Maybe don't install that groovy pirated Android keyboard A mobile software developer has turned an popular third party Android mobile keyboard called SwiftKey into a counterfeit package loaded with a trojan as a warning about the perils of using pirated or cracked apps from back-street app stores. Georgie Casey, who runs a popular Android app-development blog in Ireland, created a …
Of those 293,091 malicious apps, 68,740 were sourced directly from Google Play," writes Rik Ferguson, director of security research and communications at Trend Micro.
So there are many Android users living in blissful ignorance with a phone stuffed full of malware.
Unless Google Play address the problem it will get progressively worse.
It make Apples problems really insignificant in comparison.
"WP8 has zero security holes so far, and WP7 only a minor cert related one. IOS has had over 400 vulnerabilities now - not really on the same level...Windows Phone is highly secure."
You are an idiot. You use the term "so far" and then state "Windows Phone is highly secure" in the next sentence.
Can't you see how stupid that is?
"Of those 293,091 malicious apps, 68,740 were sourced directly from Google Play," writes Rik Ferguson, director of security research and communications at Trend Micro."
Play probably only hosts these things for a short space of time what with Google's own virtualised testing and threat analysis, 3rd party AV efforts, and users able to report dodgy apps. And if a threat is found afterwards, Play also has a remote kill capability.
Exposure is probably minimal anyway.
One should really ask him/herself how this "scanning" is done? What is the algorithm to label an app "malicious"? Errors of the 1st and 2nd order, what about them? No magic algorithm exists and the numbers should be taken with a a great amount of skepticism.
Unless Google Play address the problem..
It's been addressed in the Android API already. It's called permissions transparency. Take, ths swiftkey keyboard example. It wants your sms, Internet access, phone communications . (While, another keyboard app, eg., hacker's keyboard, needs nothing of those!) Unheard of! It just doesn't call itself "fishy". One needs no keylogger malware with this one. The real problem is that it is really popular.
The only way I can see Google could improve on that is to put all potentially dangerous permissions, like reading identity, sms, Internet telecommunication, phone calls etc in flashing red font along with extra warnings and alarms when those are permissions are required.
Of those 293,091 malicious apps, 68,740 were sourced directly from Google Play,
There are more than a few things suspicious about this story.
Why is it I can't find a list of these malicious apps found by Trend Micro anywhere?
Isn't Google Play supposed to remove these 68,740 apps as a violation of their TOS?
Is this an accurate account, or is this really an attempt for Trend Micro to scare people into installing their Android security apps?
Which BTW have sweeping permissions And after the 30-day trial Trend Micro Mobile Security costs you a whopping $29.99 (.£19.75).
Wow, look at all the AC's in this thread, it's a bang'n! All out OS ~security~ comparisons, marketing share comparisons, one of them even snuck Win8 into it!
Anyways, this kid has demonstrated that running code on a computer can do things. Don't get me wrong, I'm glad he wrote this application, we now have a name to associate to malware. If you get malware, e-mail this kid with your thoughts. Anyhow, maybe his next attention getter will be demonstrating how to wreck a car if it is moving.
"Which BTW have sweeping permissions And after the 30-day trial Trend Micro Mobile Security costs you a whopping $29.99 (.£19.75)."
@BillG: Yep, seems like FUD. I have the same thought, and that thought trumps all those "statistics". Also, I don't think you can find a list because all other malware scanners are part of that list! If you think about it, wouldn't they have to be detected as such due to their nature?
It was never " mooted as a selling point." I love how people just make shit up, the same applies to PS3 OtherOS, also something that was never promoted, suddenly has claims to be advertised as a feature (unless a single line mention in the handbook is now advertising...)
The other point is, yes, it gives you the freedom to do so, but not without first giving you a scary Malware warning that tells you that you are opening yourself up to Malware, and keyloggers and all sorts of other nasty shit.
So rather than these idiots trying to scare people into buying their virus "solution", the press should be highlighting those that encourage users to enable sideloading. Facebook and Amazon being the two biggest culprits.
Can't say for sure about Android, but PS3 OtherOS capability was advertised, if perhaps not heavily promoted, for the original and, I believe, first revision units. At least one company, whose name I don't recall at the moment, offered a PS3 with preinstalled Yellow Dog Linux for about the same as the combined price of the PS3 and the Yellow Dog installation media. I bought a PS3 for the BD player, as Sony adoption of Blue Ray appeared to presage the death of HD-DVD, and for the OtherOS feature. I have not upgraded the Sony firmware since they removed it (and will not do so), and eliminated Sony from my hardware candidate lists, especially after their action against George Hotz.
