High larious
Have fun with that.
While the mobile industry is still deciding if there's a market for two, three, or four smartphone operating systems, mobile malware writers have picked their target and are flocking to Android, according to the latest annual security report data from Juniper Networks. The company's Mobile Threat Center has analyzed nearly two …
It's like buying a car without seatbelts, you will be fine if you don't crash into anyone. What it cannot prevent is being crashed into by someone else.
Any other product would be recalled or fixed.
I wonder whether android was developed to boost income for the likes of Kaspersky, Trend Micro etc...
Just a thought.
Obviously a bit of a lack of reading comprehension going on here - along with a bit of scaremongering.
So to put into layman's terms the problem:
* If you choose to turn off the default security option to allow you to sideload apps
* and you choose to not load all your apps through the Google Play store
* and you choose to seek out apps that are pirated from an unknown site
* and you download an app from that site and go to install it
* and you don't have a free AV solution that detects it
* and it also passes Google's built in scan on later versions of android
* and you then read through the permission under the heading which is emphasised telling you that this app can cost you money and can send texts and make phone calls (bit unusual for a wallpaper, no?)
* and you then continue the install
* and you keep the app on your phone after you realise it is not the one you were expecting or is rubbish
then you are at risk from the malware mentioned in this report.
As you will see the problem is not quite as bad as it sounds.
If you think Google should not let you sideload apps and force you to use only the Play Store, then don't untick the box disallowing the loading of apps from non-Google Play store sources. If you really, just can't stop yourself unticking that box and you require the intervention of Google to make sure you don't untick it, then you have greater issues than malware.
And, you know, the people who go searching for pirated and cracked apps are also more liekly to be the ones who would jailbreak their iPhone so that they can load on pirated apps and encounter the same issues.
You're getting tedious ... why isn't this known as mobile malware as you do seem to choke on the word when it's that other platform?
"the traditional players in the PC malware industry were simply applying their methods to the mobile market"
Yep, it's PC malware when it's on the Windows platform ..
"Android's fragmentation was a point Tim Cook was keen to make earlier this month at WWDC"
For f**ksake, wouldn't fragmentation make it harder for the malware writers, same as fragmentation is negatively affecting the handset manufacturers?
--
'The [Tascudap] Trojan may arrive as a package with the following characteristics:
Package name: com.google.themes.provider`
I really shouldn't feed this but ...
"Yep, it's PC malware when it's on the Windows platform .."
That is because, rightly or wrongly, PC is shorthand for 'Consumer oriented Intel based machine running Windows'. No one calls a 'Mac' a 'PC' and no one (with any dignity) calls their Linux box a 'PC' either.
On fragmentation - fragmentation makes it easier to deploy malware because not everyone is running the latest and greatest version of the OS and people on older, less-capable versions are those most likely to end up at a dodgy app store offering cheap/free apps.
The Linux kernel itself has had a hell of lot less critical CVE lately for it than the POS Sunoracle joke JVM crap implementation. As for Dalvik I think its considerably less. Still I should have figured I was going to get down voted hard by all the butt hurt java developers who still think one of Java SE strengths is its security. Unbreakable my ass.
My Android phone arrived with malware pre-installed. So did the Win8 machines I hooked up the other day. And that's just what the manufacturers and carriers install. ALL the app stores are full of sketchy stuff. Almost as bad as warez sites. If you don't know what you're doing you're screwed no matter what.
I own a Nexus 4 because many aspects of Android make me more productive, but the app situation is a nightmare. I would not recommend Android to anybody without a decent understanding of how computers and viruses work, ever. Assuming it was in a padded case with a screen protector and someone was popping in every now again, I'd be very comfortable giving an iPad to a four year-old.
This is why I scream whenever people suggest that iOS gets the ability to switch default browser or mail client or keybord or whatever-it's a nice idea but Apple have all but said they can't find a way to make it work with acceptable security given their status as a mass-market company selling products to people who are a menace to themselves.
