1.2% of Apps On Google Play Are Repackaged To Deliver Ads, Collect Info

An anonymous reader writes "Not a month goes by without security researchers finding new malicious apps on Google Play. According to BitDefender, more than one percent of 420,000+ analyzed apps offered on Google's official Android store are repackaged versions of legitimate apps. In the long run, their existence hurts the users, the legitimate developers, and Google's reputation in general. Google Play has recently surpassed the one million mark when it comes to the apps it offers, and the researchers have analyzed a good chunk of the total in order to discover just how many are hiding their true nature."

F-Droid, FTW

[Anonymous Coward]

F-Droid is the open source store. Pleanty of good apps there that do just about anything you'd need an app to do, for free as in beer and free as in speach.

https://f-droid.org/ [f-droid.org]

Re:F-Droid, FTW

[Nerdfest]

Many of us don't need FaceBook or NetFlix. F-Droid is great, and there's actually a lot of stuff that's actually on both. Wonder if some of the Play versions are included in some of the adware-added nstuff they're talking about ...

Anyway, it's damn nice to have options. I realize Google bashing is the funded topic these days, but I wonder if anyone's done an analysys of the Amazon app store for the same sort of thing.

Re:

[N0Man74]

I wonder if anyone's done an analysys of the Amazon app store for the same sort of thing.

I haven't heard of a specific study on apps, but I have read about how the eBook side is highly saturated with people selling low quality bundles and repackaging of free and public domain works in order to make a quick buck. Given how little quality control there appears to be on the eBook side of things (and books are much part of the core of Amazon than apps) I doubt they fare any better on apps.

Openness does have it's disadvantages.

It isn't just the re-bundles. When there is a popular iOS only app, I h

Re:

[mrchaotica]

That's a feature, not a bug.

Re:

[shentino]

netflix is allergic to open source, not the other way around.

Re:

[Anonymous Coward]

Of course they are. They rely on contracts with content providers. No sane content provider will contract with NetFlix if NetFlix can't say that they do their best to make sure the content cannot be extracted and copied. If it was open source it would be easy to extract and copy - simply compile a modified version that saves every stream. That would not fly very well. They have no choice in the matter.

Re:

[mlts]

That's a bad thing?

Re:

[miroku000]

The "F" in F-Droid stands for Free. That's not what I was thinking it stood for at first...

Re:

[NightWhistler]

F-Droid is pretty awesome... they audit every app in there to make sure it doesn't contain any malware, etc... it's the best example I know of the "have someone you trust check the software for you" principle of Open Source.

The downside is that they tend to lag behind... I've had angry users asking why the version of my app on F-droid didn't have the same features as the one on Google Play, thinking I'd crippled it for commercial purposes when in fact they were simply lagging a couple of versions behind.

Re:

[xorsyst]

If F-Droid want to actually make an impact on the Android userbase, the home page needs to have instructions on how to install the damn thing! I know what I'm doing, but most people just install stuff from google play. If they follow this link and click the "install" link, they get an apk download and no help. This is not very useful.

Powered by Donations

[krischik]

You really think that works? I sell Android Open Source by the GPL rules: legitimate customers can request the source code — but nobody ever does. I do mention it. It is not a hidden secrete. Still no one is interested.

And on the other side I don't expect donation to flow in if I used that site. Once the average user has his App he is not interested either in source or donations.

I for one continue to use the GPL allowance to sell the binary and only give away bare source for fee.

Irrelevant

[Russ1642]

The total number of apps doesn't matter. The only stats worth anything involve the number of apps that are actually downloaded and run. There are thousands of useless or malware infested apps out there but are people really using them?

Re:

[Anonymous Coward]

As someone who gets stuck helping people with cheap, crappy android phones.
Yes. Quite a bit. There is a lot of garbage on the play store that's pretty much designed to siphon up your info and spam you with ads in app and out of app. The purveyors of such garbage are good at SEOing and shilling up their crapware to the top of the lists too.

