What Security?
So Google will soon issue a fix for the vulns that allow this malware to infect Android devices, and in about two years about 50% of Android users will be on a release that includes the fix. Excellent.
Security researchers at Kaspersky Lab report that a recently discovered Android Trojan is the most sophisticated such mobile malware yet to be identified. In a post to Kaspersky Lab's Securelist blog, security expert Roman Unuchek describes the malicious program, dubbed Backdoor.AndroidOS.Obad.a or "Obad" for short, as being …
That is a valid point, and not just about Android.
It is high time that all devices with embedded software had a legal requirement to provide timely fixes for all notified security exploits for at least 5 years after purchase, along with proper financial penalties for the companies selling such devices that fail to do so.
Think of all of those phones, printers, routers and numerous other semi-smart devices that have a network connection and no one looking after them.
No need to worry, just a couple of weeks ago Google said security vulnerabilities should be addressed within seven days.
"Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management."
Well, that's good news, but what about people who have older phones that the individual phone manufacturers don't issue updates? Is a Samsung Galaxy I still vulnerable? How about a Droid?
While Google is making a good effort to patch issues like this, relatively quickly, the manufacturers, and sometimes carriers, still, and very often, have final say in an OS update.
On the Apple side of the house, more effort is placed into platform standardization. Right now, the only phone/s and devices that can't receive the latest OS include the iPhone 1, and the iPhone 3G. These devices never had the horsepower to support multitasking that every other generation of iPhone had.
It would be advantageous to all Android customers and users if they could apply an update, directly from Google for a trojan like this. A trojan that has all this functionality can be a menace, and in a corporate environment would create some serious IT security issues.
What, an Android virus, malware on my Android phone!
I am incensed, this all is Apple propaganda, all lies, how dare they say this, it must be a Daily Mail story, someone is always ready to knock Android, these evil doers, nasty people who keep spreading such malicious lies and rumours .........
Interestingly in PC Advisor August 2013 page 14, the headline 'Laptop makers drop Windows 8 for Android'.
Well what a rip roaring fatally flawed platform you will be getting on your laptop. Yippee-ki-yay.
Kaspersky want to SELL you a malware solution for a problem that CANNOT exist. There is no means of any software installed with user privilege gaining root access without manual user intervention.
These are desperate times for the anti-this and anti-that manufacturers. Even the latest iterations of Windoze are getting more secure, and MS's own, free anti-malware programs do the job better than these bogus third-party efforts. McAfee, Kaspersky and all the other snake-oil salesmen are rapidly going out of business, and these specious claims and malicious lies are their final efforts to keep their businesses alive.
Actually, unlike Linux, Android is not vastly more secure than the alternatives for three obvious reasons:
(i) all software has vulnerabilities and the more complex, the more vulnerabilities;
(ii) Android is very popular and by definition very connected and therefore very valuable to criminal malware coders;
(iii) as stated above in detail, device manufacturers are essentially negligent in their provision of timely updates to fix known Android vulnerabilities.
As for the idea that malware could not possibly gain root access without manual user intervention, that's just plain not true. One of the main ways of rooting a good number of Android devices involved exploiting a vulnerability in the OS. All the user would notice if this were malware would probably be the device rebooting unexpectedly - hardly an unknown occurrence with quite a lot of mobile devices.
Don't get me wrong - I love Android, it rocks compared to everything else widely available at the moment, but let's get real. And likewise I have no remit for the AV companies, especially when they make such obvious "BUY ME!" releases like this one from Kaspersky.
"unlike Linux, Android is not vastly more secure than the alternatives"
Actually Linux has one of the worst security architectures and vulnerability counts of any current OS.
Look at exploit statistics for a market where Linux is actually used like Webservers, and you will see that you are far more likely to be exploited running Linux than say Windows Server or BSD...
That's funny!
In the real world I support PCs in homes and small businesses and I have only one recollection of a PC with Microsoft Security Essentials becoming infected, but I am continually dealing with PCs with McAfee, Norton, AVG and Avast that have become infected.
It's not an INDEPENDENT test just my experience.
"Kaspersky want to SELL you a malware solution for a problem that CANNOT exist. There is no means of any software installed with user privilege gaining root access without manual user intervention."
