When people start arguing terminology like this
you know they're avoiding dealing with the actual issue.
Malware doesn't exist on Android, Google says, but Potentially Harmful Applications™ do. That linguistic flip is one of many at play in the Chocolate Factory's Android security division, which has dumped various general infosec terms overboard. Lead Android engineer Adrian Ludwig told the RSA Conference in San Francisco today …
A former employer of mine that sold AV software was threatened with a lawsuit by a spyware pusher because its AV scanner, reasonably enough, labelled that company's software as spyware.
You'd think they'd be told to go to hell, but no:
The spyware publisher's argument was that their software wasn't spyware, it was a way of providing the user with ads that might be of interest to them... and in order to determine what would be of interest, this software had to record search terms and browsing history. And, they continued, because this was all in the EULA, which the user had clicked through (in order to install Flash/Firefox/Acrobat/UnRAR or something else that they bundled themselves with), it was consented to, and so could not be spyware...
And thus, the term "Potentially Unwanted Program" was born...
I suppose Google has to be careful about clearly condemning companies that gather large amounts of a user's personal data under assumed consent, but it is not in any way in the customer's interests to allow these things to persist on Android. Yes, Google does a legal version of the same thing, but at least customers know who Google is, and have some limited form of redress against it if they find that it's stepped over a line. Not so with the shadier spyware pushers...
“I regret that we use the word spyware. When we say it, we mean that it grabs too much data and sends it off the device. There is a profound difference between grabbing all your SMS, and grabbing all your installed apps to send off your device. It's often called 'aggressive advertising'.”
It's also called Google.
Google's collective ego has grown large enough that it is warping space around it. This ought to go in the Bootnotes section or wherever El Reg is dumping its more tongue-in-cheek articles these days, not because of the reporting, but because I cannot imagine how anyone could get those things out with a straight face.
For example: "There is so much structure and connotation around the word malware that internally we don't use that word...That malware is increasing and most devices aren't protected is a myth.” Obviously, if there is no such thing as malware, it couldn't very well be on the rise, could it? Someone should have dumped a box of phones with older versions of Android on them and asked him to update the lot. A missed opportunity, to be sure, but perhaps it could be used in an encore presentation of this comedic performance.
They are burying their heads in the sand and going 'la la la'. Shows how much they care about their users. Google are happy because Android allows them to harvest and sell their users' data, they do not appear to care one bit about criminals using their technology to exploit their customers.
I think Google really are Microsoft, circa late 1990s. They've got the same lax attitudes to security, although much less excuse given the last 20 years of computer history. And they've got the same arrogance, as the money rolls in and it looks like there's endless growth over the horizon still to do. Plus they've got the same attitude to leveraging their monopolies into growth in other areas - and seemingly (from their dealings with the EU) the same contempt for government regulation.
There's also the new factor of the vast quantities of data they hoover up, and how public and regulatory attitudes are evolving towards it.
But the big question that's yet to be answered is this. Do they have the same attitude to writing everything down that MS had? IBM fought off the anti-trust charges for years/decades. I guess you're less likely to put things in writing in paper memos, than to dash off an email. Whereas MS's email archives were a smoking gun, that meant they went down in the matter of a few years. The lawyers couldn't save them. I wonder if Google have learned from that? Or if they don't see themselves as doing anything wrong, so write stuff down anyway?
It'll be interesting to see their future. MS are a mostly reformed company now (or their monopoly gives them less power anyway). But their reputation is nowhere near recovering from the twin damage of the PC security nightmare of early XP and looking rapacious and evil. Vista didn't exactly help...
MS are a mostly reformed company now (or their monopoly gives them less power anyway)
Hmm, let's just say I reserve that judgement for now. I've dealt with MS since MS-DOS 2.00. Given what I have seen and what I have experienced myself I'm a couple of years away from investing any trust in this organisation. Leopard, spots etc..
They may very well be writing it down and emailing it. This article scratches the surface on how they are changing words and concept definitions to their own ends. This, given the nature of US law and lawyers, will change the landscape if they can pull it off. So, maybe they have learned something. It's like calling a Ponzi Scheme a "wonderful investment opportunity". We know what it is. They know what it is. The lawyers will fight it out.