I don't see this sort of shit with iphone users.

Re:

[Neuroelectronic]

Because the only way to find an app on the iShit interface is by name, a name your friend told you, then you can't find it because the search doesn't actually give any relevancy points for exactly matching what you typed.

Re:

[coinreturn]

Because the only way to find an app on the iShit interface is by name, a name your friend told you, then you can't find it because the search doesn't actually give any relevancy points for exactly matching what you typed.

Just plain wrong. You are either a liar or inept.

Re:

[gmhowell]

Because the only way to find an app on the iShit interface is by name, a name your friend told you, then you can't find it because the search doesn't actually give any relevancy points for exactly matching what you typed.

Just plain wrong. You are either a liar or inept.

Not mutually exclusive.

Re:

[L4t3r4lu5]

Because the only way to find an app on the iShit interface is by name, a name your friend told you, then you can't find it because the search doesn't actually give any relevancy points for exactly matching what you typed.

Just plain wrong. You are either a liar or inept.

Not mutually exclusive.

OR != XOR

Re:

[thetoadwarrior]

A butt hurt fandroid in this submission? That's unexpected.

Re:

[JLennox]

Complete control over a platform isn't justified by non-techies not knowing any better.

Apple owes everything to that not being a pre-existing model to computers.

Re:

[Anonymous Coward]

Define justified.

As far as Apple is concerned, their bank account balance justifies their decisions.

I'm not an apple fanboy by any means (my phone is a Samsung), but there are certain benefits to Apple's approach (not that I agree with it).

Re:

[ADRA]

I don't see this type of shit ever. Examples please.

Re:Irrelevant

[fermion]

It does matter because Google Play is supposed to be the walled garden. It doesn't matter that 99% of the people in the school yard are supposed to be there, all it takes is few to turn the school yard into chaos.

It also matters to the developers who wants to make a profit. If someone else can repackage your app and place it on the preeminent platform for Android Apps in exchange for ad revenue, that is bad. It also hurts the reputation of the original developer if that app is violating real of perceived privacy expectations.

This is different from script kiddie or organized crime putting a pirated App on some open repository to be nice or steal identities. This is Google Play. People use it instead of more open repositories because they expect a level of security.

Re:

[mlts]

I have mentioned this before, but Google needs to section off its store. One tier being the existing, "well, if not banned, it is allowed" free-for-all (which is a good thing for savvy users), but Google needs to have a tier similar to Amazon's store. Approval is a must, brutal approval guidelines, and no mercy with the banhammer.

This strategy has worked amazingly well for Apple. iOS can be argued to be less secure than Android because the entire OS depends on the jail mechanism. However, because the on

Re:Irrelevant

[immaterial]

iOS can be argued to be less secure than Android because the entire OS depends on the jail mechanism.

What does this sentence mean? From context it looks like you're saying the only form of security on iOS is Apple's App Store approval system, but that's obviously false. Every app is sandboxed (no access to the system or other apps) and must request specific permission for privileged data (location/contacts/photos/calendars/etc.).

Re:

[interkin3tic]

Google play is supposed to be the walled garden? Since when? I thought people who wanted to exchange freedom for security were all on itunes.

Re:

[BasilBrush]

There are thousands of useless or malware infested apps out there but are people really using them?

Even if no one downloaded a single one of them, they would decrease the signal to noise ratio of the store.

So there's really no excusing them.

Re:

[kermidge]

Or more to the point, the number of apps downed and used that do what they say they will and not something other, as distinct from any other apps downed and used. Given the history of the PC since IBM-clone days, I'd be unsurprised at a significant percentage of bogus apps being used. (Didja ever see the real-life pic of an instance of IE with toolbars takiing up the top half of the screen? Feature that, and the millions of people who did similar - not to that extent, of course, but the utilities, rafts

How many downloads?

[Fwipp]

How many people install the adware apps, though? I'd wager that the proportion of _downloads_ of adware is significantly less than 1.2%.