And if a typical thick user stumbles across a website telling them they can have a pink pony dancing around on their lock screen by following a few steps, some will do it. Even if those steps are to give the app root control.
1) You need to install it in the first place (with all the permissions to donate all your bases to the app)
2) You need to specifically grant it the administrative privileges when it asks from you
So if you do both you totally deserve it.
To have a resemblance with the windows malware one might want no work done on the behalf of the user, so that the trojan/virus installs on the machine by itself.
"So Google will soon issue a fix for the vulns that allow this malware to infect Android devices"
The only short term fix would be an upgrade to a secure OS with a chain of trust model like Windows Phone. Android is insecure and broken in so many ways due to its Linux heritage that a simple fix is not possible....
There is no mention of how the malware gets into the system, from the article it appears that the virus must be "installed".
The article also doesn't mention how the virus gains "Device Administrator privileges":
How did Kaspersky manage to find this well hidden, disguised virus?
How do they know it can connect to URLs, ping etc and yet not know the addresses that it pings, connects to?
To be honest just about any article about how a "security" company have "found" a really nasty virus/trojan etc. is completely lacking in any real detail about just how these things get onto your computer / phone / nuclear reactor controller.
I'm getting more and more suspicious that a lot of it is total and utter bullshit and why tech sites do not challenge the companies over the real details rather than just regurgitating their press release I do not know.
"I'm getting more and more suspicious that a lot of it is total and utter bullshit "
+1 - Especially when they don't mention anything (like the name of the app) that might prevent people downloading the trojan in the first place, just "buy my program now".
Also why didn't they report the name of the app to Google so they can remove it from the Play Store? That would stop 99% of people getting infected.
Much better for sales to say it's a vulnerability, so anyone who hasn't updated their OS recently will buy AV...
Who says it was an app? Maybe it can be spread from an infected PC on the same network, or spread from an infected phone to other phones using the same AP, maybe you just have to visit the wrong website, or maybe visit the right website that unfortunately has a contract with the wrong ad provider.
There are a lot of ways for malware to spread beyond downloading dodgy apps. It's just that that's been such an easy path so far that malware writers haven't really had to try as hard. Sort of like how PC malware used to be spread by infected floppies and .exe attachments, and because that was so easy there was no reason to write something as complex as Stuxnet.
There are a lot of ways for malware to spread beyond downloading dodgy apps.
These ways are good for MS Windows mostly. With the allegedly huge amounts of Android malware (that very few people have ever seen) none gets on a device automatically and without the user explicitly installing it.
And.... it's a big non problem because:
1) you have to download and install the malware - which means you have to agree to the permissions it needs to run.
2) you have to enable Device Administrator support for it to be able to do anything bad to your device
3) You need to be rooted for it to be most effective.
The chances of 1 are admittedly higher for the "I will download everything I possibly can" crowd
The chances of 2 are pretty slim as the sort of people caught by step 1 - are not the sort of people who know about device administrator
and the chances of 3 are 0% because the sort of people who are rooted are not the sort of people who go out and download everything under the sun believing that everything will be sunshine and roses.
Finally - it does not use "previously unknown" vulnerabilities - it uses well known vulnerabilities.
The team that discovered this trojan also admit that because the code remains largely encrypted until it first makes contact with the C&C server - it makes it very difficult to analyse what it does and how it does it - in any great detail - which frankly - I find ludicrous to suggest - either stick it on a fresh device with a PAYG sim card or stick it on an emulator.
I don't think that's a problem restricted to Android users, you should see the S$5t the family yoof download onto just about every device they own and then ask me to fix when it all goes horribly wrong. They really get upset when I wipe the device and reload from scratch and ask for the backup, tease that I am.
>> you have to download and install the malware - which means you have to agree to the permissions it needs to run.
Quite, but how many people actually take any notice of, or understand, the permissions warning screen? After all, if you've downloaded <x>, it's because you already /want/ to run it - Android doesn't give you any option of "stop this application doing this, but it might compromise functionality", it's all or nothing, "install it or don't". Everyone I know, *myself included*, hits "install it". So all you need is something that people *want* to run, and you're on a load of devices.