Well, if I wasn't convinced already, I think this would do the trick: Google is determined to walk the same path as Microsoft did about 25 years ago - unfortunately, now we live in the age of widespread public internet availability, the stakes are much higher.
So I guess the big questions are: "Who's the next big thing going to come from, and what will it be?"
Let's hope - against all odds - that they're less evil than Google have turned out.
a spectacle of software abuse beyond compare
Umm, no, it takes a lot of work but you can get Windows to behave. Well, for a while anyway.
If you want software that matches your description I'd vote for most Adobe products, but they have as upside that you never actually agree to their T&Cs - the convoluted way they present them makes them eligible for the unfair contract terms provision on account that you have to go on a discovery tour to find the one that actually relates to the product you're installing.
Whilst every week there's another "story" about Android malware, most of those stories emanate from companies that sell AV products. I've had a dim view of them since one that approached me for investment offered to demonstrate how their AV product picked up viruses the others missed. He wanted to install a virus on my PC to show me. When I asked where he got the virus the others could not detect he (eventually) admitted to having had it written for the purpose of showing how the others were flawed.
It is like 'Porn': we all know it when we see it, and there are many subcategories.
But pornographers like to have it classified differently so that they can use legal loopholes, a bit like Google.
We all know they are up to the same shit, but now they can re-classify their shenanigans as something else.
Hi all,
Google has to downplay the infection rates and the language because of the push on enterprise. And Apple had more things patched in their last update than Android has in the same period. Seems all the big players are being deliberately obtuse!
Now, I just read a very long thread at Malwarebytes about Android users with RANSOMWARE on their phones. The thread was only a few months or weeks old. I know it was fairly recent. And in an interview with Android Central, Ludwig said similar things when discussing the webview problem, which millions still have. HTC did a pretty good job of patching my Evo 4g lte. They fixed the four masterkey vulns, fake id, Heartbleed, and updated some apps. I do use Firefox and Chrome which are safe from Freak attack. And I am pretty sure that HTC fixed the Webview (one of them) problem if the test online is to be believed. But any browsers that run on webview are screwed for Freak attack. Oh ya, don't forget the research by Palo Alto Networks, and the app hijacking malware vulnerability. With other vulns this one is probably the worst of them all.
So as a consequence, I am one of those with multiple security apps. I use Avast, because it's free, and has a ton of other useful features. Very easy on the battery, and I think it actually helps manage battery usage. Because of their battery saver app, I think they incorporated some code.
Next up, OS Monitor, which shows me app CPU usage, app connections with IP addresses, and geolocates them. And other things like battery, charging, temperatures of phone. IPv4 & 6 connections, and a log at the end of features.
Thirdly, Lostnet NO-ROOT firewall. This one is great, because it gives you lots of control. $.99 Pro version does packet capture, and analysis at Cloudshark.com
It uses the native VPN to filter all connections. No external servers involved. Also, least amount of permissions in its class, which is a very small group right now.
And the fourth is Nowsecure app. El Reg wrote about them recently during the RSA Conference. This one tells me what apps are connecting to, like countries, and organizations. Tells you which apps and their connections are secure or not. Unfortunately, Avast is connecting over insecure http about 10%-15% of the time. For the most part, my phone is connecting over https about 86% globally.
And last but not least, Google's own security checks, which dutifully tells me, or warns me that downloading apps like Disconnect Me, and AdGuard will damage my device ;-)
And finally, I have uninstalled almost every app with a banner, except for apps that were preloaded. I have everything backed up, thanks to Commanders file manager. I used to have ES file Explorer, but there were too many bad things I found out about it, namely, it connects to Baidu for analytics, and over http no less. I always used two factor sign ins when offered. And practice safe browsing, never click links in Gmail, or elsewhere unless trusted. You get the idea, I don't trust Google or Android to keep me safe.
Reading that, I was immediately reminded of this snippet from the HHGTTG radio series:
"This problem taxed the minds, first of the cloning engineers, then of the priests, then of the letters page of ’The Sidereal Record Straightener’, and finally of the lawyers, who experimented vainly with ways of redefining murder, re-evaluating it, and in the end, even respelling it, in the hope that no one would notice."
It would appear that The Chocolate Factory has its collective head wedged thoroughly up its collective arse.