Re:

[TWX]

When any application that has no need for Internet access but wants it anyway, it's very hard to avoid it.

Last time I went looking for something as simple as a flash manual switch to use as a flashlight, it took digging through multiple apps to finally find one that didn't want Internet access.

Re:

[FatdogHaiku]

But... what if your flashlight needs an important update to help keep it secure on the internet?

Re:

[kbrannen]

Yes, I went thru that last week. My Nexus 5 didn't have a flashlight app, so I had to go find one. It took like 6 tries to find a flashlight app that didn't require network access, my email, or something else it didn't need. I mean really, if I'm fumbling to find a door lock in the dark, am I really going to be looking at an ad on my phone at the same time?

Re:

[Anonymous Coward]

https://f-droid.org/repository/browse/?fdfilter=flashlight&fdid=com.scottmain.android.searchlight [f-droid.org]

Re:

[BasilBrush]

The paradox of choice. Having a choice of apps in a particular category is actually detrimental to the user, when a significant number of them are bad choices.

Choice is no substitute for quality control.

Re:

[gstoddart]

Last time I went looking for something as simple as a flash manual switch to use as a flashlight, it took digging through multiple apps to finally find one that didn't want Internet access.

Indeed. My first steps after downloading a new app is to put the device into airplane mode and run it.

If it needs internet connection for something, it gets binned immediately. Especially for something which has no legitimate need for any network access (like a flashlight and most games).

So many of them start up and imm

Re:

[GTRacer]

... Now that I'm done picking my jaw up off the floor I think I'm going to try this with the apps I already have.

That said, I've taken great pains to only install apps with a decent critical mass of reviews or trustable endorsements. And I pay rather than get the "free" versions so I don't risk ad-network attacks.

Re:

[bickerdyke]

Why install it at all and not just bin it as soon it wants internet access?

Either you have that problem on iThings too or you're ignoring the pre-install permission list on Android for some unknwon reason.

Re:

[BasilBrush]

Either you have that problem on iThings too or you're ignoring the pre-install permission list on Android for some unknwon reason.

The situation is not the same on iOS, as there is an app approval process. And there's also a process to remove apps from the store if they are subsequently discovered to be malware.

On Android, there is no central authority to approve or remove apps.

Re:

[goose-incarnated]

Maybe it's just my phone (Huawei P6), but it informs me when an app tries to (for example) read my contacts the first time. Then I get to decide whether to allow the app to do that or not.

My S3 never did that, though, so I'm not sure if it's just this one phone or if it is all the newer androids.

Re:

[RenderSeven]

Exactly. The must be a good 50 flashlight apps but I cant find a single one that doesnt run ads or need dubious privileges. I even started with highest price ones first and they still want too much info. (If you know of one please let me know). But very common to want my phone book, ability to place calls, access the GPS location, modify SD card contents, and so on.

Sometimes its explainable - I install GPS Status paid version, and when it asked for full network access I emailed the dev, and he answered qui

Re:

[FictionPimp]

I use Nexus Flashlight. It requires access to the camera, and the ability to keep your phone from going to sleep. Nothing else.

Re:

[RenderSeven]

EXCELLENT! You made my day.

Re:

[TWX]

If that one gives you issues, I use "LED Light". It doesn't list the Samsung Galaxy SII (T-Mobile version) as on the supported devices list, but it seems to work fine. Only annoyance is that it doesn't completely close on exit and I have to go exit its process, but how little I use it, I can accept that.

Re:

[kbrannen]

I finally found "Flashlight", by Devesh Parekh. It requires no perms and just turns your whole screen bright white; hit the back button to turn it off. Really simple and it fits the needs, even if you don't have a camera flash.

Re:

[mlts]

To help mitigate things with dodgy apps, I use Droidwall configured to block by default. Droidwall needs a facelift, but it is a decent front end for iptables.

