back to article Tainted apps worm into official Android store

Dozens of tainted applications have been discovered on the official Android Market. More than 50 applications have been found to be infected with a new type of Android malware called DroidDream, an information stealer. Fraudsters repackaged legitimate apps (mostly games) so that they included malicious code before uploading …

COMMENTS

This topic is closed for new posts.
  1. The Fuzzy Wotnot
    Happy

    Cue Apple/Android fanboi fights in 3...2...1...

    ( *duck* )

  2. Anonymous Coward
    Coat

    This is news?

    Surely this has always been the risk with non-walled gardens?

    While apple's is hardly perfect, at least the risk of installing a dodgy app is significantly (but not totally) reduced.

    The droidbois always love to diss the Apple app store, but perhaps they should wait until they're got their own house in order first before the mud slinging.

    I'm hoping Google find an innovative solution to this, to prove that their app store concept is better in the long term. Because it's the one remaining barrier i have to moving to droid.

    1. sabroni Silver badge

      The news bit would be...

      ...that rather than just being a risk, this has actually happened?

    2. Richard Gadsden 1

      Isn't the point that this *is* the walled garden?

      Android has a walled garden - the official app store - but the garden-keepers got it wrong and let apps in that should not have been.

      You can choose to leave the walled garden on Android (and you can't on iPhone without jailbreaking) but this is inside the walls.

    3. dotdavid
      Jobs Halo

      I'd quite agree...

      ...except the Apple curated model also lets in new strains of malware now and again. Perhaps it's unlikely to be as much of a problem on Apple because the barriers are higher, but I think you need to be wary on any platform.

      After all the malware writers only need to be lucky once, whereas the AppStore guardians must be lucky all the time ;)

  3. Ted Treen
    Jobs Halo

    @Wotnot

    No fight - just a comment that had this happened on Apple's platform, we'd now be drowning from the surfeit of spittle-laden invective...

  4. pan2008

    hehe

    That’s why I don’t like Android and am using a windows phone 7. One of the few reasons anyway.

    1. doperative
      Linux

      Microsoft App Store ©

      > That’s why I don’t like Android and am using a windows phone 7. One of the few reasons anyway ..

      Seeing as the Microsoft App Store © will be immune to this kind of exploit .. heeeee

      1. dotdavid
        Gates Halo

        @dooperative

        "Seeing as the Microsoft App Store © will be immune to this kind of exploit .. heeeee"

        Well we can hope the scammers won't be able to afford the annual fee... maybe not ;)

      2. pan2008

        yes it is safer

        > That’s why I don’t like Android and am using a windows phone 7. One of the few reasons anyway ..

        >Seeing as the Microsoft App Store © will be immune to this kind of exploit .. heeeee

        Cause to register as a developer you have to pass all your details including a copy of your passport. So no passport no uploads into WP7. Apps are vetted by humans and updates to apps can happen automatically, so a bad app can be pulled with no much effort.

        1. Anonymous Coward
          Coat

          @ pan2008

          Is this true?

          Then the quality of the apps on the MS store should be excellent, and offer real peace of mind to the consumer. It's a good thing.

          Pity there will only be 3 applications on it, as all the Dev's reject the we-know-everything-about-you-now-sucker entry criteria...

          1. pan2008

            9000 apps at the moment

            @Anonymous Coward

            >Pity there will only be 3 applications on it, as all the Dev's reject the we-know-everything-about-> you-now-sucker entry criteria...

            .

            Well you may need to revise your counting skills then. Last time I've checked they were 9,000 apps. That's since October when it opened. Should be 40,000 by the end of the year.

            1. Anonymous Coward
              Joke

              @ pan2008

              Likewise, I'd recommend revising your humour skills. Everyone else saw the joke.

              9000 you say? How many of them are microsoft security patches though?

              (see I put I joke icon in, just so you'd definitely pick this one up).

    2. War Monger
      Paris Hilton

      @pan2008

      The only reason that I can think of that this would be less likely to happen on WinMo is down to market share.

  5. dotdavid
    Megaphone

    Kinda expected

    Don't get me wrong, I love my Android phone, but this is a fundamental problem with the open app store model. However I don't think it's insurmountable by Google.

    1) We need a better way of understanding app permissions. The current system is overly complex and most users (myself included) will just skip past them in most cases. Instead, why not have a permissions system where developers can annotate each permission with a description of why they think they need it. The Market could flag up a warning if an app doesn't have these permission descriptions, which would encourage devs to do it.

    2) Perhaps the Market could scan submitted apps on load and discover whether or not they have significantly different permission requirements to other apps in their group(s). Obviously this might not catch everything but it could flag the possible issue up to Google for them to investigate, and if they wanted to be extra safe they could make the Market display a warning to users that Google can switch off after investigation saying that the app may be unusual.