I would not recommend Android to anybody without a decent understanding of how computers and viruses work, ever.
Come on, one doesn't need a very high IQ nor a PhD to make sure
1) not to install outside of official Google Play
and, more importantly, use Android's own wall of defense by checking every time before installation that
2) app cannot place phone calls, nor send text messages, nor may cost you money.
And the other lines of defense. My Nexus4 offers to scan apps as soon as I try and sideload an app for the first time...
Seems this is the usual Android FUD financed by a company trying to sell snakeoil solutions. I vote with my wallet, and any security vendor playing FUD games is as bad as virus writers themselves.
Kaspersky Labs, looking at you. I won't be renewing, and I won't be recommending anymore either, due to your dodgy games.
'I would not recommend Android to anybody without a decent understanding of how computers and viruses work, ever.'
You've hit the nail on the head,
1. Android users really don't have a decent understanding of how computers and viruses work, hence the infections.
2. Apple users don't need to, because it just works.
3. Win phone users live in hope.
4. Blackberry users are easily conned.
This post has been deleted by its author
"... I'd be very comfortable giving an iPad to a four year-old."
To use real-world examples. I have never heard of anyone I know getting malware on an Android device.
I do personally know of two people whose children managed to run up very large in-app purchase bills on an iPad, in one playing session.
An app that sends a premium-rate text is a scam. An app that allows you to run up a bill of hundreds buying virtual gems or other such stuff, even in games targeted directly at kids is also, imho, a scam.
My mum's iPad was doing some very strange things (redirecting away from certain websites, refusing to update various things, chewing bandwidth etc). Eventually, I took her to the local Apple store where the assistant had a play with it for a while, and said "Well, I don't know what's wrong with it. Some programs seem to be corrupted, and others have had settings changed. I don't know what to do other than a factory reset." I pointed out that, if we were talking about Android or Windows, he'd be describing the likely results of a malware infection of some type, and (tongue strictly in cheek), wasn't there something like an antivirus or AdAware for Apple. I was rewarded with a look similar to what I would have received if I'd suggested that his father has carnal relations with camels whilst wearing unstylish clothes bearing the logo "I love Ballmer". "iOS does not have malware of any type!", he snapped, then proceeded to do a factory reset without asking whether there was anything that mum wanted to backup, losing quite a lot of photos she had saved, the spiteful twat.
TL:DR: I'm far from convinced by this notion that there isn't something that infects at least some of Apple's machinery, but no-one wants to admit it.
Don't be a dick.
Quite clearly if you use the Google Play store, you are safe. If you go shopping on Russian and Chinese "side-load" stores, then THAT'S when you are opening yourself to malware.
Guess what. If you jailbreak your iPhone and go shopping in similar iPhone warez sites, you get the same problems......
How is it "being a dick" to recommend people use free security software on their Android devices? Are you opposed to scanning new apps for malware? Are you opposed to being able to locate your device or wipe it remotely if you lose it or have it stolen?
It's free, at least if you use Avast or Lookout, and I haven't seen a performance hit with either of them. Seems like I'm not the one being the dick here.
Maybe because of crap supplier updates? It seems that most Huawei G300 users who've tried to install the Vodafone "upgrade" to ICS have found that it's totally buggered up their devices, so they've reverted (when they could).
I don't know the Android ecosystem well enough to know if this is typical, but it's certainly why my device is still on Gingerbread. And even though it's a cheap device, I'm not confident enough to risk any of the (probably very good) third-party ROMs.
Google Play is a joke. I realise checking apps is difficult but Google chose to set themselves up in business on this. Their Europe headquarters is in Dublin-if they offered jobs sifting through all the scamware at £6 an hour they'd have a queue of takers a hundred yards long. Not good enough. I own an Android phone and an iPad, but I barely have any apps on my phone besides repackaging of a couple of web services I trust.