Android needs to keep its permission model, but add additional permissions similar to iOS 6+ where when the first time an app asks for access to contacts/camera/phone/SMS/photos/music/etc., it pops up a dialog where the user can confirm or deny permissions. Blackberry has had this model for over a decade, and it has been quite good.

Re:How many downloads?

[mrchaotica]

Droidwall needs a facelift, but it is a decent front end for iptables.

According to FDroid, Droidwall got abandoned, forked and renamed to AFWall+.

Re:

[mythosaz]

Smart Tools components are available individually and only require the permissions necessary to work.

https://play.google.com/store/apps/details?id=kr.sira.flash [google.com]

The suite requires bit more...

Re:

[BasilBrush]

Sad isn't it, that it's such a chore on Android to even find something as basic as a decent flashlight app.

Re:

[RenderSeven]

In this case its probably somewhat a victim of its simplicity. Its trivial to bang out a flashlight app so its probably a good choice for malware/crapware, and it doesnt set the bar high for getting plenty of +5 ratings

But in general, yeah its sad. I'd like to see Google come up with some form of reputation credentials. I like the openness of Google Play as opposed to Apples Walled Garden, but this is a huge downside. I think Play should list the permissions in the play store summary, rather than have to d

Re:

[turning in circles]

I am still unhappy about the internet accessibility of the apps that T-Mobile preloaded onto my phone, that I can't get rid of without jailbreaking the phone. The apps I download, I can control, but the ones preinstalled - (e.g. Yelp? Why do I want Yelp to know everything about me all the time?) - I'm stuck with.

Re:

[BasilBrush]

How many people install the adware apps, though? I'd wager that the proportion of _downloads_ of adware is significantly less than 1.2%.

The double think is fascinating. On the odd occasion, perhaps once a year, when some malware app manages to circumvent both the Apple app sandbox and the app approval process, to be listed on the Apple App Store, the Slashdot typical reaction is: "See, the walled garden approach is totally broken".

But when we have reports of a 1.2% of Android apps being malware, the typical response is: "Well that doesn't matter if not so many people download them".

I'm saying malware rather than your "adware", because there

All or nothing approach is silly

[Mr_Silver]

I personally dislike Google's all-or-nothing approach to permissions. It gives the user a complete list of things (some of which may be valid and some not) with absolutely no context as to why they need this and then basically tell you that if you want the app then you have to accept the lot.

Coupled with a barely managed market place, you're just asking for someone to slip something malicious into the store and for anyone downloading it to blindly hit "accept".

A better method would be to rationalise some of the permissions (for example, do you really need to spook everyone with "read call state" given that it's used to suspend an app when a call comes in?) and then pop up a request to access the other permissions at the time when they are needed - a la iPhone.

That way I know why my app wants to access my contacts (because I've just pushed the button that says "invite a friend to a game") and also means that if I'm not comfortable with it having access to my call history then I can decline and still have the opportunity to continue using it.

Re:

[Nerdfest]

As a solution to the 'barely managed marketplace', you could use another marketplace, like Amazon, or F-Droid mentrioned above. I wonder if anyone is working on a more tightly curated market for Android. I would think that there's money to be made from the more security-conscious.

Re:

[Jartan]

Apart from F-Droid none of the stores are actually curated. They all want tons of free apps so they won't ever discriminate against user tracking/adds.

That's fine if you only use open source. For the rest of us it's a huge pain in the ass.

Re:

[Windwraith]

A paid app means giving your dox for the crooks to steal, man! No security-conscious guy would do an online purchase, because it's one of the safest ways to identify an individual online. Just the receipts going into your inbox with your full name, ripe for google and the NSA to correlate to your person.
There's no money to be made from those guy, unless there's a truly anonymous currency system.

Re:All or nothing approach is silly

[vidnet]

pop up a request to access the other permissions at the time when they are needed

Because that worked so well for Vista?

Re:

[BasilBrush]

It works well for iOS.