Your issues 2 and 3 are largely moot because, once you have code running on a machine, you effectively have physical access. Privilege escalations are hardly unknown, after all, and Linux kernel + Android runtime provides a pretty large attack surface, especially given the likelihood of anything having been patched since the device left the factory.
The privileges are not granular enough. You don't have the option of installing an app with some privileges, so you either accept full access to SD card, or you do without the app -- No option to chroot an app to subfolder on the SD card, You either accept access to the camera or you do without the app -- no option for "ask me each time". This would also be useful with "services that cost money"
There is also, afaik, no log of which app invoked which privilege and when, so there is no auditing. So, in my experience, although I don't like it, the accept permissions step of most apps I'm interested in is pretty much just one more click you have to make.
The lack of control over permissions on Android does increasingly irritate me.
Especially when I'm using my Blackberry Z10 where I can say "actually this app can't use location services but I'm ok with it reading stuff from my contact book" if I so want.
Why the hell android does not allow ME to control that I have no idea.
Not related to this trojan but since you are saying BB10 permissions are better
Have RIM fixed that little permission where you can't use the GPS hardware in the device without using location services and therefore agreeing to give them all your location data/wifi hotspots/gsm cells? That genuinely annoyed me when I got a Z10, it's my hardware why can't I use GPS on its own.
That's what I always used to think on my stock android. I couldn't switch on the GPS without sending data to Google. No, not because it was using wifi to locate, that was disabled, I couldn't activate the GPS module on the phone without first agreeing to send "anonymous" data to google. (yeah, because a lat and lon with no other information would be so useful!)
So not a blackberry specific problem, one that occurs for users of Android handsets as well...
Isn't it high time Android moved to a model of rolling updates from a central (Google) server just like any other internet connected OS? The device customisation by manufacturers needs to be restricted to only self-contained device drivers, pre-installed apps and some UI appearance settings. It's crazy that you can still buy new devices that are stuck on OS versions from 1-2 years ago, given that the software is free. The latest generation of devices ought to have sufficient memory and storage available to handle a slow growing OS footprint.
I'd also like to know if any of the vulnerabilities are in the Linux kernel upon which Android is based.
Yes, that would be ideal for me, but alas the manufacturer and network pre-installed stuff is the main way HTC differentiate themselves from LG from Sony from Samsung. They all want to add their branding and app stores to the handsets to get a bite of the recurring revenue not just the low margin hardware market or data carrier market
". They all want to add their branding and app stores to the handsets to get a bite of the recurring revenue"
And then they wonder why they don't actually get any income. Who the f*** buys anything from the Samsung or HTC crapp stores? Who uses their mobile operators content portal? A tiny, tiny minority, because everybody uses iTunes or Play, or Amazon.
If the hardware makers want more money, then they should make their devices work better so that people will pay a bit more for them. DLNA is slow and sluggish in most implementations, involving deep menu dives on both devices. Tablets often struggle with simple tasks like printing. TV's are craply integrated with other media devices. Where's Jobs when you need him? He'd have made it work, and then everybody else could have learned how to do it.
Although even there, Apple showed how to manage a phone OS, and Google managed to ignore the important bit about central control and avoidance of fragmentation.
Android is open source, how exactly is Google supposed to force updates on Android phones? If they had code to do that, it would be among the first things Samsung removed in the process of building their own version to install on a GS4.
As for why Samsung doesn't do it, they've got a ton of different models, with more coming out every month. Even the models that use the same version of Android probably have different bits of customization in them, simply to patch existing versions to fix a security issue is probably a big job. Let alone taking a newer generic Android version from Google, adding back the customizations for their dozens of models, and then testing it to make sure their customizations didn't break anything when matched against the newer Android code. No wonder it is mostly only the high end Samsung models that get updates, and even then not in a particularly timely fashion.
So making an Android device to put your own storefront on it is doomed to failure, then you cite everyone buying from Amazon *cough*Kindle Fire*cough*?
"Where's Jobs when you need him? He'd have made it work, and then everybody else could have learned how to do it."
Funny how he failed to make these things work. I love how Apple fanatics now argue by simply *making up what Apple might do*, even though they haven't done it. Let me try it too: an Apple solution would only work with Apple devices. It would cost twice as much, lack basic functionality, sell less than the competition, but have a light up glow in dark logo and be hyped by the media before it even existed. Just like you are doing now.