    There would have to be some further thought around how to cover cases where users submit an app that uses a dodgy permission but does nothing bad with it, waits for Google to investigate and clear the app, and then submits another version which does implement the exploit but I don't think that problem is insurmountable.

    3) Endpoint protection systems like Lookout and whatever the one that AVG bought are all well and good, but that sort of signature-based malware scanning could probably be more easily be done on Google's servers. It is relatively easy to disassemble APK files, why not have some kind of automatic scanning system on the server which periodically checks Market apps for known exploits?

    4) We need a better way of reporting potentially dodgy apps. The current "report this app" thing is all well and good but it should raise some kind of ticket which you can follow so you know that something is actually being done. These could all be auto-merged into one for each app if multiple people submit a ticket. There should also be some indication/warning when users download an app that has been reported as potentially malicious.

    5) Why not have a "verified by Google" symbol on apps? Might be a money-spinner for Google if devs pay to include their apps...

    I think the problem, as always, is that Google's development efforts are essentially random. Rather than implement better security they'll probably just spend time their time developing a new API for another random new and unused technology (*cough* NFC *cough*) and ignoring the bigger issues. And being an Android fanboi, I'm speaking from experience there... ;)

    1. TheRobster

      Well...

      it may be somewhat naive, but when I install an app from the marketplace, I do a cursory glance of what categories the app needs, internet access, phone status etc. If one of those categories is "Things which may cost you money" then it doesn't get installed.

      I know there are other ways to scam from phones, but this is the primary one.

      Also I did get the free antivirus.

      1. dotdavid
        Unhappy

        It's a start

        Alas that protects you from things like SMS scams, but not exploits or things that steal your personal information for fun and profit :(

        And the free antivirus programs are good but like their desktop counterparts they only protect you from old scams, not new ones.

    2. dssf

      Rate This...

      Google should know what we are using. They should have physical phones out there just running virtual users. When something amiss happens, they can know EXACTLY what pre-programmed behavious got a rogue app to reveal itself.

      We STILL need to have end-to-end monitoring and maybe an "out-of-band" type of pre-visit-setup that tips off Google to when something afould is running.

    3. heyrick Silver badge

      I wish Google would man up

      ...and allow us to allow/deny app permissions ourselves. A problem is full internet access is required for embedded adverts, but the same could be used for pushing out stolen data.

  6. dave 46

    Trust is given way too easily

    I don't trust apple or google to vet app store programs properly. There are too many, there's no money in it, and it's too difficult.

    I'd pay more for apps in a store that I *knew* were subject to vigerous quality control (no crashing, no dodgy behaviour, no incomplete features). I've been dissapointed with the quality of apps on both platforms so I certainly don't buy into apples vetting procedures anymore (they seem more concerned about protecting apples and the carriers markets than ensuring I get a quality product).

  7. Maliciously Crafted Packet

    Android coming of Age

    Far from being disappointed Android fans should be celebrating. This news means that Android can join Windows as being a proper grown up operating system.

    Unlike OS X & iOS both of which are virtually malware free and as such are kept by vested interests well away from the enterprise. Android's new found status as an insecure virus prone OS will enable the platform to be welcomed into corporate IT land with open arms.

    Think of all the network admins, security consultants and anti virus developers this will keep employed over the years. If history is anything to go by this is your ticket to 90 percent smartphone OS domination.

    Android fans rejoice.

  8. ijustwantaneasylife
    Stop

    Audit trails?

    I'm not saying this is the right answer, as I'm not (yet) an App developer, just an ordinary PC developer, but why can we not just implement some sort of simple API level audit trail.

    I think one of the other posters alluded to something similar - we just persuade Google to vet all calls to the API and do some basic analysis regarding the nature of the App and what it is actually doing to the phone/pad. If you're selling a game App that access the phone/text functions, that would surely signal a problem?

  9. My New Handle
    Pint

    Google pulled 'em

    According to reports it didn't take too long for Google to pull the offending apps from Market. Not only that but they also OTA removed the apps from affected handsets. Given the circumstances it seems that this action happened as fast as was reasonably possible.

    I don't think that this is time for the usual pissing contest to kick off. All systems can be infected by such malwares if the intentions are there. It doesn't have to come from the device's app store, it could equally be a web-based exploit or somesuch. There is no high ground, we're all in this together and would better turn our outrage against the Malware developers. Personally I would have their heads on pikes along Westminster Bridge.

  10. '); DROP TABLE comments; --
    Go

    Heads on pikes

    Now THERE's someone after my own heart. I myself would like to hang the fuckers but I'd be equally satisfied with your solution. Well done!

    Ch-CLICK...HOCK! HOOOOORRRRRAAAAAYYYYYYYY!!!!

This topic is closed for new posts.

Other stories you might like