That Microsoft got it wrong on Vista is irrelevant when there is a mobile phone example that got it right.

Re:

[Luthair]

Android's permission model is far from all or nothing, it is entirely declarative and applications do not have all permissions (as opposed to the iphone model in which the user is never told what the application can do).

It would be nice if the Android model presented a little more granular information at times, e.g. its perfectly reasonable for a media application to know a phone call is on going in order to pause, but last I checked this was lumped in with knowing who called and a few other pieces. From a

Re:All or nothing approach is silly

[tlhIngan]

Android's permission model is far from all or nothing, it is entirely declarative and applications do not have all permissions (as opposed to the iphone model in which the user is never told what the application can do).

Except to 99.99% of Android users, that permission information is completely useless to them. They don't know what it means, other than it's a screen that pops up whenever they install anything. They don't read it, they just tap Install and be done with it.

The technical term is Dancing Pigs [wikipedia.org] (or dancing rabbits), and it describes basically that the user is most likely not pick the right choice security wise. They see an app in the Play store, tap install, then up comes the list of gobbledygook with a button that says "Install". They bypass the list and tap install, because they just wanted to install the app.

Relying on the user to make security decisions is poor security - all it affords you is the ability to blame the user for this mischoices, except said user is part of the very large majority who don't understand the screen, don't understand the need for it, and certainly don't understand why they need to spend the time reading it.

And that doesn't even get into the weird permissions you need in order to do stuff (like Read Phone State and Identity to get notifications when someone is calling).

The iPhone model isn't any better, but popping up extra dialogs doesn't work. Though, iOS at least does notify you and give you the ability to decline individual permissions (e.g., to stuff like location information, contacts and other stuff). But it too suffers from popup-it is.

Hell, the user can monkey around with some pretty complex steps if you tell them how to do it in small easy steps and they see benefit at the end. It's how they can do stuff like install OpenSSH, run PuTTY and enter in complex command lines - as long as they want to do it, they'll blindly follow. It's how the early jailbreak viruses spread - because people would do them to pirate apps and such and leave OpenSSH running with default passwords (because the HOWTO they used didn't tell them they needed to).

And I'm almost certain if you've helped someone tat they'll say something like "every time I print, nothing comes out of the printer" despite every time they print, a big screen shows saying "NO PAPER IN TRAY". No, they don't read dialogs either (happens with developers as well - the solution may be right there staring them in the face...).

Re:

[BasilBrush]

Android's permission model is far from all or nothing, it is entirely declarative and applications do not have all permissions

You seem to have misunderstood what the previous poster was saying. With Android, if an app requires permissions A, B and C, then you have to give permission for all of A, B and C, or you can't run the app at all. That's all or nothing permissions.

With iOS, the app might require permissions A, B and C (which will be requested at the time the app first needs each one. And you might only give permission for A and C. And the app will still run. It will be missing the functionality that requires permission B. But everything else will work. That's selective permissions.

It would be nice if the Android model presented a little more granular information at times

If you want to make Android even less user friendly than it already is.

Re:

[zequav]

There is App Ops in android >=4.3. Install App Ops Starter and disable the permissions you don't want to grant to an app.

Re:

[coolmadsi]

There is App Ops in android >=4.3. Install App Ops Starter and disable the permissions you don't want to grant to an app.

I have that installed (first Nexus 7, Android 4.3) - it looks like there are some permissions that can't be disabled (internet access for example). Otherwise it is quite nice (it also says the last time the app used the permission, and if it has used it)

Re:

[MetalOne]

I wish it would go a step further and not give any apps access to the contacts. It seems to me that an app that needs a contact should make a request to the operating system. The operating system could present the contacts to the user to select one, and then the operating system could return an opaque handle representing the contact to the app. The opaque handle could then be used to send email or what not.

Re:

[cyberfunkr]

The main problem of this is the developer now has the onus of describing to the user exactly WHY they really need that functionality within the app, and put in warnings and error screens if the user decides to turn off/disallow access. This adds a huge amount of bulk/overhead to even the simplest of apps.

