Forgot your password?
typodupeerror
Android Security IT

Google Pulls 21 Malware Apps From Android Market 242

Posted by CmdrTaco
from the steve-jobs-is-laughing dept.
Hugh Pickens writes writes "CNN reports that Google has pulled 21 free apps from the Android Market that, according to the company, are aimed at gaining root access to the user's device, gathering a wide range of available data, and downloading more code without the user's knowledge. Unfortunately although Google has moved swiftly to remove the apps, they have already been downloaded by at least 50,000 Android users. The apps are all pirated versions of popular games and utilities which once downloaded, root the user's device using a method like rageagainstthecage, then use an Android executable file (APK) to nab user and device data, such as your mobile provider and user ID, and finally act as a wide-open backdoor for your device to quietly download more malicious code. 'If you've downloaded one of these apps, it might be best to take your device to your carrier and exchange it for a new one, since you can't be sure that your device and user information is truly secure,' writes Jolie O'Dell. 'Considering how much we do on our phones — shopping and mobile banking included — it's better to take precautions.'"
This discussion has been archived. No new comments can be posted.

Google Pulls 21 Malware Apps From Android Market

Comments Filter:
  • Exchange (Score:5, Insightful)

    by Andy Smith (55346) on Wednesday March 02, 2011 @10:32AM (#35356456) Homepage

    "it might be best to take your device to your carrier and exchange it for a new one"

    Yeah good luck with that.

    • by goombah99 (560566)

      This advice reminds me of what became a solution rooted dells. TOss it and buy a new one. If you earn $100 and hour then yooooou cost your company about 2x in overhead. By the time you spend an hour diagnosing and 2 or 3 hours restoring your OS from scratch then you might as well have bought a more modern computer with the OS already installed.

      So apparently people now have to throw their cell phones out every time they lose confidence in them. Will we have to run Virus software on all android phones? Lo

      • by Joce640k (829181)

        Who earns $100 an hour...?

        • by slim (1652)

          You may not earn £100 for yourself, but your employer might bill your time with customers at £100/hour.

          • Re:Exchange (Score:4, Interesting)

            by tehcyder (746570) on Wednesday March 02, 2011 @11:38AM (#35357194) Journal

            You may not earn £100 for yourself, but your employer might bill your time with customers at £100/hour.

            If you're being charged out at £100/hour you are probably earning about a third of that, going by the professional rule of thumb of one third salary one third overheads and one third profit.. £33/hour is about £60K/year, which sounds more likely than £200K.

            Yes, I know everyone here on slashdot is a superstar programmer earning $10m + a year just in stock options, just think of us little guys as you're snorting cocaine off hookers' tits on one of your yachts.

            • Re:Exchange (Score:4, Funny)

              by fidget42 (538823) on Wednesday March 02, 2011 @11:50AM (#35357322)

              Yes, I know everyone here on slashdot is a superstar programmer earning $10m + a year just in stock options, just think of us little guys as you're snorting cocaine off hookers' tits on one of your yachts.

              The sad part of that statement is that a programmer who earns $10M (I assumed you didn't mean milli) a year still has to get a hooker in order to meet women.

              • by erroneus (253617)

                Hookers don't get alimony and almost never get child support. It's not a "need" but more of a business decision.

              • by Bassman59 (519820)

                Yes, I know everyone here on slashdot is a superstar programmer earning $10m + a year just in stock options, just think of us little guys as you're snorting cocaine off hookers' tits on one of your yachts.

                The sad part of that statement is that a programmer who earns $10M (I assumed you didn't mean milli) a year still has to get a hooker in order to meet women.

                Witness for the prosecution: Charlie Sheen, rich guy who uses hookers. Prosecution rests.

                BTW: in financial parlance, M indicates thousand, since it's an abbreviation of the Latin mille, which means "thousand." So the superstar programmer earning $10,000/yr? Yep!

                • by Duradin (1261418)

                  I call it the McCartney Equation. Take the cost of the relationship and divide by the number of days in that relationship. That is how much you could have spent on hookers per day and still broke even. (I think it worked out so that Sir Paul could have spent $5000 a day on hookers.)

                  If you went with a hooker every other day you could halve your expenses or get a higher quality hooker.

                  • by tftp (111690)

                    Take the cost of the relationship and divide by the number of days in that relationship.

                    There are other advantages of hookers. For example:

                    • "Pay as you go" rate that you agree to before the fact
                    • Excellent availability
                    • Infinite variety
                    • No infidelity issues
                    • No claims on your property
                    • No relatives
                    • No chores to do, no unwanted concerts to go to
                    • No children
                    • A hooker will never give you rat poison to get rid of you.