The examples you list are precisely the things that Jobs and Apple don't do well. Just look at the mess we've got ourselves into where so many audio devices only work with the minority of Apple phones or outdated ipods - my TV actually makes a far better audio sharing device, because it supports DLNA and USB, working with any hardware or platform.
Jobs' brilliance was due to his focus on esthetics and user interface, leaving the *how* to the grunts.
There are many stories of something being submitted to him. He'd play with it, then demand, "Why doesn't it do this? Why can't I do that?"
When they'd tell him, "It doesn't work that way." or "that's not secure.", he'd throw it at them and demand that they bring it back when it "worked right".
Guess what? They brought it back meeting his demanding criteria, and still kept it mostly secure.
Jobs wasn't a computer genius, he was a people genius, in that he knew what the average joe on the street expected from a device.
It's Open Source, so manufacturers can and do what they like - and with Samsung selling 10s of millions a month, they're not going to change anytime soon.
I do agree though I wish there were more Nexus-like devices - perhaps we'll start to see this now (as with the new S4 announced running standard Android).
"The latest generation of devices ought to have sufficient memory and storage available to handle a slow growing OS footprint."
Possibly they don't though? My Galaxy Nexus is starting to be sluggish in areas, and it's still way better than the low end of new devices.
Since PRISM isn't on our devices the answer is fairly simple. Don't use anything that runs through American servers. i.e. route your connection over a VPN to some anti-American country and do not use any services provided by infringing companies (or any US companies).
While that country may be doing the same thing, at least they don't have the jurisdiction to arrest you on some fancy charge. Just make sure they don't have an extradition treaty, not that it'd be in their favour anyway.
Sounds like you are on the drugs. Seriously, you think that a very small number of infections by a dangerous trojan and a few other virus is the same as Win98's thousands upon thousands of infections. And Android at least has some notifications of what applications will do, Win98 had nothing. Android is not even beginning to look the same as Win98.
« In 98 most of this stuff was new. »
If by "this" stuff you mean things like access control and other security details designed to minimise the risk of Bad Things Happening, either maliciously or by inadvertence... I could swear all that was already a fairly well-known problem with which manufacturers of multi-user operating systems were familiar (which group at the time already included Microsoft, through its kind of unloved Unix ventures).
"Seriously, you think that a very small number of infections by a dangerous trojan and a few other virus is the same as Win98's thousands upon thousands of infections"
And you're forgetting that Win 98 only had a few, small infections at first as well.
It took several years for it to get to the point that there were thousands and thousands of infections. We're still in the early days of Android.
And as for Android's defenses? It alerts you to what permissions an app is asking for, and the only control you have at present is "yes or no" to all.
Android really needs a fine grained permissions control for apps, which it will at best only get a partial version, because Google needs its data.
I still want to know how many devices were infected that weren't rooted. I'm guessing the answer would be 0? The only thing I'm surprised at is that there aren't more infected smartphones (of any platform) that are basically allowing random apps to run as root (which was half the problem with Windows up until UAC).
Thing here is, the droid builds for rooted phones tend to let you perform post-install permission denial, either built in or by using an app like Permissions Denied. So, it can obviously be done. The only thing that prevents me from rooting my own devices is because I'd like to install Cyanogenmod or whatever distro, then re-lock the device under my own key.
Add the ability to root, mod, then re-lock, and I bet you'll slash the already small amount of Android virii out there.
Of course, if someone decides to enable downloads from unofficial sources (and let's see that code swapped to allow different 'official' app stores eh?), root the device, leave it open then go on a download binge from cracked-apk-downloads.com, you can't really blame the device or the system for that.
I use avast, mainly because I use it on the win laptop too and it integrates with it nicely. From there I can see the phone status, and also control it remotely if lost or stolen - to get it to report its location, take a pic, get the new phone number if the sim is changed or do a full wipe etc.
On a more serious note, any recommended AV applications for an Android tablet?
I use the don't-run-rooted method of virus avoidance and it works pretty well. If you're worried about random apps nobbling your SMS messages or somesuch, the usual firms (such as Kaspersky, hoho) will sell you a security suite.