What happens if a photo editing software is denied access to your camera and/or saved photos? It appears broken so the developer gets negative reviews. This is an obvious example, but there could be more hi

Re:

[interkin3tic]

Coupled with a barely managed market place

I seem to recall there being a lot of outcry when google banned a developer or two from the store. Now you're saying it's barely managed? You realize you can't have it both ways. You can't have it accessible to all (which I think is a major advantage of these virtual stores) AND have it completely free of slime.

Re:

[interkin3tic]

I realize it sounded like I was making an accusation of hypocrisy, and your objection is fair. I should have phrased it more like "Google can't please everyone between too managed and not managed enough." Or maybe said that it's already more managed than some people would like.

Re:

[thetoadwarrior]

Google needs the all or nothing approach or you might stop their programs from sucking your data out of your phone.

Re:All or nothing approach is silly

[mlts]

The problem is that Google's model works for people who know what they are doing.

However, one reason iOS is so successful is the perception that you don't have to watch anything. If it is on Apple's store, it is safe for human consumption.

The majority of the people out there will not look at the permissions an app wants, and just tap "accept". Android's model works with savvy users, but for the teen texter who barely can type while holding the steering wheel, it has its issues.

Two ways to fix this: Go with additional permission requests upon first use like Apple or Blackberry's offerings, go with a tier of Play Store which is heavily curated, or both.

Re:

[Anonymous Coward]

The problem is that Google's model works for people who know what they are doing.

However, one reason iOS is so successful is the perception that you don't have to watch anything. If it is on Apple's store, it is safe for human consumption.

The majority of the people out there will not look at the permissions an app wants, and just tap "accept". Android's model works with savvy users, but for the teen texter who barely can type while holding the steering wheel, it has its issues.

Two ways to fix this: Go with additional permission requests upon first use like Apple or Blackberry's offerings, go with a tier of Play Store which is heavily curated, or both.

Fix 3: Parental Controls > Require password for new apps. Poof the device is now safe in the hands of your teenager or grandmother.

Re:

[BasilBrush]

Fix 3: Parental Controls > Require password for new apps. Poof the device is now safe in the hands of your teenager or grandmother.

Only works for those teens or grandparents that have a phone bought for them by a geek parent or grandson. Which is a small minority. So not really any kind of worthwhile fix for the platform.

Mozilla does that too.

[Animats]

Mozilla allows that, too. There's a slimeball company [wips.com] that takes over abandoned Firefox add-ons, adds spyware, and puts them up on Mozilla's "store". They did this to BlockSite [nabble.com]. Users were very angry. [mozilla.org]

Mozilla's reaction? Mozilla's add-on policies [mozilla.org] prohibit this: "Whenever an add-on includes any unexpected* feature that ... compromises user privacy or security (like sending data to third parties)" ... "These features cannot be introduced into an update of a fully-reviewed add-on; the opt-in change process must be part of the initial review." The spyware was just fine with Jorge Villalobos [mozilla.org], Mozilla's add-on project manager, who wrote "That's outdated, since we don't enforce that policy."

You can't trust the Mozilla Foundation any more. That's sad.

Opt-in though?

[grimJester]

That's outdated, since we don't enforce that policy. As long as the feature is opt in, it is acceptable to introduce it in an update.

Re:Opt-in though?

[Animats]

As long as the feature is opt in...

The "opt in" was more like "we're making you an offer you can't refuse." [mozillazine.org] It was pushed as an update to an existing add-on. The page with the terms was deliberately confusing. The privacy policy was originally missing. Some users reported that if you refused the tracking, the add-on then blocked major sites such as Flickr.

I was amazed that got past Mozilla's approval process. They've sold out.

Amazon App Store?

[Neuroelectronic]

I wonder if the Amazon android marketplace has this issue. I wonder if anyone even cares.