                    Some say that a hooker is more likely to give you an STD, but that only depends on what kind

            • Yes, I know everyone here on slashdot is a superstar programmer earning $10m + a year just in stock options, just think of us little guys as you're snorting cocaine off hookers' tits on one of your yachts.

              He's not a programmer, but other than that detail, you just described Charlie Sheen's life pretty closely.

            • Programmers acting like Charlie Sheen?? I don't think so.

        • Um, someone making $208K a year?

        • Few people "earn" $100 and hour, but I doubt you'll find a consultant (at least in my area, which is Central Ohio, not Silicon Valley) that will work for less than $100 an hour. The company I work for charges $175 an hour, and that's slightly above average for good work in my area. (We have a couple areas of specialty, such as SQL DBA work and VoIP expertise. We don't tend to do general PC support work, except on a few specific contracts where the customer requires it.) The real range is from about $100/hr
          • by hairyfeet (841228)

            Question: Why is it taking 3+ hours to do a simple wipe and reinstall? You just wipe the machine, put in a pre built OS install CD/DVD with all the patches already done, put in the key on first boot, install the apps from the local server or via flash drive, done. Maybe an hour and a half tops.

            Using a combination of WSUS Offline [wsusoffline.net] (which you can tell to include MS Office updates along with MS Essentials AV) and Ninite [ninite.com] I can whip off a dozen boxes or more a day easy and spend less time per box than I do tryin

            • I would hope that most denizens of /. are aware of the specific imaging technologies and techniques that your mentioned.

              The reason many MSPs are not using them is because of the cost of setup. It's easy to do a setup like that when the clients has 200 machines and they're all the same model. It's a bit tougher when the client has 15 machines and they all different makes and models.

              Now distribute that problem across 30 clients and suddenly the automata becomes much more difficult to maintain.

              Couple that with

  • by Anonymous Coward on Wednesday March 02, 2011 @10:33AM (#35356468)

    I keep reading stories about Android malware. Why does Android attract more malware than any other phone platform?

    I'm curious. It doesn't have the largest marketshare, so that argument is moot.

    • by clang_jangle (975789) on Wednesday March 02, 2011 @10:41AM (#35356554) Journal
      It's a relatively open platform, which makes it easier to dupe users into installing trojans. The thing that troubles me is that google doesn't vet the apps before they're published, leaving a lot of users vulnerable. There's surely a better middle ground between "walled garden" and "wide open wild west".
      • by Joce640k (829181)

        How exactly are they supposed to vet apps? Decompile them and analyse the code?

        • by tepples (727027)

          How exactly are they supposed to vet apps? Decompile them and analyse the code?

          That appears to be what Apple does, rejecting any app that calls an undocumented function name.

        • by netsharc (195805) on Wednesday March 02, 2011 @11:48AM (#35357310)

          How about just having a proper security system...

          BlackBerries ask you for each privileged task the app wants, whether you want to always allow that task, always deny, or prompt when the app needs it...

          • by StikyPad (445176)

            And how does that protect against a trojan, exactly? Depending on the app, there may be nothing at all suspicious about its request for elevated privileges.

          • by babblefrog (1013127) on Wednesday March 02, 2011 @01:45PM (#35358940)
            Android does that already, essentially. This particular malware exploited OS bugs that have been known about forever, bypassing the security system. They are already fixed in the latest version of Android. The problem is that Motorola, HTC, Samsung, AT&T, T-Mobile, Verizon, etc aren't letting you have the latest version of Android, because up until now they have had no incentive to push out new versions to handsets. If it were Microsoft leaving known vulnerabilities unpatched, they would rightly be raked over the coals, and these companies should be too!
      • by DrXym (126579)
        Oh I bet they do "vet" apps, in the sense that they undoubtedly run some kind of virus scanner / pattern matcher over them. They also have reporting tools for users who think apps are malicious.

        It won't catch everything of course. Neither would Apple either assuming someone anticipated how the process usually works and took steps to avoid it. e.g. it should be relatively trivial with cloud based apps to produce something that looks innocent and benign to an inspector looking at the client assembly code bu

      • by Mr_Silver (213637) on Wednesday March 02, 2011 @12:39PM (#35357972)

        It's a relatively open platform, which makes it easier to dupe users into installing trojans. The thing that troubles me is that google doesn't vet the apps before they're published, leaving a lot of users vulnerable. There's surely a better middle ground between "walled garden" and "wide open wild west".