Given that Google play itself is filled with malware as well. I have downloaded at least three that my sophos home virus scanner & my android avast scanner have detected and killed. For the record they were the gangnum style type things (can't remember the app name)
Google play store is just as bad and should be treated with utmost care.
If I'm stuck only using the official Google store, my reason for going to Android becomes moot. It starts looking like that "walled garden" of Apple's that is supposed to be restricting my freedom so badly.
I thought the point of Android was freedom, and not being stuck with an involuntary walled garden. So now you are telling me to be safe I need a VOLUNTARY one? Make up your mind, walled gardens, bad or not? If you still can't leave a jail, does it matter if the door is locked or not?
You're not stuck using the Google Play store, but you accept that there are risks if you don't. If you aren't prepared to accept the risks, then really you should be in the walled garden (not a criticism or an insult - promise).
The trouble is this article suggests (and maybe right, I've not seen the quality of the original research) that while you may be taking fewer risks by sticking to the Google Play store you're still running a level of risk that you wouldn't be if you were using iOS or WinPho8.
To be clear, I'm not advocating the Apple/MS walled garden route as some panacea - nothing is perfect - but for many non-techies it's safer and more appropriate. For the average savvy punter on here though, the ability to understand the risks and consequences and positively accept them is a good place to be accepting also not to beef when you pick up some key logging from an obscure apps depository that you really shouldn't have used.
In the end the reason for going to Android is the same and doesn't change, but the way to approach the whole area of Apps and how/where you source them does change.
Valid point but i'll wager (myself included) those sheeple would rather the efforts be focused on stopping or helping to mitigate "attacks" like this....
If you cant trust the (goole, MS, Apple BB etc) company to provide you with clean, tested and approved software then we are all screwed...
"If you cant trust the (goole, MS, Apple BB etc) company to provide you with clean, tested and approved software then we are all screwed..."
I don't use any of the above, because I don't trust any of the above. Marketing doesn't provide clean, tested software ... rather, they sell whatever sells. And the sheeple slurp it up.
Sales doesn't equal "safe and secure". Never has, never will. Sheeple are sheeple.
Which phone?
The one at my elbow is an early 1950s Western Electric 500 rotary dial. The one in my shirt pocket is a Nokia 5185. My telephones are telephones, nothing more, nothing less. They make and receive telephone calls. That's it. I'm an old UNIX hacker ... one simple tool that does the required job, and I'm happy with it.
He just doesn't want to admit to being a Blackberry owner :)
What makes open source any more trustworthy? unless you validate the code and compile it yourself then it is no different to anything else, you're still trusting someone to be supplying you with a clean product.
It's almost like trying to buy drugs and wondering what you are getting and if the supplier is legit.
No, DrXym. I haven't lost anything.
I'm calling the vast majority of the unwashed masses "sheeple", because they follow the flock unthinkingly. They don't actually have a personal point of view, even if they are potentially capable of obtaining one. They follow the church, the political party, the ruling party, the computer company, etc., even in the face of reality that is obviously smacking their faith with cold, hard facts.
They have lost. Sad, that. And I'm totally fucking serious when it comes to this opinion.
If you think I've "lost" because of "thumbs" here on ElReg, you are deluded.
I'm not a surgeon? No? ::eyeballs DVM cert. hanging on wall[1]:: OK. If you say so ...
It takes more than one post to respond to more than one commentard. Kinda like trying to treat fatty tumors & thyroid issues in an old dog with a torn ACL and mange.
I want a version of Fitaly - kind'a. As it is, I use Fitaly on full-fat Windows touch devices, such as right now. For stylus or one-finger typing, it's a lot faster than the QWERTY layout, once you learn it. But about half the speed - for me - of typing on a good real keyboard. I assume that a tablet screenboard or skinnyboard is also less satisfactory than a real keyboard - and real keyboards presently very very quickly make my hands and wrists hurt like heck, so I need to use an alternative. Speech recognition is cute, but I'm a programmer so I have to write things like "SET @if_digest = N'IF ( ' + STR(@spdigest) + N' = 1 ) ' " which are, at best, tricky to say aloud.
Yes, if they are getting the pirated app from some dodgy website or a torrent, but they're downloading these from a Google app store!