The other problem is the level of scamware that needs to see my location, calendar, contacts list and the like. I appreciate that Google tells people about this when they select apps to install but that seems more like a copout-the options settings on my Nexus 4 for restricting what apps can look at are barely existent. It's like Google aren't just running a spyware company, they're enabling scamware all round.
I used to think the google was kind of innocent (or naive) and didn't deserve so much blame. However, these days I'm convinced they've gone EVIL (including the lobbying).
Having said that, the most obvious improvement to the store would be a 'financial model' tab. Google doesn't have to certify the information there, but they should give legitimate developers the option to prove their honesty. Fakers and scammers would still be there, but just the lack of proof would be powerful. Essentially the more the developer is willing to say about his financial model, and the more proof, then the more likely that is a safe app.
Let me try to to make it clear with an example. The developer's comment on the 'financial model' tab might say "This app is funded by advertising." Below that, there would be a section for google's comment, which might be "We have in fact paid significant advertising revenue to this developer" or "We have not paid any money to this developer over the last year." If you are comparing two apps, and one says "I earned $15,000 from this app" and the google confirms it, while another app has no such information, then you should regard the first app as much safer.
The author made the point that Google Play is ok. Its installing software from elsewhere that is a problem. Its the same problem on all phones, but Google are more inclined to allow you to do as you like.
For me, Google has two advantages - sync'ed email & contacts for desktop, mobile and web; and "download & save" for media. I can point it at port 80 on my home desktop/server and pull down a new ebook or mp3 without going to the study, connecting a USB cable, waiting for itunes to start (and sync), closing down iphoto. Searching for the downloaded file (assuming its been added to itunes) adding it to the sync list, click sync, wait for it to rummage through its database of stuff to do... Its just too hard and too slow.
I could also run up IMAP against a sync directory and sync to email, but that's just getting silly ;)
Maybe its just the old iphone I'm using, but my old work-provided galaxy S was far superior.
This post has been deleted by its author
Really...
Ok, let's look at it this way - why would there be as much effort as there is putting up other (less than reputable) stores and so much malware. People want apps as cheap as possible and will Google around (oh the irony) to find them. Being the most prevalent platform, with high levels of fragmentation and a broadly open architecture does make you a target - it's not just old vulnerabilities that made Windows a target you know.
It's good old supply and demand - not a tricky concept, dear boy....
Nobody needed to pay them - like most companies that have made similar announcements they conveniently just happen to have their own Android anti-malware solution for you to download. In this case it's called Junos Pulse and isn't going to gain momentum with its very poor reviews on Google Play unless they push it down our throats.
The article says:
"Apple does a really good job with checking apps," Michael Callahan, vice president of global security at Juniper told The Register. "Google does a good job with the Play store as well, but there are hundreds of third-party Android apps stores. They're enticing because you think 'I can get this app for free' and they don’t realize it's malware."
Why the hell do people think Google should be doing more to help combat malware for apps installed OUTSIDE of Google Play? You already have to specifically enable the option which is disabled by default, and there is on later versions of Android basic malware checking. Google should only be concerned with apps from the app store that they operate.
Those are two discrete problems with the same name. Windows malware tends to be installed without the user's knowledge and is then allowed access to look at all the user's data.
Android malware on the other hand warn the user that it'll look at your contacts, send SMS messages, make phone calls etc. The sand boxing means that one app isn't allowed to access another app's data (unless the data is stored on the SD), and certainly isn't allowed to modify other executables.
Have you seen the removal instructions for Android malware? "Go to Settings, Apps. Select app. Click remove". If there is a *real* security issue where an app that runs with elevated privileges, then I'll be pretty bloody annoyed.
Somebody used a seat belt analogy, mine has a light and an alarm if there's weight on the seat and the belt is plugged in - it's bloody annoying when I've shopping on the seat. However, it's up to me to make an educated guess on whether to heed that warning or not.
My major problem with android? Textareas are still buggy after so many years and sometimes online images aren't down in the stock email client.
