Google: BadNews Malware Wasn't Really Bad, After All

chicksdaddy writes "When reports surfaced about 'BadNews,' a new family of mobile malware that affected Google Android devices the news sounded — well — bad. BadNews was described by Lookout Mobile Security as a new kind of mobile malware for the Android platform-one that harness mobile ad networks to push out malicious links, harvest information on compromised devices and more. Now, six weeks later, a senior member of Google's Android security team claims that BadNews wasn't really all that bad, after all. Speaking at an event in Washington D.C. sponsored by the Federal Trade Commission, Google employee and Android team member Adrian Ludwig threw cold water on reports linking BadNews to sites that installed malicious programs. The search giant, he said, had not found any evidence linking BadNews to so-called SMS 'toll fraud' malware."

And what else did you expect?

[Anonymous Coward]

This just in: Vendor claims malware isn't as bad as people say. Film at 11.

Did anyone really expect them to say different?

Re:

[OhSoLaMeow]

Now, come on. All Google is saying is that it isn't all BadNews ;-)

All malware is bad. Sure, it could be catastrophic, but it could also just serve as a trojan for other pieces of malware. This one doesn't turn out to be as bad as the press makes it sound (big surprise), and Google claims it isn't anything much to worry about (another big surprise). So we know that the truth lies somewhere in the middle.

Maybe if we told you the "bad" news in a "good" way...

Re:

[AliasMarlowe]

All Google is saying is that it isn't all BadNews

Or merely that it would be WorseNews if BadNews were VeryBadNews.

Re:

[Impy the Impiuos Imp]

This. The ball's back in the antivirus/security guy's court to put up or slink away as a hack.

Re:And what else did you expect?

[stephanruby]

Did anyone really expect them to say different?

I didn't.

The application asked for permission to send sms (and potentially cost you money).

It's not malware if it tells you exactly what it's going to do, and then does it with your explicit permission (not that it even did that since it was only a proof-of-concept app). It's only a malware app if someone else has temporary possession of your phone, plus its pin number, and then installs the application just to cause you harm without you knowing.

And this is actually nothing new to Android users.

Re:

[Anonymous Coward]

This is the biggest reason why I won't be moving to Android anytime soon. On iOS, it'll ask for permission when it needs to send something, and I can stop it. There are plenty of apps that require permissions that I only want to give access to occasionally. If an app wants access to my pictures, I tell it what pictures it can access. Same with contact information. Giving apps blanket access at install time is brain dead.

Re:

[DrXym]

The up front permissions is better than nothing but it's not good enough.

Android really needs to ask the user to grant / deny a permission each time it is accessed, with a checkbox to remember the decision. Some apps can be incredibly annoying, such as Facebook which is constantly turning on GPS which saps battery power. I should be able to disable that permission and force it to use a less precise location system or none at all. Another app might have a genuine need to launch the dialler, to call someone

Re:

[tangent3]

This just in: Anti-malware vendor claims malware is worse than it actually is. Film at 11.

Did anyone really expect them to say different?

but but but...

[ADRA]

How can we flame you if there's no story!! Wahh!

Re:

[Anonymous Coward]

Since when did reason ever get in the way of a good flame war?

Re:

[icebike]

How can we flame you if there's no story!! Wahh!

You can flame someone for jumping the gun perhaps?
With not a shred of evidence it appears that Lookout actually precipitated this stampede, and Google followed suit.

Always a potential vector.

[Darkness404]

Ad networks will always be a potential vector of infection and since many, if not most, apps on Google Play (and iOS) that are free will have ads from a major ad network, it means that any application can potentially give you malware with no fault of the application developers themselves.

Do they all hire the same marketing people?

[Anonymous Coward]

Often when there is a major security issue in a software product, there is a marketing that follows in the next few weeks saying it wasn't really as big a deal as the researchers originally claimed. Normally they state how the issues raised don't really apply in the real world. Often the phrase 'Threw cold water' is used. This is done as a distraction and PR exercise to deflect from the fact that the company does not wish to invest the time and effort into fixing the issue.

The IT press normally picks up

BadNews a ruse to sell more AV product?

[dgharmon]

`Speaking at an event in Washington D.C. sponsored by the Federal Trade Commission, Google employee and Android team member Adrian Ludwig threw cold water on reports linking BadNews to sites that installed malicious programs. The search giant, he said, had not found any evidence linking BadNews to so-called SMS 'toll fraud' malware."'

So it was just a ruse by the AV companies to sell more AV product ...

Re:

[lxs]

Yup. Also Google isn't sharing your email with NSA spies and their datacenters are patrolled by fairies on unicorns in search of rogue rainbows.

BadNews everyone!

[Culture20]

Malware wasn't really bad after all. Oh, my, yes. Plus I'm still in my pajamas.

You know... they're right.

[UltraZelda64]

I actually agree with them on this one. This malware wasn't as bad as the recent disclosure of Google's involvement in a top-secret U.S. Government mass surveillance program that has been going on for several years now.