Quantity over quality

[rudy_wayne]

Google Play has recently surpassed the one million mark when it comes to the apps it offers

There's the problem right there. It isn't possible to have 1 million apps that are actually useful. Not even close. Just that number alone tells you that there is a problem -- that you have an enormous number of apps that are simply duplicates of others or malicious or just plain useless.

Re:Quantity over quality

[mythosaz]

Useless to whom?

There's a ton of duplication, but not without some feature or preference issue. While I can imagine that the most obvious flashlight features are duplicated across all flashlight apps, I'm sure that there's a number of features (like support for specific phones and odd hardware lights, and widgets) preferences (tray icon, UI), or innovations (auto-off, strobe) that haven't been incorporated into the One True Flashlight App just yet. ...now when you want the one with the "help me" strobe that supports S4 gestures to change modes, you need some duplication.

There's also a dozen niche apps. How many Magic The Gathering life counters do you need? [I'm nerd enough to know there's plenty of room for different apps here.] How many keyboards do you need? How many pop the bubbles games do you need?

Just because you can't run a million apps doesn't mean that the thousand you could possibly use are the same as the thousand I could possibly use. Combine your thousand and my thousand and now we've probably got only 100 that overlap. You couldn't care less about having multiple Nissan Leaf apps because Torque Pro doesn't support reading advanced battery values from it -- but I do. Someone else cares about all sorts of stuff neither of us do.

Re:

[mythosaz]

Maybe there is 1000 that I think I might want - I think there are probably about 10 I actually would use on a regular basis.

To be clear, I've got 95 icons on my phone, meaning I've got 60 things that aren't "Phone," "Settings," or the full suite of Google apps.

I use about 5 of those on the average day.
I use about 15 of those in an average week.
I've probably got 10 of them I can delete right now - but space is cheap.

Not a month goes by ...

[guanxi]

Not a month goes by ...

  * Without someone finding salmonella in a piece of chicken
  * Without someone finding a defect in a new GM car
  * Without someone's computer crashing
  * Without someone finding a spelling error in a Slashdot post ...

Out of 420,000 apps, does finding malware every month really signify something? Or is 1% a high rate?

Re:

[koan]

"Out of 420,000 apps, does finding malware every month really signify something? Or is 1% a high rate?"

You need a comparison, what's Apple's rate?

Re:

[coinreturn]

"Out of 420,000 apps, does finding malware every month really signify something? Or is 1% a high rate?"

You need a comparison, what's Apple's rate?

As TFA states: "By design, Android applications can be disassembled, modified and reassembled to provide new functionalities."

Fortunately, that's not the case in the "walled garden" of derision.

Re:

[BasilBrush]

Assuming the same rat on all apps on the app store, 1.2% is 12,000 apps.

Apple's rate is as close to 0% as makes no difference. There are few enough that every one that is found makes it's own media storm.

What is being added

[Fnord666]

Here [hotforsecurity.com] is a decent graphic showing just what is being added to these repackaged applications.

Link to the original article

[Fnord666]

here [hotforsecurity.com] is the original article in case anyone is interested. It goes into greater detail about the issues involved.

Re:

[adisakp]

Did the Net-Security.org site repackage this article before it was repackaged by Slashdot?

Laugh

[koan]

Google should be proactive about this (more so if they already are) because in a sense they are starting to become the Microsoft of mobile, with crap embedded and 3rd party apps.

I guess I have a winner for my "Who can fuck up Linux the worst" contest.

Avoidance

[xigxag]

A couple of simple things can be done to avoid phone malware.

1) Investigate the app before you install it. Click on the developer's web page and see if it looks legit. Read the reviews. Check to see that the permissions it's asking for have a legitimate purpose.

2) As TFA notes, most of these malware apps are free. Stay away from "free" apps from unknown developers. You're better off paying 99c, $1.99, $2.99 to give the developer a legitimate revenue stream than incentivizing them to pimp you out to shady third party advertisers.