Having said that though you really have to admire how thorough the malware writers are on Android. You can find malware packaged into just about every single type of application.
Friend of mine had his phone compromised after installing an SSH client if I recall correctly.
It's not just your usual free games and whatever other equivalent there is to free mouse pointers and screen savers on Windows. Plus some of the malware actually make use of zero day exploits in order to circumvent security prompts and the like.
This is really the price to pay though once your operating system becomes popular. Apple gets away with it for most part thanks to their ludicrous app screening process.
So a bunch of sites for pirated applications had a large amount of malware-infested apks uploaded to them. Are people actually downloading them? They get what they deserve, especially since Android tells you that an application has permissions to send SMS under a large heading that says "services that cost you money."
The article states "Apple users will typically only go to the official store for apps." I'd imagine this is true for Android users as well. Do the same researchers go to pirate websites to determine the state of Windows malware?
@doctor dodongo: " Do the same researchers go to pirate websites to determine the state of Windows malware?"
Given that such websites are one of, if not the, primary vectors for delivering Windows malware, I would assume they do.
As to the permissions thing, yes people download them and don't bother reading or ever attempting to understand what permissions they're granting apps. This has been known for decades and should be no surprise to anyone. It's why allowing apps to basically do whatever the heck they like as long as they can persuade a user to click-through some boring permissions screen is a fundamentally poor design for a Smartphone OS, given the abundance of obvious revenue streams for malware (premium rate phone calls/SMS, contact harvesting, built in payment mechanisms etc.)
It's why allowing apps to basically do whatever the heck they like as long as they can persuade a user to click-through some boring permissions screen is a fundamentally poor design for a Smartphone OS
Wow, how then you'd characterize the design of Windows OS, where
1) an app is not put in any sandbox, i.e., in the isolated environment, unless the developer wants it
2) noway to see what an app can do before installing the binary
3) no secure repos, like in the Linux and *BSD world.
Let's forget the multiuser implementation of XP, where you had to be an admin to run many userland apps.
Users probably don't check the permissions because they're so broad as to be almost useless, and now that everything has to be "social" [b]most[/b] apps want permission to access the internet, contacts, send SMS, send email, etc just so that you can "share" everything should you really want to. The best changes Google could make would be to make the permissions more granular, and even better give the user some kind of "ask me each time" option rather than just have to agree to everything.
>> They get what they deserve, especially since Android tells you that an application has
>> permissions to send SMS under a large heading that says "services that cost you money."
The problem is 3-fold, and categorising those affected as being somehow "deserving" is both condescending and hideously unfair.
1 - Pretty much *every* application demands a raft of permissions. As a user, you have no way of knowing *why* they are demanding those permissions, or what, exactly, the application will do with them.
2 - The user (self included) wants to run the application (it's why he / she has downloaded it in the first place, doesn't necessarily understand what the permissions mean, and is already used to simply clicking through without thought (see 1 above). So they simply click through without thought.
3 - Android doesn't give any option of "install this app, but disallow this subset of the permissions it's asking for". It's either "install the app, and give it what it wants", or "don't install the app". And the user, as previously noted, /wants/ to install the app.
I would imagine that the percentage of apps which fail to be installed at the point they've hit the "wants these permissions" screen of the installer is vanishingly small. Android's "wants these permissions" thing is far to little, and potentially worse than the "do nothing" option.
Even Facebook's app wants to be able to dial the phone "stuff that costs you money". Why?
Probably to allow the app to start a call with someone direct from your facebook "friends list" - I don't use facebook but from what I read about it trying to import as many address books as it can see then it probably stores phone numbers and as they want you to stay in their app they are probably going to have a method to find someone in the contacts list in the app and call them rather than leaving the app an going to the android contacts or having to write the number down and dial it manually.
It's so they can install Facebook Home without asking for additional permissions on that app. Home lets Facebook do all sorts of things to the Android lock screen, but it's built off the Facebook application - you need both (obviously).