        The other issue is that the way the application presents the security access it needs is, for the average user, completely confusing. You install an app and it gives you a list of 7 things it needs to do including things like "read phone state" and "access internet".

        For overly simple apps it may be possible for something like "access contacts data" to be picked up as nefarious by the end user - but in the vast majority of cases there is a long list of permissions and the users are given no real help in understanding what it all means. As such, they blindly accept what is presented to them because they don't understand what the phone is trying to tell them.

        (Hell, if I were to decline to install any apps where I didn't fully understand the access it was asking for I don't think I'd have anything installed on my device)

        In short, whilst you cannot stop stupidity, there are some pretty major flaws in the user experience which isn't exactly helping people.

      • by CastrTroy (595695)
        This just goes to prove that most users aren't sophisticated enough to do computing outside of a "walled garden". Sorry to say, but that's just the way it is. Sure many of us geeks on slashdot can handle it, but most users generally cannot. Which is why the general public love their video game consoles, iPhones, iPads, and other walled garden computing devices. Because it lets them use computers without having to think, and without having to worry about what applications might do hard to their computer.
    • by AHuxley (892839)
      Can we try the reverse of the Apple/Windows malware for the OS X desktop market share idea?
      Android users are wealthy, creative, smart, well connected ect. and its 'worth' the code effort?
      Or is it "Windows" easy to make a "wide-open backdoor"?
      If this can be done in the wild, what can your gov do or contract to have done to your phone?
      • by slim (1652)

        Can we try the reverse of the Apple/Windows malware for the OS X desktop market share idea?

        No need to reverse it - Android has more market share than iOS, and it's growing.

        There are more Blackberries than either at the moment, though. I guess Blackberries are more tighly locked down, and their users typically don't install frivolous apps, since they are usually work assets.

    • Good question. I'm not sure how it works, but perhaps Android's developer registration makes it easy to anonymously create and publish the apps, whereas Apple's store is more picky about who and what is developed/distributed? Also, maybe the "open source" platform is easier to wire malicious code into.

    • by grapeape (137008)

      Its mostly open and unlike linux which has even with the best distro has an at least slight learning curve an android phone is pretty much just pick up and go. With the availability of Android phones on carriers from prepay and even free with contract and no vetting system for apps its a very easy and logical target for those wanting to do harm.

    • Simply: IOS is locked in. It has it's disadvantages, but also it's advantages. Presumably all software submitted is tested. It would be more difficult to get a virus through that.
      The disadvantages are discussed here enough.
      • by h4rr4r (612664)

        Too bad that testing does not work. They have had malware get into the market. This is not a simple problem to solve, you have unknown code with unknown inputs, how do you know what it does?

        And remember that code may act nice in a simulator or on known test devices, or until it is downloaded by 100k users.

    • Re: (Score:2, Insightful)

      by P. Legba (172072)

      That argument never made any sense anyway. If it did, Apache would receive the greater attention from the mal-intentioned than IIS, by far.

      The whole "there aren't viruses on the Mac because nobody cares about that platform" argument goes right along with it.

      • If it did, Apache would receive the greater attention from the mal-intentioned than IIS, by far.

        That argument assumes all attacks have the same intention. Notice Firefox has been getting more attention in recent months.

    • by alen (225700)

      easy for users to give permission and no one asks themselves why a wallpaper app needs root access. on iOS the phone is locked down and users can't give this access in the first place

  • Attention: (Score:5, Funny)

    by Anonymous Coward on Wednesday March 02, 2011 @10:34AM (#35356482)

    "Please use only the official Google applications for harvesting your personal information."

  • The apps are all pirated versions of popular games and utilities which once downloaded, root the user's device using a method like rageagainstthecage, then use an Android executable file (APK) to nab user and device data

    Not all of them are pirated versions of popular games, and most of them don't try to root your phone.

    • by Idbar (1034346)
      I have a game from their market called "slice-it". From time to time it tries to get root permissions for who knows what reason.
  • by jesseck (942036) on Wednesday March 02, 2011 @10:39AM (#35356536)
    The first link has a partial list (17) of the apps which were pulled- here is a full list of apps from publisher Myournet (from this site [androidpolice.com]: * Falling Down * Super Guitar Solo * Super History Eraser * Photo Editor * Super Ringtone Maker * Super Sex Positions * Hot Sexy Videos * Chess * _Falldown * Hilton Sex Sound * Screaming Sexy Japanese Girls * Falling Ball Dodge * Scientific Calculator * Dice Roller * * Advanced Currency Converter * App Uninstaller * _PewPew * Funny Paint * Spider Man *
    • FFS. I only have 2 market apps on my phone. One of them is Chess.. don't think I've actually run it yet, but this makes me want to not even try..

