile-2013/ [engadget.com] "320 operators, 160 countries, 700,000 apps in the Play Store, and 1.5 million sales / activations of Android every single day. We'll cross a billion towards the end of th
Snake Oil Time (Score:1)
The phone has a slew of new features, including an improved 13-megapixel camera
More megapixels is not an improvement.
new software features and it responds to waves and gestures.
Not well according to reviews. Who is going to use them if they don't work reliably? It's the ultimate gimmick to say you can control something literally right in your hand with a wave. It requires more effort to wave than to drag a finger across the screen!
The "Pause video when eyes lose contact with screen" is the biggest softw
Shilling for free software (Score:2)
Re: (Score:1)
To understand what gets modded up on Slashdot, you have to see what's in the bandwagon that everyone has hopped onto. If it isn't in the bandwagon, then your criticisms will get modded up.
Bandwagon: Google, Android, Linux, GCC, Windows 7
Not in Bandwagon: Apple, iOS, Windows 8, CLANG, Nook, Yahoo, Bing, Windows Phone, Apple OS etc..
So my comments like: "I'd rather trust a dirty whore with telling me the truth, than to trust Google's advertising platforms such as GMail, Google Search, Google Calendar, Andrio
Ad blocking == security measure (Score:3)
Advertisers? Are you getting this?
You should be teaming up right now putting together a trusted and guarded source with a built-in regulated system that says "we will not annoy the user." It should be trusted and verifiable. The content of ads should be reviewed for various things.
Get your stuff organized and legitimized, advertisers, as I will stop blocking you.
Also, I have never seen malware on my phones or tablets. I wonder why...
You're using passives again (Score:2)
You should be teaming up right now putting together a trusted and guarded source
Guarded by whom?
with a built-in regulated system
Regulated by whom?
The content of ads should be reviewed for various things.
Reviewed by whom?
Look at all these constructions with passive participles. Your reliance on them leaves your proposal vague as to who is doing the guarding, regulating, and reviewing, when one of the big issues in mobile device security is who has the power to do the guarding, regulating, and reviewing.
Re: (Score:1)
It is amazing to see how people can handle so many advertisements. I always block ads and scripts from running, simply because I can't trust the advertising networks. They have shown repeatedly that they are willing to push malware. I also install a hosts file which does a good job at blocking ads (I don't buy a platform that I can't install at least that).