FB had a choice between:
1. asking users to install a brand new application with all sorts of 'cost you money' options built-in.
2. asking users to install a new app with no permissions required at all, but update the existing app which everyone already had with all the new 'options'.
Guess which option they chose? I stopped updating FB when that happened, and I get reminded to update every so often, but my phone doesn't even support Home so why on earth would I want to enable text messaging?!
Makes me a little cross...
They count malware and "suspicious" apps in hundreds of thousands very rarely telling you what they are. Where is a database similar to the Windows database? Okay, let us get some information about every single one of them. Put them on the website etc.
On the other hand, it is a matter of good pedagogy to let you get a bad thing after you were lazy or stupid to care that that game you installed could make calls, send text msgs and cost you money.
Only stupid/careless people get malware on their droids. I have had an Android since the Galaxy 1 and I have never had a malware or virus. It's a little thing called being aware. If a "free" app looks to good to be true then guess what... it probably is.
This however is nothing new, for as long as there are sites offering cracked software/apps to people for free, there will be people injecting nasties into said "free software".
I know it was said that Play store apps were ok but even those get treated with suspicion by me if the permissions are unrealistic. In my mind a lot of games and apps should need very little to no permissions to my phone and as such many of the "free" games and apps get passed over for this very reason.
Use a bit of common sense people and you will be fine..... oh wait... it's not that common anymore is it.
Lets try that again.
Use a bit of uncommon sense people and you will be fine.
Hmmm, no sign of Eadon. If this was Microsoft he would be talking about MICROSOFT FAIL and how open source is better.
Well Android is open source, so why is there malware? oh, it's the dominant platform that's why :)
If you are going to the trouble of creating software to steal money you go for the most popular platform to maximise returns. But also Android is generally less locked down.
I've ran Windows, Linux and OSX, been generally careful and not been infected yet. Just got my first Android phone and don't imagine I will get caught out there either.
"iOS users look smug, but with reason this time" Why?
You can't be smug owning a device that someone else owns; isheeple just rent the shite from Apple.
iOS owners need mothered and cannot be relied upon to look after their own cyber security!
Like any net user, droid owners need to take care. Of course Google should be doing more to protect the image of droid.
Not that I use either of those "commoner" options.
Oh sorry, I get it now.
It's a PR problem, nothing more.
There aren't that many companies who require a set a level of intelligence to use their consumer focused offerings, but I see now that Android should be restricted to Technical folk a-la the Linux desktop.
IOS, WinPhone and Berry users would see the what you describe as mothering as being delivered a less risky more polished delivery of what in the end shouldn't be a visibly "IT" platform.
Why is it that any argument that suggests any FOSS has any sort of issue always ends up being closed by freetards claiming the problem is pig ignorant unwashed stupid users. :-(
I think Google expects you to throw away any old devices that can't be upgraded to the latest version of the OS. Even if your phone/tab can be updated you could wait a year for this to happen as I have just done with Galaxy S2. In Android there seems to be no such thing as patches for security or bug fix. But then you get what you pay for.
I have a love-hate relationship with Android. It's great when it works and I can do all sorts of things, some that I couldn't do with an iPhone - but the more clever things I do the more likely it is that something will go wrong and make the phone unusable. And I don't mean rooting, just running apps from the Play Store.
Does anyone actually know someone who has malware on an android device? I mean windows is "infested" with malware/viruses and the only virus I had in 1992 was the halloween virus which stopped my pc booting on halloween (Thanks unnamed PC magazine, that gift floppy on the cover was trusted damn you!)
I downloaded a photoeditor app last month and as soon as I used it, realised it was stuffed full of ads!
I uninstalled it immediately. But didn't realise I was supposed to power cycle the phone.
The result I got billed for £15 over two premium rate numbers over a week.
Three only could tell me who these two companies were. No money back.... :(
Damn annoyed that I have no control or recourse...