If you walked into PC World and purchased a counterfeit product you would be pissed off, but it seems (according to you) that doing so from a Google app store is okay?
"Someone who wants to use the keyboard, but isn't given a more fine-grained option to deny certain permissions while proceeding with the rest, so just shrugs and allows everything."
Root and use lbe or pdroid combined with avast and adaway and all permission and snooping related issues are gone.
I rather like the swype beta keyboard, but buried in the smallprint of the terms of service was the fact that it reserved the right to monitor what you were doing for `testing and performance improvement`. Using lbe, I nipped that right in the bud, blocked its internet access and about 10 other snoopy little permissions it grants itself. And pray tell, why would a keyboard need fine (gps) location to do its job of transporting my prose into a textbox?
"Root and use lbe or pdroid combined with avast and adaway and all permission and snooping related issues are gone."
Sure, the average person is going to know that they need to do that and also how to do it.
I think it is fair to say that most people with a smartphone are not that technically orientated.
so what's the best way to have fine permission control on your phone that doesn't require rooting it?
"Sure, the average person is going to know that they need to do that and also how to do it.
I think it is fair to say that most people with a smartphone are not that technically orientated.
so what's the best way to have fine permission control on your phone that doesn't require rooting it?"
This is the problem, even looking at the permission list before installing isnt going to stop a non tech minded person installing that free ringtone maker. Most non-technical people i know with smartphones just install willy nilly, they dont even understand the concept of permissions, its just a screen of boring text to click through.
The snarky answer is that these people should either take responsibility and educate themselves or suffer the consequences.
Its the same with windows, i see so many machines with no av and with unpatched browsers laden with toolbars. The owners are stumped as to why their £600 machine goes so slow, they have no concept of malware, trojans etc, even after being told many times. To them its just an appliance.
This isnt just about Android either, Apple are no better, they just hide the permission system in a `what you cant see cant hurt you` kind of way. Yes, Apples app store is more locked down and thus potentially `safer`, but Android is where the real inovation and off the wall concepts are happening due to the low barrier`s of entry and lack of restrictions development wise.
I think the only solution is education, i love how open Android is and wouldnt want to see it go down the Apple closed ecosystem route because a load of numpty`s got pwned through their own lazy ignorance.
Maybe some people just shouldnt own smartphones. As a huge believer in the advantages of technology in daily life, that thought really depresses me.
One of Swiftkey's USPs is that you can feed it the logins for your email/facebook/twitter accounts and it will do a scan of everything you've written in the last few years to build a personalized predictive text database for you.
Not something I'd be comfortable allowing, but a couple of my less-paranoid mates swear by it.
But why do you think installing a software on a phone should be more secure than on any computer ??? Because MS, Apple or Google host them into a so-called Store ?!!! But this is not a guaranty of safety, only a guaranty for THEM to hold those apps and make business from them !
A software is simply a pack of instructions that someone (that you trust ?!) created and that you accept to execute on your phone/computer when you install/execute it !
People install every apps they get, they are kids in front of candies !, without wondering why some meaningless apps ask for so much permissions (GPS, contacts, accounts, running apps, change system settings (?!!!)), and so on...)... But that does not differs from all theses permissions that you have been giving for years to your computer's applications that you daily launch with administrator or root's permissions !!!
Wake up !
Google play houses 800,000 apps.
Google play housed 68,740 malicious apps.
So 8.6% of apps could be malicious in some way.
However it is incredibly easy to post apps on google play.
Malicious apps don't necessarily stay up for long.
Malicious apps rarely have a chance of getting noticed or found by a user as most apps have to develop a popularity to be easily found.
You would often have to either try to search for them knowingly or make a mistake with a search to find one. They often have misspelled or similar names to popular apps so that they actually have a chance of showing up. Similar to sending your bank details to a link on a spam email from an address such as security@hsbc.org.uk
Actually realistically accessing malicious apps from Google play is not a large scale issue. I don't trudge through 100,000 apps on Google play let alone trudge through the several hundred thousand required to get to the murky stuff at the bottom.
The original softkey keyboard app uses excessive permissions, which are presented to you when you install an app. It wants your network, sms and phone call capabilities. That is why it can be turned into a really bad app. It is already malicious or poorly written software. So judging from the permissions only, don't install it. Is there a way to know the permissions of your non-free windows/mac os x app prior to the install?
Yet, a better option is a secure repository with a good package manager, like apt, yum or similar
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