3) In other words, remember that your phone is a computer. Don't take careless risks with your phone or tablet that you would never take with your desktop or laptop.

Re:

[coinreturn]

Stay away from "free" apps from unknown developers. You're better off paying 99c, $1.99, $2.99 to give the developer a legitimate revenue stream than incentivizing them to pimp you out to shady third party advertisers.

Good advice. I need to start charging for my shady, repackaged malware on Google Play.

I am shocked!

[deviated_prevert]

How soon people forget there are still all sorts of places to get modified Windows toolbars and shit ass apps like bear share and the likes for free and most of them hose you and phone home to momma. Most likely it is the same crowd of assholes that are modding Android apps and including phone home features that did shit like bear share and all the other Windows crapware back in the 90's. I just wonder how many of the gambling and porn sites are distributing free shit apps for Android, most likely about the

Re:

[toonces33]

I had to clean up my sister-in-laws computer at one point. People had been downloading "free" games from god knows where, and it was horribly infected with all sorts of malware. When I got a hold of the thing, it wouldn't boot because of the crap that was installed.

Application policy

[WaffleMonster]

The only prompt which should ever appear when installing an App is for owner to select a profile of permissions the owner of the device feels comfortable giving to the application. Once this decision is made operating system is expected to do whatever is necessary to sell the lie that Rumpelstiltskin at 7185551212 is my only contact, my current location is the South Pole and my phone number is 1-900-909-4300.

The problem is none of the current cast of characters - not Microsoft, Google, Apple give a shit about the user they only care about profits which is why the user is always allowed to be treated like shit. Their days of owning the mobile OS space are numbered.

FUD

[morgauxo]

From the tone of the article this sounds scary!

But really, 1.2% Come on! That's tiny! 1.2% tells me Google is doing a pretty good job!

Repackaged versions of real apps? Oooooh... scary! If you see a second copy of an app, especially one with worse ratings, or a free app with a different author than the same paid app.. DON'T INSTALL IT. Duh!!

Re:

[BasilBrush]

But really, 1.2% Come on! That's tiny! 1.2% tells me Google is doing a pretty good job!

Compared to?

Apple is so close to 0% as makes no difference. It's not possible to package someone else's app as your own. And malware is so rare, each single one becomes a significant media story.

Meh

[excelsior_gr]

This means that I blindly need to install about 100 apps in order to get one or two that are "malicious". If some effort is invested in judging the legitimacy of the apps, then all 100 installs will probably turn out to be ok. This sounds pretty fine to me.

Gardener wanted

[saha]

Perhaps the Android garden doesn't need a wall, but it could really use a full time gardener

Fake permissions

[corvax]

Was it paranoiod android or cyanogenmod that had a system in which it gave these apps fake info and sandboxed them ....The apps installed but privlidges revoked?

Apps are a cesspit

[ObsessiveMathsFreak]

Apps are a cesspit of cheap wares, flashy icons, and dubious peddling of every description. The app stores most resemble the cheap ads section of tabloid newspapers, and may as well have LET THE BUYER BEWARE and similar slogans etched in 50 foot high letters over the entrance.

There is no quality control for apps, no guarantees, no trust, no reliability, and in the vast majority of cases, no useful purpose. If this is the future of the software industry, then the software industry has no future.

If I wanted t

Re:

[deviated_prevert]

You're only making me STRONGER each time you fools bogusly downmod my posts on hosts (you know that, don't you?) & yet you can't offer ANY valid technical critique vs. my points

... apk

It wasn't me that down-modded you, but holy crap how long did it take you to enter all the bees,

pees

and a hrefs? [slashdot.org] surprised you didn't use

quote

or

li

I commend you sir for being the most imaginative anon coward I have ever had the privilege of responding to on Slashdot!

If you have a blog please post a link as I find deciphering html from hell to be an absolute blast.

Best wishes, look on the bright side of things. There might be a job for you at healthcare.gov designing secure phone apps that modify etc/hos