Advocates of Windows have long since argued that it is more prone to viruses because
(a) it has a bigger user base, so is a more attractive target
(b) it has a higher proportion of average (i.e. clueless) users who're more likely not to exercise proper caution
Android's woes on the security front do tend to support this argument. A Linux kernel probably isn't any safer if put in the hands of an idiot user than Windows. But the fragmented Android system for distributing security fixes is going to be the big killer.
"A Linux kernel probably isn't any safer if put in the hands of an idiot user than Windows"
People tend to forget, or don't know, that the NT kernel for windows actually has very robust security built in.
NT, Linux, BSD, whatever, the security of the kernel doesn't mean a hill of beans if what's layered on top of it ignores or circumvents that security.
Breaking into and abusing any Windoze kernel is trivially easy (due to the stupid anti-security decisions made by William Gates back before he needed to shave). The faults in Windows persist right up to today.
Conversely, the Linux kernel has remained largely secure despite its massive installed base. It's the predominant internet OS - for servers of all kinds, routers and switches. Even Microsoft use it where Windows won't scale! Android is just a shiny desktop, and does nothing to compromise the basic kernel.
Kaspersky are just like all the others of their ilk - selling non-existent solutions for non-existent problems. (None of their "solutions" actually do anything useful)
Kaspersky, a company whose sole source of revenue is band-aids for shoddy Microsoft products, has been paid by Microsoft to distribute fearmongering about a platform that is rapidly eating into Microsoft's market share.
They may have even been paid by Microsoft to develop and distribute the trojan itself.
Wrong and wrong again: Microsoft don't have any market share in the mobile space to eat into. And with the patent royalties they receive on Android sales, they probably make more money from Android than Google does! So why would they pay someone to develop an anti Android trojan?
But anyhow, how come Android has exploitable security bugs? How many times have I read that open source software is inherently more secure because of the 'many eye balls on the code' factor - looks like some of those eye balls belong to the bad guys!
Please. Are you claiming Android has no known exploits? Everywhere knows it has security holes, just about all software of any significance does. The article even mentions that the malware uses several previously unknown exploits to do its dirty work.
Obviously Google will fix the ones they know about when they make a new release, but that really only helps the people on devices running stock Android who can and will update right after it is released. If Microsoft was able to make Windows 8.1 100% secure at release, there would still be Windows exploits out in the wild 10 years from now, because there will be a lot of people running something older than 8.1. And even Windows 8.1 machines would have security issues, because of all the third party software they might be running (Adobe, Java, etc.)
Are you claiming Android has no known exploits?
Does your question relate to all versions of Android throughout the whole time it is developed? Then -- no, even though Android hasn't yet given a single remote code execution vulnerability.
I am claiming that Android managed to avoid the issues of the MS Windows where sometimes (much more often in the past) you don't have to install a malware yourself. A user-friendly system, an ingenious OS feature or a vulnerability would do it for you when you
-- open an email
-- click on a link
-- visit a webpage
-- insert a media
-- open a document
It would often get spiced up by the fact that quite a few people had to run the system as administrator since so many apps wanted them to. In the meantime, Microsoft and an army of AV vendors urge you to never stop running antivirus software.
Kaspersky does try to stay ahead of things by proactively seeking potentially dangerous code, but it would be nice to know if there were any infecting apps discovered in app stores.
As for requiring security fixes for 5 years, all that would do is shift innovation to China as reputable, regulated manufacturers would slow development, investment, and number of available products while gray products would flourish.
Ever wonder why cars, and in particular German cars, are so expensive? The requirement that every component be available for an absurd number of years is a good part of that. What happens when CE manufacturers are told they have to support code for devices well beyond their planned lifespan? The price has to go up to pay for all those bodies.
This comment has just scanned your system for viruses and malware
Results - 42 viruses and 53430 instances of malware. Not to mention your browsing habits are awful and possibly illegal.
Please report to the local government office or buy our Super Virus and Malware descannerizingutron software comes a free Malware free copy of Angry Birds! it only spams your email and scans your retinas every 30 seconds*
*Unpatched webcam required. Please leave computer on 24/7.
Secured by the National bank of Uganda and Cousin Benson