      • Is it still available in the android market? If so, it wasn't the app you installed, but another app that was malicious
      • There's more than one free app called Chess. If you've got the one by Aart Bik, I think you're OK - his site and his blog all indicate he's an on-the-square android dev working for Google.

    • by tehcyder (746570)

      The first link has a partial list (17) of the apps which were pulled- here is a full list of apps from publisher Myournet (from this site [androidpolice.com]: * Falling Down * Super Guitar Solo * Super History Eraser * Photo Editor * Super Ringtone Maker * Super Sex Positions * Hot Sexy Videos * Chess * _Falldown * Hilton Sex Sound * Screaming Sexy Japanese Girls * Falling Ball Dodge * Scientific Calculator * Dice Roller * * Advanced Currency Converter * App Uninstaller * _PewPew * Funny Paint * Spider Man *

      Neat, I've got all those!

  • I think I'll stick with my iPhone, four versions already and I haven't had to deal with crap like that. Call Apple the mother of all evils if you want but they at least work their ass off so you don't have to.
    • by _Sprocket_ (42527)
      Bully for you. I'll stick with my Android device. I knew this was a risk when I bought one and the relative freedom is well worth it.

      So should we give this horse corpse another few kicks or do you think we've gone about as far as we can go with it?

    • by bonch (38532)

      You don't understand. Android is based on Linux, and it's from Google--two of Slashdot's biggest loves. That automatically means it's the greatest thing ever and that no criticism is valid, and anyone who chooses an iPhone is brainwashed, dumb, trendy, and so on.

      Never mind that Android isn't open due to carrier control, its unit sales are only because it's on multiple phones and carriers and gets slapped onto every crappy low-tier smartphone out there (complete with unremovable junkware), and the user inter

  • So... (Score:4, Funny)

    by bhunachchicken (834243) on Wednesday March 02, 2011 @11:09AM (#35356866) Homepage

    "Unfortunately although Google has moved swiftly to remove the apps, they have already been downloaded by at least 50,000 Android users"

    Bet that remote kill and remove ability that some people were bitching about a few months back isn't looking like such a bad thing right now, is it?

    • by drinkypoo (153816)

      Bet that remote kill and remove ability that some people were bitching about a few months back isn't looking like such a bad thing right now, is it?

      In the case of trojans which open your machine and download additional code, it's not going to help you one bit. The damage is already done. Are there hidden rootkits for Android phones yet?

    • You can kill an app sure, but if these apps have rooted the phone - they could allow more stuff in :).

    • by owlstead (636356)

      "You've downloaded a malicious app. Do you want to delete this app [yes/no/more info]?" or
      "You've downloaded a malicious app. This app can be removed by downloading . Proceed [yes/no/more info]?"

      This works until the app has enough access to remove the counter measures taken by Google.

    • by tlhIngan (30335)

      Bet that remote kill and remove ability that some people were bitching about a few months back isn't looking like such a bad thing right now, is it?

      Which raises an interesting question. When Apple did it (as in, discussed the remote kill switch, they haven't actually had to use it), everyone went bat-shit crazy. When Amazon did it, ditto.

      When Google does it, it's good? Sure it may be for a good purpose, but the fact that it not only exists, but is used often enough.

      And hell, even Apple has a problem in that

  • "it might be best to take your device to your carrier and exchange it for a new one"

    Why can't you just factory reset it?

  • In light of this, perhaps Apple's app store policies are not quite as evil as they appear? I like open systems, and I like open source, but if it is a choice between a free-for-all where the managers of the trusted repository won't examine submitted apps vs. Apple's where one can be reasonably sure that every app is going to be safe, the iPhone looks like a safer bet for folks who install lots of apps.

  • As soon as an article about something like this hits the mainstream press, the damage is done from a marketing perspective. If Android (Marketplace) loses the trust of the users, Google may never be able to make it back up.

    This is the reason Apple does things the way they do. Sure, it's draconian, but remember that we're still hearing about the "death grip" issue every couple of months. If Apple allowed a single popular piece of malware into their Store, it would be news everywhere. Instead, Apple has been

  • Just the other day, Slashdot commenters were absolutely insisting [slashdot.org] that the only possible source of malware was 'untrusted' app stores. If only everyone got their apps from 'trusted' (read: "big corporate") websites then malware would never spread.

Life is difficult because it is non-linear.

Working...